View document data
When you submit a search query in Discover, the most recent documents that match the query are listed in the documents table. By default, the table includes columns for the time field and the document _source
, which shows all fields and values in the document.
Modify the document table
Use the following commands to tailor the documents table to suit your needs.
Add a field column | Hover over the list of Available fields and then click add next to each field you want to include as a column in the table. The first field you add replaces the |
Change sort order | By default, columns are sorted by the values in the field. If a time field is configured for the current index pattern, the documents are sorted in reverse chronological order. To change the sort order, hover over the column and click . The first click sorts by ascending order, the second click sorts by descending order, and the third click removes the field from the sorted fields. |
Move a field column | Hover over the column header and click the (<<) or (>>) icons. |
Remove a field column | Hover over the list of Specified fields and then click remove. Or, use the (x) control in the column header. |
Drill down into field-level details
To view the document data in either table or JSON format, click the expand icon (>). The expanded view provides these options for viewing your document:
- View the events that surround your document. For example, you might want to see the 10 documents that occurred immediately before and after your event.
- View the document data as a separate page. You can bookmark and share the link for direct access to a particular document.
Configure the number of documents to show
By default, the documents table includes the 500 most recent documents that match the query. To change this number, set the discover:sampleSize
property in Advanced Settings.