diff --git a/explore-analyze/dashboards/using.md b/explore-analyze/dashboards/using.md index 68ed39e28d..55337cb814 100644 --- a/explore-analyze/dashboards/using.md +++ b/explore-analyze/dashboards/using.md @@ -1,6 +1,7 @@ --- mapped_pages: - https://www.elastic.co/guide/en/kibana/current/_use_and_filter_dashboards.html +description: Learn how to explore and interact with Kibana dashboards using filters, time ranges, and controls to uncover insights in your data. applies_to: stack: ga serverless: ga @@ -10,6 +11,11 @@ products: # Exploring dashboards [_use_and_filter_dashboards] +Kibana dashboards support filtering, time range adjustments, and interactive controls that let you focus on specific data segments or time periods. + +This page covers the main ways to explore dashboard data: using KQL queries, filter pills, time ranges, and dashboard controls. You'll also learn how to view underlying data and switch between different display modes. + + ## Search and filter your dashboard data [search-or-filter-your-data] @@ -23,6 +29,20 @@ products: This section shows the most common ways for you to filter dashboard data. For more information about {{kib}} and {{es}} filtering capabilities, refer to [](/explore-analyze/query-filter.md). +### Filter dashboards using the KQL query bar [_filter_dashboards_using_the_kql_query_bar] + +The query bar lets you build filters using [{{kib}} Query Language (KQL)](../query-filter/languages/kql.md). When typing, it dynamically suggests matching fields, operators, and values to help you get the exact results that you want. + +You can use KQL to create complex queries that filter your dashboard data. For example: +- `status:error` to show only error records +- `response_time > 1000` to display requests slower than 1 second +- `user.name:"john doe" AND status:active` to combine multiple conditions + +:::{tip} +:applies_to: {"stack": "preview 9.2", "serverless": "unavailable"} +When working with large datasets, complex KQL queries might cause dashboards to load slowly. In versions 9.2 and later, you can [send long-running searches to the background](../discover/background-search.md) and continue working on other tasks while the data loads. +::: + ### Use filter pills [_use_filter_pills] diff --git a/explore-analyze/discover/background-search.md b/explore-analyze/discover/background-search.md new file mode 100644 index 0000000000..ecb741cfa4 --- /dev/null +++ b/explore-analyze/discover/background-search.md @@ -0,0 +1,111 @@ +--- +navigation_title: "Run queries in the background" +mapped_pages: + - https://www.elastic.co/guide/en/kibana/current/search-sessions.html +applies_to: + stack: preview 9.2 + serverless: unavailable +products: + - id: kibana +description: Send your long-running queries to run in the background with background searches and search sessions, and focus on your other tasks while they complete. +--- + +# Run Discover and Dashboards queries in the background + +::::{important} - Background search replaces Search sessions + +Background search is a feature introduced in version 9.2. It replaces the deprecated **Search sessions** feature. +If you have been using search sessions and upgrade to 9.2, your search sessions aren't lost and become background searches. +:::: + +Sometimes you might need to search through large amounts of data, no matter how long the search takes. Consider a threat hunting scenario, where you need to search through years of data. + +You can send your long-running searches to the background from **Discover** or **Dashboards** and let them run while you continue your work. + +You can access your list of background searches at any time to check their status and manage them from the {icon}`background_task` **Background searches** button in the toolbar. + +![Send search to background](https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/bltee31dcf0d3917c75/68ecf412e5bae49d65a286ff/background-search.gif " =75%") + + +## Enable background searches + +This feature is disabled by default. You can enable background searches in versions 9.2 and later, or search sessions in versions 9.1 and earlier, by setting [`data.search.sessions.enabled`](kibana://reference/configuration-reference/search-sessions-settings.md) to `true` in the [`kibana.yml`](/deploy-manage/stack-settings.md) configuration file. + +:::{note} - Exception for search sessions users +If you upgrade to version 9.2 or later with search sessions enabled in the version you upgrade from, background searches are automatically enabled. +::: + +## Usage requirements [_requirements] + +The background searches that you run are personal and only visible by you. To use this feature, you must have the following minimum permissions: + +:::::{tab-set} +:group: background search + +::::{tab-item} 9.2 and later +:sync: 92 +To send searches to the background, and to view and interact with the list of background searches from **Discover** and **Dashboards** apps, you must have permissions for **Discover** and **Dashboard**, and for the [Background search subfeature](../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges). +:::: + +::::{tab-item} 9.1 and earlier +:sync: 91 +In versions 9.1 and earlier, this feature is named **Search sessions**. +* To save a session, you must have permissions for **Discover** and **Dashboard**, and the [Search sessions subfeature](../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges). +* To view and restore a saved session, you must have access to **Stack Management**. +:::: + +::::: + +## Send a search to the background + +You can send a search to the background only after it starts running. Until then, the **Send to background** button is disabled. + +1. Write or edit the query. + +1. Select {icon}`play` **Run** (or {icon}`refresh` **Refresh** if you already ran the query at least once) to start executing the query. At this point, the {icon}`background_task` **Send to background** button becomes available. + +1. Select {icon}`background_task` **Send to background**. The search is sent to the background and added to the queue of background searches. + +You can resume your other tasks, for example start a new search, navigate to a different application, or close the browser. Once the search has completed, a notification informs you and lets you access the search to view its results. + +Background searches expire after 7 days. Beyond that period, you must run the search again. You can change this default value by editing the [`data.search.sessions.defaultExpiration`](kibana://reference/configuration-reference/search-sessions-settings.md) setting. + +## Reopen or manage background searches + +From the list of background searches, you can reopen and edit any searches, but also extend their validity period or delete them to keep only searches that you care about. + +1. Open your list of background searches using one of the following methods: + - Once a background search is sent to the background, a notification appears to inform you, with a link to open the list of background searches. + - If you miss the notification or need to access this list at any time, go to **Discover** or **Dashboards** and select the {icon}`background_task` **Background searches** button in the toolbar. This option is only available from version 9.2. + + :::{tip} + From **Discover**, you can only view Discover background searches. And from **Dashboards**, you can only see Dashboards background searches. + ::: + - Open the **Background Search** management page in {{kib}}. + +1. Find the background search that you want to interact with using the search or status filter options. + - To open it to view its results and continue your explorations, select its name. Relative dates are converted to absolute dates. + - To rename it, select the {icon}`boxes_horizontal` **More actions** button, then select {icon}`pencil` **Edit name**. By default, background searches get default names that indicate their execution date and time. + - To extend its current expiration date by another 7 days, select the {icon}`boxes_horizontal` More actions button, then select **Extend**. + - To delete it, select the {icon}`boxes_horizontal` More actions button, then select {icon}`trash` **Delete**. + + +## Background search limitations in dashboards [_limitations] + +Some visualization features do not fully support background searches. When you restore a dashboard, panels with unsupported features won’t load immediately, but instead send out additional data requests, which can take a while to complete. The **Your background search is still running** warning appears. You can either wait for these additional requests to complete or come back to the dashboard later when all data requests have finished. + +A panel on a dashboard can behave like this if one of the following features is used: + +**Lens** + +* A **top values** dimension with an enabled **Group other values as "Other"** setting. This is configurable in the **Advanced** section of the dimension. +* An **intervals** dimension. + +**Aggregation-based** visualizations + +* A **terms** aggregation with an enabled **Group other values in separate bucket** setting. +* A **histogram** aggregation. + +**Maps** + +* Layers using joins, blended layers, or tracks layers. \ No newline at end of file diff --git a/explore-analyze/discover/discover-get-started.md b/explore-analyze/discover/discover-get-started.md index 461114f1b1..5307bf49c0 100644 --- a/explore-analyze/discover/discover-get-started.md +++ b/explore-analyze/discover/discover-get-started.md @@ -308,6 +308,14 @@ Learn more about how to use ES|QL queries in [Using ES|QL](try-esql.md). :::{include} ../_snippets/inspect-request.md ::: +### Run long-running queries in the background +```{applies_to} +stack: ga 9.2 +serverless: unavailable +``` + +You can send your long-running KQL or {{esql}} queries to the background from **Discover** and let them run while you continue exploring your data. Refer to [Run queries in the background](/explore-analyze/discover/background-search.md). + ### Save your Discover session for later use [save-discover-search] diff --git a/explore-analyze/discover/search-sessions.md b/explore-analyze/discover/search-sessions.md deleted file mode 100644 index b7bf67c0d9..0000000000 --- a/explore-analyze/discover/search-sessions.md +++ /dev/null @@ -1,85 +0,0 @@ ---- -mapped_pages: - - https://www.elastic.co/guide/en/kibana/current/search-sessions.html -applies_to: - stack: ga - serverless: ga -products: - - id: kibana ---- - -# Run a search session in the background [search-sessions] - -::::{admonition} Deprecated and disabled by default -Search Sessions are deprecated. They are disabled by default and will be removed in a future version. You can enable search sessions again by setting [`data.search.sessions.enabled`](kibana://reference/configuration-reference/search-sessions-settings.md) to `true` in the [`kibana.yml`](/deploy-manage/stack-settings.md) configuration file. -:::: - - -Sometimes you might need to search through large amounts of data, no matter how long the search takes. Consider a threat hunting scenario, where you need to search through years of data. You can save a long-running search, so {{kib}} processes your request in the background, and you can continue your work. - -Save your search session from **Discover** or **Dashboard**, and when your session is complete, view and manage it in **Stack Management**. Search sessions are [enabled by default](kibana://reference/configuration-reference/search-sessions-settings.md). - -:::{image} /explore-analyze/images/kibana-search-session.png -:alt: Search Session indicator displaying the current state of the search -:screenshot: -::: - - -## Requirements [_requirements] - -* To save a session, you must have permissions for **Discover** and **Dashboard**, and the [search sessions subfeature](../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md#kibana-feature-privileges). -* To view and restore a saved session, you must have access to **Stack Management**. - - -## Example: Save a search session [_example_save_a_search_session] - -You’re trying to understand a trend you see on a dashboard. You need to look at several years of data, currently in [cold storage](../../manage-data/lifecycle/data-tiers.md#cold-tier), but you don’t have time to wait. You want {{kib}} to continue working in the background, so tomorrow you can open your browser and pick up where you left off. - -1. Load your dashboard. - Your search session begins automatically. The icon after the dashboard title displays the current state of the search session. A clock icon indicates the search session is in progress. A checkmark indicates that the search session is complete. - -2. To continue a search in the background, click the clock icon, and then click **Save session**. - - ![Search Session indicator displaying the current state of the search](/explore-analyze/images/kibana-search-session-awhile.png "title =50%") - - Once you save a search session, you can start a new search, navigate to a different application, or close the browser. - -3. To view your saved search sessions, go to the **Search Sessions** management page using the navigation menu or the [global search field](../../explore-analyze/find-and-organize/find-apps-and-objects.md). For a saved or completed session, you can also open this view from the search sessions popup. - ![Search Sessions management view with actions for inspecting](/explore-analyze/images/kibana-search-sessions-menu.png "") - -4. Use the edit menu in **Search Sessions** to: - - * **Inspect** the queries and filters that makeup the session. - * **Edit the name** of a session. - * **Extend** the expiration of a completed session. - * **Delete** a session. - -5. To restore a search session, click its name in the **Search Sessions** view. - - You’re returned to the place from where you started the search session. The data is the same, but behaves differently: - - * Relative dates are converted to absolute dates. - * Panning and zooming is disabled for maps. - * Changing a filter, query, or drilldown starts a new search session, which can be slow. - - - -## Limitations [_limitations] - -Some visualization features do not fully support background search sessions. When you restore a dashboard, panels with unsupported features won’t load immediately, but instead send out additional data requests, which can take a while to complete. The **Your search session is still running** warning appears. You can either wait for these additional requests to complete or come back to the dashboard later when all data requests have finished. - -A panel on a dashboard can behave like this if one of the following features is used: - -**Lens** - -* A **top values** dimension with an enabled **Group other values as "Other"** setting. This is configurable in the **Advanced** section of the dimension. -* An **intervals** dimension. - -**Aggregation-based** visualizations - -* A **terms** aggregation with an enabled **Group other values in separate bucket** setting. -* A **histogram** aggregation. - -**Maps** - -* Layers using joins, blended layers, or tracks layers. diff --git a/explore-analyze/images/kibana-search-session-awhile.png b/explore-analyze/images/kibana-search-session-awhile.png deleted file mode 100644 index 88a6f34e10..0000000000 Binary files a/explore-analyze/images/kibana-search-session-awhile.png and /dev/null differ diff --git a/explore-analyze/images/kibana-search-session.png b/explore-analyze/images/kibana-search-session.png deleted file mode 100644 index ded51feb29..0000000000 Binary files a/explore-analyze/images/kibana-search-session.png and /dev/null differ diff --git a/explore-analyze/images/kibana-search-sessions-menu.png b/explore-analyze/images/kibana-search-sessions-menu.png deleted file mode 100644 index 5ce8c680e9..0000000000 Binary files a/explore-analyze/images/kibana-search-sessions-menu.png and /dev/null differ diff --git a/explore-analyze/toc.yml b/explore-analyze/toc.yml index 794b0b5dff..5d0fd66949 100644 --- a/explore-analyze/toc.yml +++ b/explore-analyze/toc.yml @@ -161,7 +161,7 @@ toc: - file: discover/save-open-search.md - file: discover/show-field-statistics.md - file: discover/run-pattern-analysis-discover.md - - file: discover/search-sessions.md + - file: discover/background-search.md - file: discover/try-esql.md - file: dashboards.md children: diff --git a/redirects.yml b/redirects.yml index 4877634c3a..eb3e257f40 100644 --- a/redirects.yml +++ b/redirects.yml @@ -516,7 +516,8 @@ redirects: # Related to https://github.com/elastic/docs-content/pull/3318 'solutions/security/manage-elastic-defend/identify-antivirus-software-on-hosts.md': 'solutions/security/manage-elastic-defend/automatic-troubleshooting.md' - +# Search sessions becoming background search + 'explore-analyze/discover/search-sessions.md': 'explore-analyze/discover/background-search.md' diff --git a/reference/glossary/index.md b/reference/glossary/index.md index ad5d1a99b6..f54651c2fa 100644 --- a/reference/glossary/index.md +++ b/reference/glossary/index.md @@ -74,6 +74,9 @@ $$$glossary-zone$$$ availability zone ## B [b-glos] +$$$glossary-background-search$$$ Background search +: A long-running query that is queued and that runs while you perform other tasks. The results of the background search are stored for a period of time, so you can access it once it has completed. Background searches are user specific. Before {{stack}} 9.2, background searches are called ["search sessions"](#glossary-search-session). + $$$glossary-basemap$$$ basemap : The background detail necessary to orient the location of a map. @@ -668,7 +671,7 @@ $$$glossary-scripted-field$$$ scripted field : A field that computes data on the fly from the data in {{es}} indices. Scripted field data is shown in Discover and used in visualizations. $$$glossary-search-session$$$ search session -: A group of one or more queries that are executed asynchronously. The results of the session are stored for a period of time, so you can recall the query. Search sessions are user specific. +: A group of one or more queries that are executed asynchronously. The results of the session are stored for a period of time, so you can recall the query. Search sessions are user specific. From {{stack}} 9.2, search sessions are called ["background searches"](#glossary-background-search). $$$glossary-search-template$$$ search template : A stored search you can run with different variables. See [Search templates](/solutions/search/search-templates.md).