View a document in context

Once you’ve narrowed your search to a specific event, you might want to inspect the documents that occurred immediately before and after the event. With the Context view, you can do just that for index patterns that contain time-based events.

To open the Context view, click the expand icon (<) in the document table, and then click View surrounding documents.

The documents are sorted by the time field specified in the index pattern and displayed using the same set of columns as the Discover view from which the context was opened. The anchor document is highlighted in blue.

Context View

Filter the context

The filters you applied in Discover are carried over to the Context view. Pinned filters remain active, while normal filters are copied in a disabled state. You can re-enable these filters to refine your context view.

If the Context view contains a large number of documents not related to the event under investigation, you can use filters to restrict the documents to display.

Change the number of surrounding documents

By default, the five newest and oldest documents are listed. To increase the number of documents that surround the anchor document, click Load. Five documents are added with each click.

Configure the context view

To configure the Context view, use these settings in Advanced Settings.

context:defaultSize

The number of documents to display by default.

context:step

The default number of documents to load with each button click.

context:tieBreakerFields

The field to use for tiebreaking in case of equal time field values. The default is the _doc field.

You can enter a comma-separated list of field names, which is checked in sequence for suitability when a context is displayed. The first suitable field is used as the tiebreaking field. A field is suitable if the field exists and is sortable in the index pattern the context is based on.

Although not required, it is recommended to only use fields that have doc values enabled to achieve good performance and avoid unnecessary field data usage. Common examples for suitable fields include log line numbers, monotonically increasing counters and high-precision timestamps.

Most Popular