
Discover (Kibana) for data exploration in Elasticsearch - Step-by-Step Execution

Concept Flow - Discover for data exploration
Open Discover
Select Index Pattern
Load Data Sample
Apply Filters and Queries
View and Analyze Results
Refine Search or Export Data
End
The flow shows how you open Discover, pick your data, filter and search, then analyze results step-by-step.
Execution Sample
Elasticsearch
GET /my-index/_search
{
  "query": {
    "match": { "status": "active" }
  }
}
This request is what Discover sends when you type status:active in the query bar: it returns documents from my-index whose status field matches 'active'. Note that match on an analyzed text field tokenizes the value before comparing, so for an exact comparison query the keyword field (for example status.keyword) instead.
Execution Table
Step | Action               | Query/Filter                    | Result Preview              | Notes
1    | Open Discover        | N/A                             | Discover UI loads           | User opens Discover in Kibana
2    | Select Index Pattern | Index: my-index                 | Sample data loads           | Data from 'my-index' is ready
3    | Apply Query          | {"match": {"status": "active"}} | Filtered documents shown    | Only documents with status 'active' appear
4    | Add Filter           | Filter: response_time > 100     | Further filtered results    | Results now only with response_time > 100
5    | View Fields          | N/A                             | Fields and values displayed | User inspects fields in documents
6    | Export Data          | N/A                             | Data exported as CSV        | User exports current view for offline use
7    | End                  | N/A                             | Session ends                | User finishes data exploration
💡 User finishes exploration or closes Discover
Variable Tracker
Variable            | Start | After Step 3                    | After Step 4                                      | Final
Selected Index      | None  | my-index                        | my-index                                          | my-index
Query               | None  | {"match": {"status": "active"}} | {"match": {"status": "active"}}                   | {"match": {"status": "active"}}
Filters             | None  | None                            | response_time > 100                               | response_time > 100
Displayed Documents | None  | Docs with status 'active'       | Docs with status 'active' and response_time > 100 | Same as after Step 4
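The Step 3 request shown above gains a filter at Step 4, and Kibana combines the two into one bool query (query-bar clauses under must, filter pills under filter, negated pills under must_not). The following Python script is an added example, not code from this page or from Kibana: it builds the Step 3 and Step 4 request bodies and runs them against a constructed five-document stand-in for my-index, so you can watch the document set shrink exactly as the Variable Tracker describes. The document contents and ids, and the tiny DSL evaluator that stands in for Elasticsearch, are assumptions made for illustration.

```python
"""Reproduce the Discover flow (query at Step 3, filter at Step 4) as the
request body Discover sends, and evaluate it against constructed sample
documents. Added example; not page or Kibana code."""

# Constructed sample documents standing in for the contents of 'my-index'.
SAMPLE_DOCS = [
    {"id": 1, "status": "active",   "response_time": 50,  "user": "alice"},
    {"id": 2, "status": "active",   "response_time": 250, "user": "bob"},
    {"id": 3, "status": "inactive", "response_time": 300},
    {"id": 4, "status": "active",   "response_time": 120},
    {"id": 5, "status": "inactive", "response_time": 90,  "user": "carol"},
]


def discover_body(query=None, filters=()):
    """Build the bool query Discover issues: the query-bar clause goes under
    'must' (scored) and each filter pill goes under 'filter' (unscored)."""
    body = {"bool": {}}
    if query is not None:
        body["bool"]["must"] = [query]
    if filters:
        body["bool"]["filter"] = list(filters)
    return {"query": body}


def matches(doc, clause):
    """Evaluate a small subset of the query DSL (match, term, range, exists,
    bool) against one document. match/term are exact comparisons here; a real
    'match' on an analyzed text field tokenizes both sides first, which is why
    exact status values belong on a keyword field."""
    kind, spec = next(iter(clause.items()))
    if kind in ("match", "term"):
        field, value = next(iter(spec.items()))
        return str(doc.get(field)) == str(value)
    if kind == "range":
        field, bounds = next(iter(spec.items()))
        v = doc.get(field)
        if v is None:
            return False
        return all(
            (op == "gt" and v > lim) or (op == "gte" and v >= lim)
            or (op == "lt" and v < lim) or (op == "lte" and v <= lim)
            for op, lim in bounds.items())
    if kind == "exists":
        return doc.get(spec["field"]) is not None
    if kind == "bool":
        return (all(matches(doc, c) for c in spec.get("must", []))
                and all(matches(doc, c) for c in spec.get("filter", []))
                and not any(matches(doc, c) for c in spec.get("must_not", [])))
    raise ValueError(f"unsupported clause: {kind}")


def search(docs, body):
    """Return the ids of the documents that satisfy the request body."""
    return [d["id"] for d in docs if matches(d, body["query"])]


# Step 3: query bar only.
STEP3 = discover_body(query={"match": {"status": "active"}})
# Step 4: same query plus the filter pill 'response_time > 100'.
STEP4 = discover_body(query={"match": {"status": "active"}},
                      filters=[{"range": {"response_time": {"gt": 100}}}])

if __name__ == "__main__":
    print("after step 3:", search(SAMPLE_DOCS, STEP3))  # [1, 2, 4]
    print("after step 4:", search(SAMPLE_DOCS, STEP4))  # [2, 4]
```

Switching the filter to a negated pill would move the range clause from filter to must_not; the evaluator already honours that, so you can try it by editing STEP4.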
Key Moments - 3 Insights
Why do I see fewer documents after applying the filter?
Because a filter is ANDed with the query: a document must match the query bar and every filter pill, so the result set can only shrink, as in Execution Table Step 4.
What happens if I change the index pattern?
The documents reload from the new index and the queries and filters are reset, as in Execution Table Step 2.
Can I see all fields of a document at once?
Yes. Once documents are loaded, Discover lists the available fields in the sidebar and shows every field and value of a document when you expand it, as in Step 5.
Visual Quiz - 3 Questions
Test your understanding
Looking at the Execution Table, what query is applied at Step 3?
A. No query applied
B. {"range": {"response_time": {"gt": 100}}}
C. {"match": {"status": "active"}}
D. {"term": {"status": "inactive"}}
💡 Hint
Check the 'Query/Filter' column at Step 3 of the Execution Table.
At which step does the filter 'response_time > 100' get applied?
A. Step 4
B. Step 2
C. Step 3
D. Step 5
💡 Hint
Look at the 'Action' and 'Query/Filter' columns of the Execution Table rows.
If the user changes the index pattern after Step 4, what happens to the filters?
A. Filters remain the same
B. Filters reset to none
C. Filters double in number
D. Filters become inactive but visible
💡 Hint
Refer to the Key Moments entry about changing the index pattern and to Execution Table Step 2.
Concept Snapshot
Discover lets you explore data by:
- Selecting an index pattern
- Loading sample documents
- Applying queries and filters
- Viewing fields and values
- Exporting data
It helps find insights by filtering and searching interactively.
Full Transcript
Discover, in Kibana, is the tool for exploring the data stored in Elasticsearch. First you open Discover and select an index pattern, which loads documents from that index. Then you apply queries, such as searching for documents where a field matches a value, and add filters to narrow the results further. Discover shows the fields and values of each document so you can analyze them, and finally you can export the current result set if needed. This step-by-step process helps you find and understand your data.

Practice

1. What is the main purpose of the Discover feature in Kibana, the UI over Elasticsearch?
easy
A. To explore and filter raw data in indexes
B. To create visual dashboards
C. To manage Elasticsearch cluster settings
D. To write complex aggregation queries

Solution

  1. Step 1: Understand Discover's role

    Discover is designed to let users explore raw data quickly and easily.
  2. Step 2: Compare with other features

    Dashboard creation and cluster management are separate features, not Discover's focus.
  3. Final Answer:

    To explore and filter raw data in indexes -> Option A
  4. Quick Check:

    Discover = Data exploration [OK]
Hint: Discover = explore raw data quickly [OK]
Common Mistakes:
  • Confusing Discover with Dashboard
  • Thinking Discover manages cluster settings
  • Assuming Discover creates complex queries
2. Which of the following is the correct syntax to filter data in Discover using a simple query?
easy
A. filter(status=200, extension=jpg)
B. WHERE status=200 AND extension=jpg
C. status:200 AND extension:jpg
D. SELECT * FROM index WHERE status=200

Solution

  1. Step 1: Identify Discover query syntax

    Discover's query bar accepts KQL (the default in current Kibana releases) or Lucene query syntax; in both, a field/value pair is written field:value and conditions are combined with AND/OR.
  2. Step 2: Eliminate SQL and function syntax

    Options A, B, and D use function-call or SQL style (filter(...), WHERE, SELECT), which neither query language accepts.
  3. Final Answer:

    status:200 AND extension:jpg -> Option C
  4. Quick Check:

    Lucene/KQL syntax = status:200 AND extension:jpg [OK]
Hint: Use field:value with AND/OR in Discover queries [OK]
Common Mistakes:
  • Using SQL syntax instead of Lucene or KQL
  • Using function calls for filtering
  • Mixing query languages
3. Given the following Discover query: response:404 OR response:500, what data will be shown?
medium
A. All documents except those with response 404 or 500
B. Only documents with response code 404
C. Documents with response code 404 and 500 at the same time
D. Documents with response code 404 or 500

Solution

  1. Step 1: Understand OR operator in query

    The OR operator returns documents matching either condition, not both simultaneously.
  2. Step 2: Apply to response codes

    Documents with response 404 or response 500 will be included in results.
  3. Final Answer:

    Documents with response code 404 or 500 -> Option D
  4. Quick Check:

    OR means either condition matches [OK]
Hint: OR returns either condition matches [OK]
Common Mistakes:
  • Thinking OR means both conditions together
  • Confusing OR with AND
  • Assuming exclusion of matching documents
4. You wrote this Discover query: status:200 AND extension=jpg. Why does it cause an error?
medium
A. Because '=' is not valid; use ':' for field-value pairs
B. Because AND cannot be used between conditions
C. Because 'status' is not a valid field name
D. Because 'jpg' should be in quotes

Solution

  1. Step 1: Check field-value syntax

    Neither Lucene query syntax nor KQL treats '=' as a field/value separator, so extension=jpg is not parsed as a comparison on the extension field; the separator is ':'.
  2. Step 2: Validate operators and values

    AND is valid, 'status' is a common field, and quotes are optional for a simple value like jpg.
  3. Final Answer:

    Because '=' is not valid; use ':' for field-value pairs -> Option A
  4. Quick Check:

    Use ':' not '=' in queries [OK]
Hint: Use colon ':' for field-value, not equals '=' [OK]
Common Mistakes:
  • Using '=' instead of ':'
  • Misunderstanding AND operator usage
  • Adding unnecessary quotes
5. You want to explore documents where the field user exists and the bytes field is greater than 1000. Which Discover query achieves this?
hard
A. _exists_:user AND bytes >1000
B. _exists_:user AND bytes:{1000 TO *}
C. _exists_:user AND bytes:>=1000
D. user:* AND bytes:>1000

Solution

  1. Step 1: Check existence syntax

    Use _exists_:user (Lucene syntax) to find documents where the 'user' field has a value.
  2. Step 2: Use a range query for bytes > 1000

    bytes:{1000 TO *} is Lucene range syntax; the curly braces make the bound exclusive, so a document with exactly 1000 bytes is not matched, and * leaves the upper bound open.
  3. Step 3: Verify other options

    Option A puts a space between bytes and >, so bytes is parsed as a bare search term rather than a field name. Option C uses >=, which is inclusive and would also return documents with exactly 1000 bytes. Option D is also valid Lucene syntax (Elasticsearch's query_string accepts field:* as an existence check and field:>N as a range), so it returns the same documents as B; the intended answer is the option that uses the explicit existence operator and the bracket range form. In KQL the same search is written user:* and bytes > 1000.
  4. Final Answer:

    _exists_:user AND bytes:{1000 TO *} -> Option B
  5. Quick Check:

    Existence + range query = _exists_:user AND bytes:{1000 TO *} [OK]
Hint: Use _exists_ for field and range syntax for > value [OK]
Common Mistakes:
  • Writing bytes >1000 with a space, which detaches the operator from the field
  • Using >= when the requirement is strictly greater than
  • Confusing inclusive [ ] and exclusive { } range brackets
  • Mixing KQL and Lucene syntax (_exists_ and {N TO *} are Lucene; KQL uses field:* and bytes > 1000)
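To make the syntax rules behind questions 2 to 5 concrete, here is a small translator from the Lucene-style query-bar syntax used in those questions into Elasticsearch query DSL. It is an added example, not part of this page and not Kibana's parser: it handles field:value, AND/OR, _exists_:field, field:*, field:>N and field:{N TO *}, and it deliberately rejects a bare token such as bytes or extension=jpg instead of searching the default field the way the real parser would. The AND-over-OR precedence, the match clause emitted for field:value, and the set of token forms it accepts are its own assumptions; the sample queries in the main block are the ones from the questions.

```python
"""Translate Discover query-bar syntax (Lucene subset) into Elasticsearch
query DSL. Added example; stricter than the real parser by design."""
import json
import re

RANGE_OP = {">": "gt", ">=": "gte", "<": "lt", "<=": "lte"}
# field:{N TO M} or field:[N TO M]; { } is exclusive, [ ] inclusive, * is open.
RANGE_RE = re.compile(r"^([\[{])\s*(\S+)\s+TO\s+(\S+)\s*([\]}])$")


def _number(text):
    """Numeric literals become numbers so the DSL compares numerically."""
    for cast in (int, float):
        try:
            return cast(text)
        except ValueError:
            pass
    return text


def term_to_dsl(token):
    """Convert one field:value token to a DSL clause, or raise ValueError."""
    if ":" not in token:
        # Assumption: reject instead of searching the default field.
        raise ValueError(f"{token!r} is not field:value (use ':' not '='; "
                         "a bare word would hit the default field)")
    field, value = token.split(":", 1)
    if field == "_exists_":
        return {"exists": {"field": value}}
    if value == "*":                      # field:* also means 'field is present'
        return {"exists": {"field": field}}
    m = re.match(r"^(>=|<=|>|<)(.+)$", value)
    if m:                                 # field:>N style
        return {"range": {field: {RANGE_OP[m.group(1)]: _number(m.group(2))}}}
    m = RANGE_RE.match(value)
    if m:                                 # field:{N TO M} / field:[N TO M]
        lo_br, lo, hi, hi_br = m.groups()
        bounds = {}
        if lo != "*":
            bounds["gte" if lo_br == "[" else "gt"] = _number(lo)
        if hi != "*":
            bounds["lte" if hi_br == "]" else "lt"] = _number(hi)
        return {"range": {field: bounds}}
    return {"match": {field: _number(value)}}


def parse(query):
    """Parse 'a AND b OR c' with AND binding tighter than OR (an assumption;
    the real Lucene parser has precedence quirks, so parenthesise anything
    non-trivial). Range tokens contain spaces, so split on the operators
    rather than on whitespace."""
    or_groups = []
    for disjunct in re.split(r"\s+OR\s+", query.strip()):
        clauses = [term_to_dsl(t.strip()) for t in re.split(r"\s+AND\s+", disjunct)]
        or_groups.append(clauses[0] if len(clauses) == 1
                         else {"bool": {"must": clauses}})
    if len(or_groups) == 1:
        return or_groups[0]
    return {"bool": {"should": or_groups, "minimum_should_match": 1}}


def check(query):
    """Return (True, dsl) or (False, error message) without raising."""
    try:
        return True, parse(query)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for q in ["status:200 AND extension:jpg",          # question 2
              "response:404 OR response:500",          # question 3
              "status:200 AND extension=jpg",          # question 4 (rejected)
              "_exists_:user AND bytes:{1000 TO *}",   # question 5, option B
              "user:* AND bytes:>1000"]:               # question 5, option D
        ok, result = check(q)
        print(q, "->", json.dumps(result) if ok else f"rejected: {result}")
```

Running it on the question 5 options shows that B and D produce the same bool query, because in Lucene syntax field:* is an existence check just as _exists_:field is; only the spelling differs. Keep in mind this is the Lucene dialect: KQL, the default in recent Kibana releases, writes the same search as user:* and bytes > 1000 and does not accept _exists_ or the {N TO *} form.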