Bird
Raised Fist0
Elasticsearchquery~5 mins

Discover for data exploration in Elasticsearch

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction

Discover helps you look at your data quickly. It shows you raw data so you can understand what is inside your Elasticsearch index.

You want to see recent logs from your application to find errors.
You need to check if your data is coming into Elasticsearch correctly.
You want to explore what fields and values exist in your data.
You want to filter data to find specific records.
You want to get a quick overview of your data before making dashboards.
Syntax
Elasticsearch
GET /your-index-name/_search
{
  "query": {
    "match_all": {}
  },
  "size": 10
}

This is a basic Elasticsearch query to get 10 documents from an index.

Discover in Kibana uses similar queries behind the scenes to show data.

Examples
This query finds 5 documents where the message field contains the word 'error'.
Elasticsearch
GET /logs-2024/_search
{
  "query": {
    "match": {
      "message": "error"
    }
  },
  "size": 5
}
This query gets 10 documents with dates in January 2024.
Elasticsearch
GET /sales-data/_search
{
  "query": {
    "range": {
      "date": {
        "gte": "2024-01-01",
        "lte": "2024-01-31"
      }
    }
  },
  "size": 10
}
Sample Program

This example fetches 3 documents from 'my-index' to explore the data.

Elasticsearch
GET /my-index/_search
{
  "query": {
    "match_all": {}
  },
  "size": 3
}
OutputSuccess
Important Notes

Discover shows raw documents so you can see exactly what data is stored.

You can filter and search in Discover to narrow down data quickly.

Discover is a great first step before building visualizations or dashboards.

Summary

Discover lets you explore raw data in Elasticsearch indexes.

You use simple queries to find and filter data.

It helps you understand your data before deeper analysis.

Practice

(1/5)
1. What is the main purpose of the Discover feature in Elasticsearch?
easy
A. To explore and filter raw data in indexes
B. To create visual dashboards
C. To manage Elasticsearch cluster settings
D. To write complex aggregation queries

Solution

  1. Step 1: Understand Discover's role

    Discover is designed to let users explore raw data quickly and easily.

  2. Step 2: Compare with other features

    Dashboard creation and cluster management are separate features, not Discover's focus.

  3. Final Answer:

    To explore and filter raw data in indexes -> Option A

  4. Quick Check:

    Discover = Data exploration [OK]
Hint: Discover = explore raw data quickly [OK]
Common Mistakes:
  • Confusing Discover with Dashboard
  • Thinking Discover manages cluster settings
  • Assuming Discover creates complex queries
2. Which of the following is the correct syntax to filter data in Discover using a simple query?
easy
A. filter(status=200, extension=jpg)
B. WHERE status=200 AND extension=jpg
C. status:200 AND extension:jpg
D. SELECT * FROM index WHERE status=200

Solution

  1. Step 1: Identify Discover query syntax

    Discover uses Lucene query syntax like field:value and logical operators like AND.

  2. Step 2: Eliminate SQL and function syntax

    Options A, C, and D use SQL or function style, which is not valid in Discover queries.

  3. Final Answer:

    status:200 AND extension:jpg -> Option C

  4. Quick Check:

    Lucene syntax = status:200 AND extension:jpg [OK]
Hint: Use field:value with AND/OR in Discover queries [OK]
Common Mistakes:
  • Using SQL syntax instead of Lucene
  • Using function calls for filtering
  • Mixing query languages
3. Given the following Discover query: response:404 OR response:500, what data will be shown?
medium
A. All documents except those with response 404 or 500
B. Only documents with response code 404
C. Documents with response code 404 and 500 at the same time
D. Documents with response code 404 or 500

Solution

  1. Step 1: Understand OR operator in query

    The OR operator returns documents matching either condition, not both simultaneously.

  2. Step 2: Apply to response codes

    Documents with response 404 or response 500 will be included in results.

  3. Final Answer:

    Documents with response code 404 or 500 -> Option D

  4. Quick Check:

    OR means either condition matches [OK]
Hint: OR returns either condition matches [OK]
Common Mistakes:
  • Thinking OR means both conditions together
  • Confusing OR with AND
  • Assuming exclusion of matching documents
4. You wrote this Discover query: status:200 AND extension=jpg. Why does it cause an error?
medium
A. Because '=' is not valid; use ':' for field-value pairs
B. Because AND cannot be used between conditions
C. Because 'status' is not a valid field name
D. Because 'jpg' should be in quotes

Solution

  1. Step 1: Check field-value syntax

    Discover uses field:value syntax, not field=value.

  2. Step 2: Validate operators and values

    AND is valid, 'status' is a common field, and quotes are optional for simple values.

  3. Final Answer:

    Because '=' is not valid; use ':' for field-value pairs -> Option A

  4. Quick Check:

    Use ':' not '=' in queries [OK]
Hint: Use colon ':' for field-value, not equals '=' [OK]
Common Mistakes:
  • Using '=' instead of ':'
  • Misunderstanding AND operator usage
  • Adding unnecessary quotes
5. You want to explore documents where the field user exists and the bytes field is greater than 1000. Which Discover query achieves this?
hard
A. _exists_:user AND bytes >1000
B. _exists_:user AND bytes:{1000 TO *}
C. _exists_:user AND bytes:>=1000
D. user:* AND bytes:>1000

Solution

  1. Step 1: Check existence syntax

    Use _exists_:user to find documents where 'user' field exists.

  2. Step 2: Use range query for bytes > 1000

    Range syntax bytes:{1000 TO *} means bytes greater than 1000 (exclusive).

  3. Step 3: Verify other options

    _exists_:user AND bytes:>1000 and C have invalid range syntax; user:* AND bytes:>1000 uses wildcard incorrectly for existence.

  4. Final Answer:

    _exists_:user AND bytes:{1000 TO *} -> Option B

  5. Quick Check:

    Existence + range query = _exists_:user AND bytes:{1000 TO *} [OK]
Hint: Use _exists_ for field and range syntax for > value [OK]
Common Mistakes:
  • Using wildcard * for existence check
  • Incorrect range syntax for greater than
  • Confusing inclusive and exclusive ranges