Once the "New" option has been selected, users must define how and what they wish to include within their search.

Search Criteria: Time Picker

Users may wish to visualize their search results. This can easily done by clicking on the Time Picker option on the main menu. These primarily use the timestamp value as the differentiator. There are three types of time ranges users are able to select from:



  • Quick: the Quick time range offers a predefined list of time ranges anchored to the time they were selected.
  • Relative: the Relative time range offers the possibility of defining the time span.
  • Absolute: the Absolute time range requires one to set the time span in exact terms.

The Time Picker is displayed above the search result's list and serves as a histogram of the valid search results.


Search Criteria: Available Fields

Once the Time Picker has been selected. Users are able to choose from a range of available fields. These are all of the fields have been defined as searchable in the index pattern in the Management tab. These additional filters can be places before or after a search query is performed.



Each field possesses an icon indicating how values are represented for each field.



Selecting a field will automatically expand it on the bar. Users then have the possibility of viewing the top 5 recurring values for the selected field as well as the latest 500 matches recorded.



Users can add the entire field to the filter selection by clicking on the "add" button. Clicking on the "Positive Lens" icon will add that field and value combination as an inclusive filter (required criteria for a match to be included in the results). Clicking on the "Negative Lens" icon will add it as an exclusive filter (required criteria for a match to be excluded from the results).


Search Criteria: Selected Fields

Once fields have been added to the filters, these will be visible as "Selected Fields". These filters appear in the search results as columns.



Selected Fields" alone are not active filters when performing a search query. These must be made active by using either the "Positive" or "Negative" icons next to specific values.