[DOCS] Updates index patterns docs #81864
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,100 +1,203 @@ | ||
| [[index-patterns]] | ||
| == Create an index pattern | ||
|
|
||
| {kib} requires an index pattern to access the {es} data that you want to explore. | ||
| An index pattern selects the data to use and allows you to define properties of the fields. | ||
|
|
||
| An index pattern can point to a specific index, for example, your log data from yesterday, | ||
| or all indices that contain your data. It can also point to a | ||
| {ref}/data-streams.html[data stream] or {ref}/indices-aliases.html[index alias]. | ||
|
|
||
| You’ll learn how to: | ||
|
|
||
| * Create an index pattern | ||
| * Explore and configure the data fields | ||
| * Set the default index pattern | ||
| * Delete an index pattern | ||
|
|
||
| [float] | ||
| [[index-patterns-read-only-access]] | ||
| === Before you begin | ||
|
|
||
| * To access *Index Patterns*, you must have the {kib} privilege | ||
| `Index Pattern Management`. To add the privilege, open the main menu, then click *Stack Management > Roles*. | ||
|
|
||
| * If a read-only indicator appears in {kib}, you have insufficient privileges | ||
| to create or save index patterns. The buttons to create new index patterns or | ||
| save existing index patterns are not visible. For more information, | ||
| refer to <<xpack-security-authorization,Granting access to {kib}>>. | ||
|
|
||
| [float] | ||
| [[settings-create-pattern]] | ||
| === Create an index pattern | ||
|
|
||
| If you collected data using one of the {kib} <<connect-to-elasticsearch,ingest options>>, uploaded a file, or added sample data, | ||
| you get an index pattern for free, and can start exploring your data. | ||
| If you loaded your own data, follow these steps to create an index pattern. | ||
|
|
||
| . Open the main menu, then click to *Stack Management > Index Patterns*. | ||
|
|
||
| . Click *Create index pattern*. | ||
| + | ||
| [role="screenshot"] | ||
| image:management/index-patterns/images/create-index-pattern.png["Create index pattern"] | ||
|
|
||
| . Start typing in the *Index pattern* field, and {kib} looks for the names of | ||
| {es} indices that match your input. | ||
| ** Use a wildcard (*) to match multiple indices. | ||
| For example, suppose your system creates indices for Apache data | ||
| using the naming scheme `filebeat-apache-a`, `filebeat-apache-b`, and so on. | ||
| An index pattern named `filebeat-a` matches a single source, and `filebeat-*` matches multiple data sources. | ||
| Using a wildcard is the most popular approach. | ||
|
|
||
| ** Select multiple indices by entering multiple strings, | ||
| separated with a comma. Make sure there is no space after the comma. | ||
| For example, `filebeat-a,filebeat-b` matches two indices, but not other indices | ||
| you might have afterwards (filebeat-c). | ||
|
|
||
| ** Use a minus sign (-) to exclude an index, for example, test*,-test3. | ||
|
|
||
| . Click *Next step*. | ||
|
|
||
| . If {kib} detects an index with a timestamp, expand the *Time field* menu, | ||
| and then specify the default field for filtering your data by time. | ||
| + | ||
| If your index doesn’t have time-based data, or if you don’t want to select | ||
| the default timestamp field, choose *I don’t want to use the Time Filter*. | ||
| + | ||
| NOTE: If you don’t set a default time field, you will not be able to use | ||
| global time filters on your dashboards. This is useful if | ||
| you have multiple time fields and want to create dashboards that combine visualizations | ||
| based on different timestamps. | ||
|
|
||
| . Click *Create index pattern*. | ||
| + | ||
| {kib} is now configured to use your {es} data. | ||
|
|
||
| . Select this index pattern when you search and visualize your data. | ||
|
|
||
| [float] | ||
| [[rollup-index-pattern]] | ||
| ==== Create an index pattern for rolled up data | ||
|
|
||
| An index pattern can match one rollup index. For a combination rollup | ||
| index pattern with both raw and rolled up data, use the standard notation: | ||
|
|
||
| ```ts | ||
| rollup_logstash,kibana_sample_data_logs | ||
| ``` | ||
| For an example, refer to <<rollup-data-tutorial,Create and visualize rolled up data>>. | ||
|
|
||
| [float] | ||
| [[management-cross-cluster-search]] | ||
| ==== Create an index pattern that searches across clusters | ||
|
|
||
| If your {es} clusters are configured for {ref}/modules-cross-cluster-search.html[{ccs}], | ||
| you can create an index pattern to search across the clusters of your choosing. Use the | ||
| same syntax that you'd use in a raw {ccs} request in {es}: | ||
|
|
||
| ```ts | ||
| <cluster-names>:<pattern> | ||
| ``` | ||
|
|
||
| For example, to query {ls} indices across two {es} clusters | ||
| that you set up for {ccs}, named `cluster_one` and `cluster_two`, | ||
| use this for your index pattern: | ||
|
|
||
| ```ts | ||
| cluster_one:logstash-*,cluster_two:logstash-* | ||
| ``` | ||
|
|
||
| You can use wildcards in your cluster names | ||
| to match any number of clusters. For example, to search {ls} indices across | ||
| clusters named `cluster_foo`, `cluster_bar`, and so on, create this index pattern: | ||
|
|
||
| ```ts | ||
| cluster_*:logstash-* | ||
| ``` | ||
|
|
||
| To query across all {es} clusters that have been configured for {ccs}, | ||
| use a standalone wildcard for your cluster name in your index | ||
| pattern: | ||
|
|
||
| ```ts | ||
| *:logstash-* | ||
| ``` | ||
|
|
||
| Once an index pattern is configured using the {ccs} syntax, all searches and | ||
| aggregations using that index pattern in {kib} take advantage of {ccs}. | ||
|
|
||
|
|
||
| [float] | ||
| [[reload-fields]] | ||
| === Explore and configure the data fields | ||
|
|
||
| To explore and configure the data fields in your index pattern, open the main menu, then click | ||
| *Stack Management > Index Patterns*. Each field has a {ref}/mapping.html[mapping], | ||
| which indicates the type of data the field contains in {es}, | ||
| such as strings or boolean values. The field mapping also determines | ||
| how you can use the field, such as whether it can be searched or aggregated. | ||
|
|
||
| [role="screenshot"] | ||
| image:management/index-patterns/images/new-index-pattern.png["Create index pattern"] | ||
|
|
||
| [float] | ||
| ==== Format the display of common field types | ||
|
|
||
| Whenever possible, {kib} uses the same field type for display as | ||
| {es}. However, some field types that {es} supports are not available | ||
| in {kib}. Using field formatters, you can manually change the field type in {kib} to display your data the way you prefer | ||
| to see it, regardless of how it is stored in {es}. | ||
|
|
||
| For example, if you store | ||
| date values in {es}, you can use a {kib} field formatter to change the display to mm/dd/yyyy format. | ||
| {kib} has field formatters for | ||
| <<field-formatters-string, strings>>, | ||
| <<field-formatters-date, dates>>, | ||
| <<field-formatters-geopoint, geopoints>>, | ||
| and <<field-formatters-numeric, numbers>>. | ||
|
|
||
| A popularity counter keeps track of the fields you use most often. | ||
| The top five most popular fields and their values are displayed in <<discover,*Discover*>>. | ||
|
|
||
| To edit the field format and popularity counter, click the edit icon | ||
| (image:management/index-patterns/images/edit_icon.png[]) in the index pattern detail view. | ||
|
|
||
| [role="screenshot"] | ||
| image:management/index-patterns/images/edit-field-format.png["Edit field format"] | ||
|
|
||
| [float] | ||
| ==== Refresh the data fields | ||
|
There was a problem hiding this comment. This section is only needed for 7.10 and lower. |
||
|
|
||
| To pick up newly-added fields, | ||
| refresh (image:management/index-patterns/images/refresh-icon.png[Refresh icon]) the index fields list. | ||
| This action also resets the {kib} popularity counters for the fields. | ||
|
|
||
| [float] | ||
| [[default-index-pattern]] | ||
| === Set the default index pattern | ||
|
|
||
| The first index pattern you create is automatically designated as the default pattern, | ||
| but you can set any index pattern as the default. The default index pattern is automatically selected when you first open <<discover,*Discover*>> or create a visualization from scratch. | ||
|
|
||
| . In *Index patterns*, click the index pattern name. | ||
| . Click the star icon (image:management/index-patterns/images/star.png[Star icon]). | ||
gchaps marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
| [float] | ||
| [[delete-index-pattern]] | ||
| === Delete an index pattern | ||
|
|
||
| This action removes the pattern from the list of saved objects in {kib}. | ||
| You will not be able to recover field formatters, scripted fields, source filters, | ||
| and field popularity data associated with the index pattern. Deleting an | ||
| index pattern does not remove any indices or data documents from {es}. | ||
|
|
||
| WARNING: Deleting an index pattern breaks all visualizations, saved searches, and other saved objects that reference the pattern. | ||
|
|
||
| . In *Index patterns*, click the index pattern name. | ||
| . Click the delete icon (image:management/index-patterns/images/delete.png[Delete icon]). | ||
|
|
||
| [float] | ||
| === What’s next | ||
|
|
||
| * Learn about <<scripted-fields,scripted fields>> and how to create data on the fly. | ||
|
There was a problem hiding this comment. Are you adding more items to this list? If not, it should stand on it's own instead of an unordered list. |
||
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file not shown.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file not shown.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At this point, do users know what fields are?