{"id":10967,"date":"2024-05-17T20:51:26","date_gmt":"2024-05-18T01:51:26","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=10967"},"modified":"2024-05-21T20:56:23","modified_gmt":"2024-05-22T01:56:23","slug":"opensearch-users-guide","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=10967","title":{"rendered":"OpenSearch User&#8217;s Guide"},"content":{"rendered":"<p>Below is the user&#8217;s guide I put together for individuals who use the ElasticSearch system I support at work to help them transition to the OpenSearch platform we&#8217;ll be moving to later this year. <\/p>\n<div class=\"toc-macro client-side-toc-macro  conf-macro output-block hidden-outline\" data-headerelements=\"H1,H2,H3,H4,H5,H6,H7\" data-hasbody=\"false\" data-macro-name=\"toc\">\n<ul>\n<li><span class=\"toc-item-body\" data-outline=\"1\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-Overview\">Overview<\/a><\/span>\n<ul>\n<li><span class=\"toc-item-body\" data-outline=\"1.1\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-WhatisElasticSearch?\">What is ElasticSearch?<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"1.2\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-WhatisOpenSearch?\">What is OpenSearch?<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"1.3\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-DifferencesBetweenOpenSearchandElasticSearch\">Differences Between OpenSearch and ElasticSearch<\/a><\/span><\/li>\n<\/ul>\n<\/li>\n<li><span class=\"toc-item-body\" data-outline=\"2\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-RequestingAccess\">Requesting 
Access<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"3\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-LoggingIn\">Logging In<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"4\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-SwitchingTenants\">Switching Tenants<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"5\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-Searching\">Searching<\/a><\/span>\n<ul>\n<li><span class=\"toc-item-body\" data-outline=\"5.1\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-Searching:DiscoverOverview\">Searching: Discover Overview<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"5.2\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-SearchTips\">Search Tips<\/a><\/span>\n<ul>\n<li><span class=\"toc-item-body\" data-outline=\"5.2.1\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-SelectingtheTimeRange\">Selecting the Time Range<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"5.2.2\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-ViewingData\">Viewing Data<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"5.2.3\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-SelectingDisplayedField\">Selecting Displayed Field<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"5.2.4\"><a class=\"toc-link\" 
href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-BasicSearch\">Basic Search<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"5.2.5\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-WildcardSearch\">Wildcard Search<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"5.2.6\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-SubstringSearch\">Substring Search<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"5.2.7\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-SearchforaStringThatContainsWordBoundaries\">Search for a String That Contains Word Boundaries<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"5.2.8\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-Searchingfortextthatcontainscolons(:)\">Searching for text that contains colons (:)<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"5.2.9\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-ExcludingDataFromaSearch\">Excluding Data From a Search<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"5.2.10\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-Inspect\">Inspect<\/a><\/span><\/li>\n<\/ul>\n<\/li>\n<li><span class=\"toc-item-body\" data-outline=\"5.3\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-NewDiscover\">New Discover<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"5.4\"><a class=\"toc-link\" 
href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-SavingSearches\">Saving Searches<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"5.5\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-ExportingReportData\">Exporting Report Data<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"5.6\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-AccessingSavedQueries\">Accessing Saved Queries<\/a><\/span><\/li>\n<\/ul>\n<\/li>\n<li><span class=\"toc-item-body\" data-outline=\"6\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-CreatingVisualizations\">Creating Visualizations<\/a><\/span>\n<ul>\n<li><span class=\"toc-item-body\" data-outline=\"6.1\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-General\">General<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"6.2\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-TSVB(TimeSeriesVisualizationBuilder)\">TSVB (Time Series Visualization Builder)<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"6.3\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-MapVisualizations\">Map Visualizations<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"6.4\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-TimeLine\">TimeLine<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"6.5\"><a class=\"toc-link\" 
href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-Vega\">Vega<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"6.6\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-LearningVega\">Learning Vega<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"6.7\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-DebuggingVegaGraphs\">Debugging Vega Graphs<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"6.8\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-VegaSample\u2013HorizontalLinewithBaseline\">Vega Sample \u2013 Horizontal Line with Baseline<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"6.9\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-OtherTypes:\">Other Types:<\/a><\/span><\/li>\n<\/ul>\n<\/li>\n<li><span class=\"toc-item-body\" data-outline=\"7\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-CreatingaDashboard\">Creating a Dashboard<\/a><\/span>\n<ul>\n<li><span class=\"toc-item-body\" data-outline=\"7.1\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-General.1\">General<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"7.2\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-Dashboard\">Dashboard<\/a><\/span><\/li>\n<li><span class=\"toc-item-body\" data-outline=\"7.3\"><a class=\"toc-link\" href=\"https:\/\/wiki.windstream.com\/display\/NBDAML\/OpenSearch+User+Guide#OpenSearchUserGuide-ObservabilityDashboard\">Observability 
Dashboard<\/a><\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/div>\n<h1 id=\"OpenSearchUserGuide-Overview\">Overview<\/h1>\n<p>The SYSLOG platform is a set of applications commonly known as ELK (ElasticSearch, Logstash, and Kibana). We will be replacing ElasticSearch with OpenSearch in the upcoming months. Currently, the development platform has been upgraded and is available for anyone who wants to check it out. The new website is called &#8220;OpenSearch Dashboards&#8221;. While maintaining a similar &#8220;look and feel&#8221; to the current Kibana platform, moving to OpenSearch provides us with new features such as <a class=\"external-link\" href=\"https:\/\/opensearch.org\/docs\/latest\/ml-commons-plugin\/\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">machine learning for data analytics<\/a> and <a class=\"external-link\" href=\"https:\/\/opensearch.org\/docs\/2.13\/im-plugin\/index-rollups\/index\/\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">rollup indices<\/a>.<\/p>\n<h2 id=\"OpenSearchUserGuide-WhatisElasticSearch?\">What is ElasticSearch?<\/h2>\n<p><a class=\"external-link\" href=\"https:\/\/www.elastic.co\/\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">ElasticSearch<\/a>, based on the <a class=\"external-link\" href=\"https:\/\/github.com\/apache\/lucene\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">Lucene search software<\/a>, is a distributed search and analytics application that ingests, stores, and indexes data. Kibana is a web-based front-end providing user access to data stored within ElasticSearch.<\/p>\n<h2 id=\"OpenSearchUserGuide-WhatisOpenSearch?\">What is OpenSearch?<\/h2>\n<p>In short, it&#8217;s the same but different. OpenSearch is also based on the Lucene search software, is designed to be a distributed search and analytics application, and ingests\/stores\/indexes data. 
If it&#8217;s essentially the same thing, <em>why<\/em> does OpenSearch exist? ElasticSearch was initially licensed under the open-source Apache 2.0 license \u2013 a rather permissive free software license. <a class=\"external-link\" href=\"https:\/\/www.elastic.co\/blog\/why-license-change-aws\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">ElasticCo did not agree with how their software was being used by Amazon<\/a>; and, in 2021, the <a class=\"external-link\" href=\"https:\/\/www.elastic.co\/blog\/licensing-change\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">license for ElasticSearch was changed to Server Side Public License<\/a> (SSPL). One of the requirements of SSPL is that anyone who implements the software and sells their implementation as a service needs to publish their source code under the SSPL license \u2013 not just changes made to the original program but <em>all<\/em> other software a user would require to run the software-as-a-service environment for themselves. Amazon used ElasticSearch for their Amazon Elasticsearch Service offering, but was unable\/unwilling to continue doing so under the new license terms. 
In April of 2021, <a class=\"external-link\" href=\"https:\/\/aws.amazon.com\/blogs\/opensource\/introducing-opensearch\/\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">Amazon Web Services created a fork of ElasticSearch as the basis for OpenSearch<\/a>.<\/p>\n<h2 id=\"OpenSearchUserGuide-DifferencesBetweenOpenSearchandElasticSearch\">Differences Between OpenSearch and ElasticSearch<\/h2>\n<p>After the OpenSearch fork was created, the product roadmap for ElasticSearch was driven by ElasticCo and the <a class=\"external-link\" href=\"https:\/\/github.com\/orgs\/opensearch-project\/projects\/1\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">roadmap for OpenSearch<\/a> was community driven (with significant oversight and input from Amazon) \u2013 this means the products are not identical although they provide the same core functionality. Elastic publishes a list of <a class=\"external-link\" href=\"https:\/\/www.elastic.co\/what-is\/opensearch#what-are-some-elasticsearch-and-kibana-features-that-are-not-available-in-the-opensearch-project\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">features unique to ElasticSearch<\/a>, and the underlying machine learning algorithms are different. 
However, the important components of the &#8220;unique&#8221; feature list have been implemented in OpenSearch over time.<\/p>\n<h1 id=\"OpenSearchUserGuide-RequestingAccess\">Requesting Access<\/h1>\n<p>Access to the OpenSearch environment can be requested via a Microsoft Forms form.<\/p>\n<p>Managers can request access for their direct reports at <a class=\"external-link\" href=\"https:\/\/forms.microsoft.com\/Pages\/ResponsePage.aspx?id=wbRnJe2w9UCu41jXxfPisjf18JL-t61BkoGkoNxr24lUN1laRDhaU0lRMzRHVzNZRkdCSTlXQUFNNSQlQCN0PWcu\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">https:\/\/forms.microsoft.com\/Pages\/ResponsePage.aspx?id=wbRnJe2w9UCu41jXxfPisjf18JL-t61BkoGkoNxr24lUN1laRDhaU0lRMzRHVzNZRkdCSTlXQUFNNSQlQCN0PWcu<\/a><\/p>\n<p>Individuals can request access, to be approved by their manager, at <a class=\"external-link\" href=\"https:\/\/forms.microsoft.com\/Pages\/ResponsePage.aspx?id=wbRnJe2w9UCu41jXxfPisjf18JL-t61BkoGkoNxr24lUMk0zRVJIQURTTFc0RkpKOTdINkREM0s4MiQlQCN0PWcu\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">https:\/\/forms.microsoft.com\/Pages\/ResponsePage.aspx?id=wbRnJe2w9UCu41jXxfPisjf18JL-t61BkoGkoNxr24lUMk0zRVJIQURTTFc0RkpKOTdINkREM0s4MiQlQCN0PWcu<\/a><\/p>\n<h1 id=\"OpenSearchUserGuide-LoggingIn\">Logging In<\/h1>\n<p>You will be able to log into the OpenSearch Dashboards site using the same <a class=\"external-link\" href=\"https:\/\/syslogging.vip.windstream.net:5601\/\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">https:\/\/syslogging.vip.windstream.net:5601\/<\/a> URL. 
For now, though, the DEV OpenSearch installation is available at <a class=\"external-link\" href=\"https:\/\/ltrkarkvm1577.mgmt.windstream.net:5601\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">https:\/\/ltrkarkvm1577.mgmt.windstream.net:5601<\/a> \u2013 log in through PingID.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image confluence-thumbnail\" src=\"https:\/\/wiki.windstream.com\/download\/thumbnails\/473697523\/image2024-4-4_13-35-23.png?version=1&amp;modificationDate=1712252124000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_13-35-23.png?version=1&amp;modificationDate=1712252124000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697551\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_13-35-23.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>You will then be at the OpenSearch Dashboards home page.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_13-36-4.png?version=1&amp;modificationDate=1712252164000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_13-36-4.png?version=1&amp;modificationDate=1712252164000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697552\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_13-36-4.png\" data-base-url=\"https:\/\/wiki.windstream.com\" 
data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>To navigate around the site, click on the hamburger button in the upper left-hand corner of the page.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_13-36-39.png?version=1&amp;modificationDate=1712252199000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_13-36-39.png?version=1&amp;modificationDate=1712252199000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697553\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_13-36-39.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h1 id=\"OpenSearchUserGuide-SwitchingTenants\">Switching Tenants<\/h1>\n<p>Data from different sources is sorted into &#8220;tenants&#8221; \u2013 you may only have access to a single tenant. In the upper right-hand corner of the page, there will be a circle with a letter \u2013 click that circle. The current tenant will be displayed under your username (the tenant shown here is &#8216;admin_tenant&#8217;). 
On the same menu, there is an option to &#8220;Switch tenants&#8221;.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image confluence-thumbnail\" src=\"https:\/\/wiki.windstream.com\/download\/thumbnails\/473697523\/image2024-4-4_13-40-53.png?version=1&amp;modificationDate=1712252454000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_13-40-53.png?version=1&amp;modificationDate=1712252454000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697558\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_13-40-53.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Clicking &#8220;Switch tenants&#8221; will bring up a new pane \u2013 you can choose the tenant you want from the drop-down. 
Click &#8220;Confirm&#8221; to switch to the selected tenant.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_13-42-7.png?version=1&amp;modificationDate=1712252527000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_13-42-7.png?version=1&amp;modificationDate=1712252527000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697559\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_13-42-7.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h1 id=\"OpenSearchUserGuide-Searching\">Searching<\/h1>\n<h2 id=\"OpenSearchUserGuide-Searching:DiscoverOverview\">Searching: Discover Overview<\/h2>\n<p>To perform ad hoc queries against stored data, use the hamburger button to expand the left-hand navigation menu and select &#8220;Discover&#8221;.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image confluence-thumbnail\" src=\"https:\/\/wiki.windstream.com\/download\/thumbnails\/473697523\/image2024-4-5_10-37-50.png?version=1&amp;modificationDate=1712327871000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-5_10-37-50.png?version=1&amp;modificationDate=1712327871000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697843\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-5_10-37-50.png\" data-base-url=\"https:\/\/wiki.windstream.com\" 
data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>&#8220;Discover&#8221; lets you perform ad hoc queries against the stored data using the same query language as was used in ElasticSearch.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_13-37-57.png?version=1&amp;modificationDate=1712252278000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_13-37-57.png?version=1&amp;modificationDate=1712252278000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697555\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_13-37-57.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>You will notice that &#8220;documents&#8221; stored in OpenSearch are made up of key:value pairs (a field name and its data) \u2013 this example contains &#8220;fields&#8221; such as &#8220;log.offset&#8221;, &#8220;agent.hostname&#8221;, &#8220;@timestamp&#8221;, &#8220;source&#8221;, &#8220;tags&#8221;, &#8220;hostname&#8221;, &#8220;input.type&#8221;, &#8220;index&#8221;, &#8220;Sourcetype&#8221;, &#8220;host.hostname&#8221;, and &#8220;host.architecture&#8221;. 
Each field has a value &#8212; &#8220;@timestamp&#8221; is August 17, 2022 at 16:21:20.518\u00a0\u2013 and you can use the search to find documents matching your criteria.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2022-8-17_16-21-48.png?version=1&amp;modificationDate=1712252955000&amp;api=v2\" height=\"163\" data-image-src=\"\/download\/attachments\/473697523\/image2022-8-17_16-21-48.png?version=1&amp;modificationDate=1712252955000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697566\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2022-8-17_16-21-48.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h2 id=\"OpenSearchUserGuide-SearchTips\">Search Tips<\/h2>\n<h3 id=\"OpenSearchUserGuide-SelectingtheTimeRange\">Selecting the Time Range<\/h3>\n<p>When you search stored data, the default is to search the last 15 minutes of data. 
To change this time range, click on the calendar icon next to the &#8220;Last 15 minutes&#8221; text and select the time range you want to display.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-5_10-39-45.png?version=1&amp;modificationDate=1712327986000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-5_10-39-45.png?version=1&amp;modificationDate=1712327986000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697845\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-5_10-39-45.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>To search for a specific time range, click on the &#8220;Show dates&#8221; text.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-5_10-42-39.png?version=1&amp;modificationDate=1712328159000&amp;api=v2\" height=\"127\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-5_10-42-39.png?version=1&amp;modificationDate=1712328159000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697846\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-5_10-42-39.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" 
\/><\/span><\/p>\n<p>There will now be two fields for the start and end of the time span. You can click on either the start or end time to set those values. Clicking on one, you will see three options\u00a0\u2013 &#8220;Now&#8221; means the range start\/end will be set to whatever the current date\/time is when the search is performed or refreshed. &#8220;Relative&#8221; allows you to specify an interval (I know this happened in the last three hours, so I can search from 3 hours ago to now).<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-5_10-45-22.png?version=1&amp;modificationDate=1712328323000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-5_10-45-22.png?version=1&amp;modificationDate=1712328323000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697852\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-5_10-45-22.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>&#8220;Absolute&#8221; allows you to choose a specific date and time.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image confluence-thumbnail\" src=\"https:\/\/wiki.windstream.com\/download\/thumbnails\/473697523\/image2024-4-5_10-48-4.png?version=1&amp;modificationDate=1712328485000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-5_10-48-4.png?version=1&amp;modificationDate=1712328485000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697858\" 
data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-5_10-48-4.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h3 id=\"OpenSearchUserGuide-ViewingData\">Viewing Data<\/h3>\n<p>When viewing log data, there are several parts of the screen. The top-right quadrant has a histogram showing how many matching documents have been found over the time interval.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-5_10-54-19.png?version=1&amp;modificationDate=1712328860000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-5_10-54-19.png?version=1&amp;modificationDate=1712328860000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697863\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-5_10-54-19.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Hovering your mouse over a column will show you the exact count and time interval \u2013 in this example, each column represents a 10-minute period, and 2,788 documents matched the search.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image confluence-thumbnail\" src=\"https:\/\/wiki.windstream.com\/download\/thumbnails\/473697523\/image2024-4-5_10-55-41.png?version=1&amp;modificationDate=1712328941000&amp;api=v2\" 
height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-5_10-55-41.png?version=1&amp;modificationDate=1712328941000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697864\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-5_10-55-41.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Below the histogram, you will see the records \u2013 the default display has the document timestamp and the entire message (Source). To view a single record, click the magnifying glass icon next to the record.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image confluence-thumbnail\" src=\"https:\/\/wiki.windstream.com\/download\/thumbnails\/473697523\/image2024-4-5_10-57-43.png?version=1&amp;modificationDate=1712329063000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-5_10-57-43.png?version=1&amp;modificationDate=1712329063000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697865\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-5_10-57-43.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>A new pane will appear on the right-hand side with the document details.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" 
src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-5_10-58-37.png?version=1&amp;modificationDate=1712329117000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-5_10-58-37.png?version=1&amp;modificationDate=1712329117000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697866\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-5_10-58-37.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Clicking the &#8220;+&#8221; before a field value will filter the records to <em>just<\/em> those where the field has the value displayed.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-5_11-8-38.png?version=1&amp;modificationDate=1712329719000&amp;api=v2\" height=\"240\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-5_11-8-38.png?version=1&amp;modificationDate=1712329719000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697874\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-5_11-8-38.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>In this example, we now have all records where &#8220;Action&#8221; is &#8220;Login&#8221;.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" 
src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-5_11-11-12.png?version=1&amp;modificationDate=1712329873000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-5_11-11-12.png?version=1&amp;modificationDate=1712329873000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697877\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-5_11-11-12.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>And finally, the left-hand column displays the fields found within the documents. Clicking the magnifying glass next to a field will display the top 5 frequently occurring values for that field \u2013 7.7% of the records have &#8220;TELNET&#8221; as the port value in this example.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-5_11-0-55.png?version=1&amp;modificationDate=1712329255000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-5_11-0-55.png?version=1&amp;modificationDate=1712329255000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697867\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-5_11-0-55.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Clicking on the + next to the TELNET value will filter the searched records to just those where 
Port is TELNET \u2013 clicking the minus would filter records to everything where Port is <em>not<\/em> TELNET.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-5_11-2-13.png?version=1&amp;modificationDate=1712329333000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-5_11-2-13.png?version=1&amp;modificationDate=1712329333000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697870\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-5_11-2-13.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h3 id=\"OpenSearchUserGuide-SelectingDisplayedField\">Selecting Displayed Field<\/h3>\n<p>When viewing the field list, you can click the plus icon next to a field to add it as a column in the data table.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image confluence-thumbnail\" src=\"https:\/\/wiki.windstream.com\/download\/thumbnails\/473697523\/image2024-4-5_10-51-55.png?version=1&amp;modificationDate=1712328715000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-5_10-51-55.png?version=1&amp;modificationDate=1712328715000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697861\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-5_10-51-55.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" 
data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>The fields displayed in the table will be listed in &#8220;Selected Fields&#8221; at the top of the fields list.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-5_10-51-35.png?version=1&amp;modificationDate=1712328695000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-5_10-51-35.png?version=1&amp;modificationDate=1712328695000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697860\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-5_10-51-35.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Clicking the red X next to a selected field will remove it from the data table.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image confluence-thumbnail\" src=\"https:\/\/wiki.windstream.com\/download\/thumbnails\/473697523\/image2024-4-5_11-6-3.png?version=1&amp;modificationDate=1712329563000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-5_11-6-3.png?version=1&amp;modificationDate=1712329563000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697871\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-5_11-6-3.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" 
data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h3 id=\"OpenSearchUserGuide-BasicSearch\">Basic Search<\/h3>\n<p>To search for a full string, indicate the field name that you want to search followed by a colon. Then enter what you want to find. As an example, finding records from the BNG named bng04.lncl01-ne.us.windstream.net means entering<\/p>\n<pre>hostname: bng04.lncl01-ne.us.windstream.net<\/pre>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2022-8-17_16-19-10.png?version=1&amp;modificationDate=1712252955000&amp;api=v2\" height=\"400\" data-image-src=\"\/download\/attachments\/473697523\/image2022-8-17_16-19-10.png?version=1&amp;modificationDate=1712252955000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697567\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2022-8-17_16-19-10.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h3 id=\"OpenSearchUserGuide-WildcardSearch\">Wildcard Search<\/h3>\n<p>You can use ? 
to match any single character \u2013 this is useful when you are searching for a number of hosts simultaneously (dns??.example.com will match dns01.example.com through dns99.example.com).<\/p>\n<p>You can use * to match zero or more characters \u2013 this means dns*.example.com would match dns.example.com, dns1.example.com, and dns1234568793.example.com.<\/p>\n<h3 id=\"OpenSearchUserGuide-SubstringSearch\">Substring Search<\/h3>\n<p>To search for a substring, use * around your search string \u2013 looking for documents from any of the devices with inmn01-sc in their name, search for:<\/p>\n<pre>\"source\": *inmn01-sc.us*<\/pre>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2022-9-30_14-7-16.png?version=1&amp;modificationDate=1712252955000&amp;api=v2\" height=\"400\" data-image-src=\"\/download\/attachments\/473697523\/image2022-9-30_14-7-16.png?version=1&amp;modificationDate=1712252955000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697568\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2022-9-30_14-7-16.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h3 id=\"OpenSearchUserGuide-SearchforaStringThatContainsWordBoundaries\">Search for a String That Contains Word Boundaries<\/h3>\n<p>When your search string contains something the tokenizer considers a word boundary (the &#8220;.&#8221; characters in hostnames, for example), you may find the results contain more than you want. 
In other words, searching for <em>foo.bar<\/em> will return any document matching <em>foo<\/em> and any document matching <em>bar<\/em>.<\/p>\n<p>You can add * as a wildcard around your substring \u2013 to find any of the lncl01-ne.us devices, search for:<\/p>\n<pre>hostname: *lncl01-ne.us*<\/pre>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2022-8-17_16-28-52.png?version=1&amp;modificationDate=1712252956000&amp;api=v2\" height=\"400\" data-image-src=\"\/download\/attachments\/473697523\/image2022-8-17_16-28-52.png?version=1&amp;modificationDate=1712252956000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697569\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2022-8-17_16-28-52.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h3 id=\"OpenSearchUserGuide-Searchingfortextthatcontainscolons(:)\">Searching for text that contains colons (:)<\/h3>\n<p>If you are searching for a string that contains colons (for example a MAC address), you need to add quotes around the string:<\/p>\n<pre>message: \"94:1c:56:1c:5b:11\" and hostname: *lncl01-ne.us*<\/pre>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2022-8-17_16-32-10.png?version=1&amp;modificationDate=1712252956000&amp;api=v2\" height=\"400\" 
data-image-src=\"\/download\/attachments\/473697523\/image2022-8-17_16-32-10.png?version=1&amp;modificationDate=1712252956000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697570\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2022-8-17_16-32-10.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h3 id=\"OpenSearchUserGuide-ExcludingDataFromaSearch\">Excluding Data From a Search<\/h3>\n<p>Your query may return too many records, some of which aren&#8217;t relevant (in this case, we&#8217;re getting a lot of log data and don&#8217;t really care about the &#8220;stuff&#8221; from \/var\/log\/messages, which is basically OS-related logs). To exclude data, add &#8220;not&#8221; to your query. As an example:<\/p>\n<pre>hostname: *lncl01-ne.us* and not source:\"\/var\/log\/messages\"<\/pre>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2022-8-17_16-37-34.png?version=1&amp;modificationDate=1712252956000&amp;api=v2\" height=\"400\" data-image-src=\"\/download\/attachments\/473697523\/image2022-8-17_16-37-34.png?version=1&amp;modificationDate=1712252956000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697571\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2022-8-17_16-37-34.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h3 
id=\"OpenSearchUserGuide-Inspect\">Inspect<\/h3>\n<p>Inspect will show you information about the data presented in the search.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_13-48-47.png?version=1&amp;modificationDate=1712252927000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_13-48-47.png?version=1&amp;modificationDate=1712252927000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697565\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_13-48-47.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Clicking on &#8220;Request&#8221; will show you the API search request that has been made \u2013 this is useful for people building programmatic access to data. 
You can copy\/paste the JSON text and submit it to the <a class=\"external-link\" href=\"https:\/\/opensearch.org\/docs\/latest\/api-reference\/search\/\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">OpenSearch search API<\/a>.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_13-49-48.png?version=1&amp;modificationDate=1712252988000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_13-49-48.png?version=1&amp;modificationDate=1712252988000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697572\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_13-49-48.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h2 id=\"OpenSearchUserGuide-NewDiscover\">New Discover<\/h2>\n<p>In addition to the search that matches Kibana, OpenSearch also includes a new search interface. 
Click &#8220;Try new Discover&#8221; to switch (you can always click &#8220;Use legacy Discover&#8221; to switch back!)<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_13-47-26.png?version=1&amp;modificationDate=1712252846000&amp;api=v2\" height=\"193\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_13-47-26.png?version=1&amp;modificationDate=1712252846000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697561\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_13-47-26.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>The query language and basic functionality are the same, but information is presented in a different format.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_13-47-52.png?version=1&amp;modificationDate=1712252872000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_13-47-52.png?version=1&amp;modificationDate=1712252872000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697562\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_13-47-52.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" 
\/><\/span><\/p>\n<h2 id=\"OpenSearchUserGuide-SavingSearches\">Saving Searches<\/h2>\n<p>Clicking &#8220;Save&#8221; will bring up a new pane that allows you to save a query for future use.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_13-51-46.png?version=1&amp;modificationDate=1712253107000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_13-51-46.png?version=1&amp;modificationDate=1712253107000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697590\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_13-51-46.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h2 id=\"OpenSearchUserGuide-ExportingReportData\">Exporting Report Data<\/h2>\n<p>Saving a query allows you to click on &#8220;Reporting&#8221; to export data.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_13-53-18.png?version=1&amp;modificationDate=1712253198000&amp;api=v2\" height=\"229\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_13-53-18.png?version=1&amp;modificationDate=1712253198000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697592\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_13-53-18.png\" data-base-url=\"https:\/\/wiki.windstream.com\" 
data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>This will bring up a menu that allows you to generate a CSV file with the matching records.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image confluence-thumbnail\" src=\"https:\/\/wiki.windstream.com\/download\/thumbnails\/473697523\/image2024-4-4_13-53-59.png?version=1&amp;modificationDate=1712253240000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_13-53-59.png?version=1&amp;modificationDate=1712253240000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697594\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_13-53-59.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h2 id=\"OpenSearchUserGuide-AccessingSavedQueries\">Accessing Saved Queries<\/h2>\n<p>To access a saved query, select &#8220;Open&#8221;.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_13-56-10.png?version=1&amp;modificationDate=1712253370000&amp;api=v2\" height=\"195\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_13-56-10.png?version=1&amp;modificationDate=1712253370000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697600\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_13-56-10.png\" 
data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>On the new menu, select the saved query you wish to view.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_13-56-43.png?version=1&amp;modificationDate=1712253403000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_13-56-43.png?version=1&amp;modificationDate=1712253403000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697602\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_13-56-43.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h1 id=\"OpenSearchUserGuide-CreatingVisualizations\">Creating Visualizations<\/h1>\n<h2 id=\"OpenSearchUserGuide-General\">General<\/h2>\n<p>To create a new visualization, use the hamburger button to expand the left-hand navigation menu and click &#8220;Visualize&#8221;. 
You will be able to view any existing visualizations.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image confluence-thumbnail\" src=\"https:\/\/wiki.windstream.com\/download\/thumbnails\/473697523\/image2024-4-4_14-6-44.png?version=1&amp;modificationDate=1712254005000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_14-6-44.png?version=1&amp;modificationDate=1712254005000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697616\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_14-6-44.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Click &#8220;Create visualization&#8221; to create a new visualization.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_14-7-38.png?version=1&amp;modificationDate=1712254058000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_14-7-38.png?version=1&amp;modificationDate=1712254058000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697655\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_14-7-38.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>You&#8217;ll need to select the type of visualization you wish to 
create.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_14-9-2.png?version=1&amp;modificationDate=1712254142000&amp;api=v2\" height=\"400\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_14-9-2.png?version=1&amp;modificationDate=1712254142000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697659\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_14-9-2.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_14-8-39.png?version=1&amp;modificationDate=1712254119000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_14-8-39.png?version=1&amp;modificationDate=1712254119000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697658\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_14-8-39.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h2 id=\"OpenSearchUserGuide-TSVB(TimeSeriesVisualizationBuilder)\">TSVB (Time Series Visualization Builder)<\/h2>\n<p>The Time Series Visualization Builder (TSVB) is a GUI visualization builder to create graphs from time series data. 
This means the x-axis will be datetime values and the y-axis will be the data you want to visualize over the time period. To create a new visualization of this type, select \u201cTSVB\u201d on the \u201cNew Visualization\u201d menu.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2022-7-13_15-1-23.png?version=1&amp;modificationDate=1712254041000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2022-7-13_15-1-23.png?version=1&amp;modificationDate=1712254041000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697617\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2022-7-13_15-1-23.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Scroll down and select \u201cPanel options\u201d \u2013 here you specify the index you want to visualize. Select the field that will be used as <em>the time<\/em> for each document (e.g. if your document has a special field like eventOccuredAt, you\u2019d select that here). 
I generally leave the time interval at \u2018auto\u2019 \u2013 although you might specifically want to present a daily or hourly report.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2022-7-13_15-1-29.png?version=1&amp;modificationDate=1712254041000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2022-7-13_15-1-29.png?version=1&amp;modificationDate=1712254041000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697618\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2022-7-13_15-1-29.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Once you have selected the index, return to the \u201cData\u201d tab. First, select the type of aggregation you want to use. 
In this example, we are showing the number of documents for a variety of policies.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2022-7-13_15-1-34.png?version=1&amp;modificationDate=1712254041000&amp;api=v2\" height=\"190\" data-image-src=\"\/download\/attachments\/473697523\/image2022-7-13_15-1-34.png?version=1&amp;modificationDate=1712254041000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697619\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2022-7-13_15-1-34.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>The \u201cGroup by\u201d dropdown allows you to have chart lines for different categories (instead of just having the count of documents over the time series, which is what \u201cEverything\u201d produces) \u2013 to use document data to create the groupings, select \u201cTerms\u201d.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2022-7-13_15-1-41.png?version=1&amp;modificationDate=1712254041000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2022-7-13_15-1-41.png?version=1&amp;modificationDate=1712254041000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697620\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2022-7-13_15-1-41.png\" data-base-url=\"https:\/\/wiki.windstream.com\" 
data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Select the field you want to group on \u2013 in this case, I want the count for each unique \u201cpolicyname\u201d value, so I selected \u201cpolicyname.keyword\u201d as the grouping term.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2022-7-13_15-1-47.png?version=1&amp;modificationDate=1712254041000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2022-7-13_15-1-47.png?version=1&amp;modificationDate=1712254041000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697621\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2022-7-13_15-1-47.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Voila \u2013 a time series chart showing how many documents are found for each policy name. 
Click \u201cSave\u201d at the top left of the chart to save the visualization.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2022-7-13_15-1-57.png?version=1&amp;modificationDate=1712254042000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2022-7-13_15-1-57.png?version=1&amp;modificationDate=1712254042000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697622\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2022-7-13_15-1-57.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Provide a name for the visualization, write a brief description, and click \u201cSave\u201d. 
The visualization will now be available for others to view or for inclusion in dashboards.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image confluence-thumbnail\" src=\"https:\/\/wiki.windstream.com\/download\/thumbnails\/473697523\/image2022-7-13_15-2-2.png?version=1&amp;modificationDate=1712254042000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2022-7-13_15-2-2.png?version=1&amp;modificationDate=1712254042000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697623\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2022-7-13_15-2-2.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>&nbsp;<\/p>\n<h2 id=\"OpenSearchUserGuide-MapVisualizations\">Map Visualizations<\/h2>\n<p>Before we can use map details in OpenSearch visualizations, we need to add fields with the geographic information. The first few steps are something the ELK admin staff will need to do in order to map source and\/or destination IPs to geographic information. 
Once GeoIP information is available in the index pattern, select the \u201cMaps\u201d visualization<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2023-1-26_16-4-7.png?version=1&amp;modificationDate=1712254043000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2023-1-26_16-4-7.png?version=1&amp;modificationDate=1712254043000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697632\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2023-1-26_16-4-7.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Leave the road map layer there (otherwise you won\u2019t see the countries!)<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2023-1-26_16-4-12.png?version=1&amp;modificationDate=1712254043000&amp;api=v2\" height=\"237\" data-image-src=\"\/download\/attachments\/473697523\/image2023-1-26_16-4-12.png?version=1&amp;modificationDate=1712254043000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697633\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2023-1-26_16-4-12.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Select \u2018Documents\u2019 as the data source to 
link in ElasticSearch data<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image confluence-thumbnail\" src=\"https:\/\/wiki.windstream.com\/download\/thumbnails\/473697523\/image2023-1-26_16-4-19.png?version=1&amp;modificationDate=1712254043000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2023-1-26_16-4-19.png?version=1&amp;modificationDate=1712254043000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697634\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2023-1-26_16-4-19.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>&nbsp;<\/p>\n<p>Select the index pattern that contains your data source (if your index pattern does not appear, then Kibana doesn\u2019t recognize the pattern as containing geographic fields \u2026 I\u2019ve had to delete and recreate my index pattern so the geographic fields were properly mapped &#8230; but refreshing the fields <em>should<\/em> be sufficient).<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2023-1-26_16-4-29.png?version=1&amp;modificationDate=1712254043000&amp;api=v2\" height=\"400\" data-image-src=\"\/download\/attachments\/473697523\/image2023-1-26_16-4-29.png?version=1&amp;modificationDate=1712254043000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697635\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2023-1-26_16-4-29.png\" 
data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>And select the field(s) that contain geographic details:<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image confluence-thumbnail\" src=\"https:\/\/wiki.windstream.com\/download\/thumbnails\/473697523\/image2023-1-26_16-5-0.png?version=1&amp;modificationDate=1712254044000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2023-1-26_16-5-0.png?version=1&amp;modificationDate=1712254044000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697636\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2023-1-26_16-5-0.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>You can name the layer<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2023-1-26_16-5-7.png?version=1&amp;modificationDate=1712254044000&amp;api=v2\" height=\"219\" data-image-src=\"\/download\/attachments\/473697523\/image2023-1-26_16-5-7.png?version=1&amp;modificationDate=1712254044000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697637\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2023-1-26_16-5-7.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" 
data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>And add a tool tip that will include the country code or name<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2023-1-26_16-5-12.png?version=1&amp;modificationDate=1712254044000&amp;api=v2\" height=\"199\" data-image-src=\"\/download\/attachments\/473697523\/image2023-1-26_16-5-12.png?version=1&amp;modificationDate=1712254044000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697638\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2023-1-26_16-5-12.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Under \u201cTerm joins\u201d, add a new join. 
Click on \u201cJoin &#8211;select&#8211;\u201d to link a field from the map to a field in your dataset.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2023-1-26_16-5-16.png?version=1&amp;modificationDate=1712254044000&amp;api=v2\" height=\"58\" data-image-src=\"\/download\/attachments\/473697523\/image2023-1-26_16-5-16.png?version=1&amp;modificationDate=1712254044000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697639\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2023-1-26_16-5-16.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>In this case, I am joining the two-character country codes &#8212;<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2023-1-26_16-5-22.png?version=1&amp;modificationDate=1712254044000&amp;api=v2\" height=\"400\" data-image-src=\"\/download\/attachments\/473697523\/image2023-1-26_16-5-22.png?version=1&amp;modificationDate=1712254044000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697640\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2023-1-26_16-5-22.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Normally, you can leave the \u201cand use metric 
count\u201d in place (the map is color coded by the number of requests coming from each country). If you want to add a filter, you can click the \u201cwhere &#8212; add filter &#8211;&#8221; link to edit the filter.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2023-1-26_16-5-30.png?version=1&amp;modificationDate=1712254044000&amp;api=v2\" height=\"191\" data-image-src=\"\/download\/attachments\/473697523\/image2023-1-26_16-5-30.png?version=1&amp;modificationDate=1712254044000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697641\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2023-1-26_16-5-30.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>In this example, I don\u2019t want to filter the data, so I\u2019ve left that at the default.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2023-1-26_16-5-36.png?version=1&amp;modificationDate=1712254044000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2023-1-26_16-5-36.png?version=1&amp;modificationDate=1712254044000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697642\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2023-1-26_16-5-36.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" 
data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Click \u201cSave &amp; close\u201d to save the changes to the map visualization. To view your map, you won\u2019t find it under Visualizations \u2013 instead, click \u201cMaps\u201d along the left-hand navigation menu.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2023-1-26_16-5-41.png?version=1&amp;modificationDate=1712254044000&amp;api=v2\" height=\"400\" data-image-src=\"\/download\/attachments\/473697523\/image2023-1-26_16-5-41.png?version=1&amp;modificationDate=1712254044000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697643\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2023-1-26_16-5-41.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Voila \u2013 a map where the shading on a country gets darker the more requests have come from the country.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2023-1-26_16-5-55.png?version=1&amp;modificationDate=1712254045000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2023-1-26_16-5-55.png?version=1&amp;modificationDate=1712254045000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697644\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" 
data-linked-resource-default-alias=\"image2023-1-26_16-5-55.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h2 id=\"OpenSearchUserGuide-TimeLine\">TimeLine<\/h2>\n<p>TimeLine can be used to build time series graphs.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_14-13-37.png?version=1&amp;modificationDate=1712254417000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_14-13-37.png?version=1&amp;modificationDate=1712254417000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697674\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_14-13-37.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>&nbsp;<\/p>\n<p>This visualization type is a little cryptic \u2013 you need to enter <a class=\"external-link\" href=\"https:\/\/www.elastic.co\/guide\/en\/kibana\/current\/timelion.html\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">Timelion expression<\/a> &#8212; just change the &#8220;.es(&#8230;)&#8221; to &#8220;.opensearch(&#8230;)&#8221; to retrieve data from OpenSearch<\/p>\n<p>If there is null data at a time value, TimeLine will draw a discontinuous line. 
You can modify this behavior by specifying a <a class=\"external-link\" href=\"https:\/\/github.com\/elastic\/kibana\/tree\/main\/src\/plugins\/vis_types\/timelion\/server\/fit_functions\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">fit function<\/a>.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2022-7-13_15-3-11.png?version=1&amp;modificationDate=1712254045000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2022-7-13_15-3-11.png?version=1&amp;modificationDate=1712254045000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697646\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2022-7-13_15-3-11.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Note that you\u2019ll need to click \u201cUpdate\u201d to update the chart before you are able to save the visualization.<\/p>\n<h2 id=\"OpenSearchUserGuide-Vega\">Vega<\/h2>\n<p><a class=\"external-link\" href=\"https:\/\/www.elastic.co\/guide\/en\/kibana\/current\/vega.html\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">Vega<\/a> is an experimental visualization type.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2022-7-13_15-5-39.png?version=1&amp;modificationDate=1712254045000&amp;api=v2\" height=\"250\" 
data-image-src=\"\/download\/attachments\/473697523\/image2022-7-13_15-5-39.png?version=1&amp;modificationDate=1712254045000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697647\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2022-7-13_15-5-39.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>This is, by far, the most flexible but most complex approach to creating a visualization. I\u2019ve used it to create the Sankey visualization showing the source and destination countries from our firewall logs. Both <a class=\"external-link\" href=\"https:\/\/vega.github.io\/vega\/docs\/\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">Vega<\/a> and <a class=\"external-link\" href=\"https:\/\/vega.github.io\/vega-lite\/docs\/\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">Vega-Lite<\/a> grammars can be used. 
ElasticCo provides a <a class=\"external-link\" href=\"https:\/\/www.elastic.co\/blog\/getting-started-with-vega-visualizations-in-kibana\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">getting started guide<\/a>, and there are many examples online that you can use as the basis for your visualization.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2022-7-13_15-5-46.png?version=1&amp;modificationDate=1712254045000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2022-7-13_15-5-46.png?version=1&amp;modificationDate=1712254045000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697648\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2022-7-13_15-5-46.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h2 id=\"OpenSearchUserGuide-LearningVega\">Learning Vega<\/h2>\n<p>Both Vega and Vega-Lite are &#8230; not the best-documented grammars I&#8217;ve ever encountered. This means there&#8217;s a lot of trial and error involved in getting a chart set up. 
There&#8217;s a <a class=\"external-link\" href=\"https:\/\/vega.github.io\/editor\/#\/\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">Vega web editor<\/a> that allows you to see the data tables that are being used to create graphs \u2013 this lets you confirm your transformations and such are functional.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2022-7-22_15-45-16.png?version=1&amp;modificationDate=1712254045000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2022-7-22_15-45-16.png?version=1&amp;modificationDate=1712254045000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697649\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2022-7-22_15-45-16.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h2 id=\"OpenSearchUserGuide-DebuggingVegaGraphs\">Debugging Vega Graphs<\/h2>\n<p>If you open the browser&#8217;s developer console, you can access debugging information. This works when you are editing a visualization as well as when you are viewing one. To see a list of available functions, type VEGA_DEBUG. and a drop-down will show you what&#8217;s available. 
The command <code>VEGA_DEBUG.vega_spec<\/code> outputs pretty much everything about the chart.<\/p>\n<p><a class=\"external-link\" href=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2022\/07\/Kibana-ega-Debug-Functions.png\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\"><span class=\"confluence-embedded-file-wrapper\"><img loading=\"lazy\" decoding=\"async\" width=\"283\" height=\"294\" class=\"confluence-embedded-image wp-image-9166 confluence-external-resource\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2022\/07\/Kibana-ega-Debug-Functions.png\" data-image-src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2022\/07\/Kibana-ega-Debug-Functions.png\" \/><\/span><\/a><\/p>\n<p>To access the dataset being graphed with the Vega-Lite grammar, use <code>VEGA_DEBUG.view.data(\"source_0\")<\/code>; if you are using the Vega grammar, use the dataset name that you have defined.<\/p>\n<p><a class=\"external-link\" href=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2022\/07\/kibana-vega-debugging.png\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\"><span class=\"confluence-embedded-file-wrapper\"><img loading=\"lazy\" decoding=\"async\" width=\"974\" height=\"584\" class=\"confluence-embedded-image wp-image-9165 confluence-external-resource\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2022\/07\/kibana-vega-debugging.png\" data-image-src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2022\/07\/kibana-vega-debugging.png\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2022\/07\/kibana-vega-debugging.png 974w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2022\/07\/kibana-vega-debugging-300x180.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2022\/07\/kibana-vega-debugging-768x460.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2022\/07\/kibana-vega-debugging-750x450.png 750w\" 
sizes=\"auto, (max-width: 974px) 100vw, 974px\" \/><\/span><\/a><\/p>\n<h2 id=\"OpenSearchUserGuide-VegaSample\u2013HorizontalLinewithBaseline\">Vega Sample \u2013 Horizontal Line with Baseline<\/h2>\n<p>This is the graph that&#8217;s used for the OTDR scans \u2013 someone identifies a baseline &#8220;as good as this circuit is going to get&#8221; loss value that is retained forever, and that value is used as a comparison for future scans. Sounded easy enough \u2013 draw a horizontal line at this y-value. Finding <em>this<\/em> y-value required using an array of data elements instead of a single data element. Drawing the line, however, was challenging.<\/p>\n<p>There&#8217;s a &#8220;<a class=\"external-link\" href=\"https:\/\/vega.github.io\/vega\/docs\/marks\/rule\/\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">rule<\/a>&#8221; mark that draws a straight line between two points. You cannot just say &#8220;draw a line at <em>y<\/em> from 0 to some large value that&#8217;s going to be off the graph. 
You cannot just get the max value of the axis.<\/p>\n<p>The <a class=\"external-link\" href=\"https:\/\/vega.github.io\/vega\/docs\/transforms\/joinaggregate\/\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">joinaggregate transformation<\/a> method &#8212; which appends the aggregate value to each element of the dataset &#8212; was essential because I needed to know the <em>largest<\/em> datetime value that would appear in the chart:<\/p>\n<pre>{\"type\": \"joinaggregate\", \"fields\": [\"transformedtimestamp\"], \"ops\": [\"max\"], \"as\": [\"maxtime\"]}<\/pre>\n<p>The <a class=\"external-link\" href=\"https:\/\/vega.github.io\/vega\/docs\/transforms\/lookup\/\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">lookup transformation method<\/a> &#8212; which can access elements from other datasets &#8212; allowed me to get that maximum timestamp value into the baseline dataset. Except &#8230; lookup needs an exact match in the search field. 
Luckily, it <em>does<\/em> return a random (I presume either first or last &#8230; but it didn&#8217;t matter in this case because <em>all<\/em> records have the same max date value) record when multiple matches are found.<\/p>\n<p>So I used a <a class=\"external-link\" href=\"https:\/\/vega.github.io\/vega\/docs\/transforms\/formula\/\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">formula transformation method<\/a> to add a <a class=\"external-link\" href=\"https:\/\/vega.github.io\/vega\/docs\/expressions\/#constants\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">constant<\/a> to each record as well:<\/p>\n<pre>{\"type\": \"formula\", \"as\": \"pi\", \"expr\": \"PI\"}<\/pre>\n<p>Now that there&#8217;s a record to be found, I can add the max time from our scan data into our baseline data:<\/p>\n<pre>{\"type\": \"lookup\", \"from\": \"scandata\", \"key\": \"pi\", \"fields\": [\"pi\"], \"values\": [\"maxtime\"], \"as\": [\"maxtime\"]}<\/pre>\n<p>Voila &#8212; a chart with a horizontal line at the baseline loss value. Yes, I randomly copied a record to use as the baseline and selected the wrong one (why some scans are below the &#8220;good as it&#8217;s ever going to get&#8221; baseline value!). 
But &#8230; once we have live data coming into the system, we&#8217;ll have reasonable-looking graphs.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/Kibana-Vega-BaselineLineGraph.png?version=1&amp;modificationDate=1712254045000&amp;api=v2\" height=\"400\" data-image-src=\"\/download\/attachments\/473697523\/Kibana-Vega-BaselineLineGraph.png?version=1&amp;modificationDate=1712254045000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697650\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"Kibana-Vega-BaselineLineGraph.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>The Vega spec for this graph:<\/p>\n<pre>{\r\n\u00a0 \u00a0 \"$schema\": \"https:\/\/vega.github.io\/schema\/vega\/v4.json\",\r\n\u00a0 \u00a0 \"description\": \"Scan data with baseline\",\r\n\u00a0 \u00a0 \"padding\": 5,\r\n\u00a0 \u00a0 \"title\": {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"text\": \"Scan Data\",\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"frame\": \"bounds\",\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"anchor\": \"start\",\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"offset\": 12,\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"zindex\": 0\r\n\u00a0 \u00a0 \u00a0 },\r\n\u00a0 \u00a0 \"data\": [\r\n\u00a0 \u00a0 {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"name\": \"scandata\",\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"url\": {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"%context%\": true,\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 
\"%timefield%\": \"@timestamp\",\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"index\": \"traces-*\",\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"body\": {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"sort\": [{\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"@timestamp\": {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"order\": \"asc\"\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 }],\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"size\": 10000,\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"_source\":[\"@timestamp\",\"Events.Summary.total loss\"]\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 \u00a0 ,\"format\": { \"property\": \"hits.hits\"}\r\n\u00a0 \u00a0 \u00a0 \u00a0 ,\"transform\":[\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 {\"type\": \"formula\", \"expr\": \"datetime(datum._source['@timestamp'])\", \"as\": \"transformedtimestamp\"}\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 , {\"type\": \"joinaggregate\", \"fields\": [\"transformedtimestamp\"], \"ops\": [\"max\"], \"as\": [\"maxtime\"]}\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 , {\"type\": \"formula\", \"as\": \"pi\", \"expr\": \"PI\"}\r\n\u00a0 \u00a0 \u00a0 \u00a0 ]\r\n\u00a0 \u00a0 }\r\n\u00a0 ,\r\n\u00a0 \u00a0{\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"name\": \"baseline\",\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"url\": {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"%context%\": true,\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"index\": \"baselines*\",\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"body\": {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"sort\": [{\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"@timestamp\": {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"order\": \"desc\"\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 
\u00a0 }\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 }],\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"size\": 1,\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"_source\":[\"@timestamp\",\"Events.Summary.total loss\"]\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 \u00a0 ,\"format\": { \"property\": \"hits.hits\" }\r\n\u00a0 \u00a0 \u00a0 \u00a0 ,\"transform\":[\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 {\"type\": \"formula\", \"as\": \"pi\", \"expr\": \"PI\"}\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 , {\"type\": \"lookup\", \"from\": \"scandata\", \"key\": \"pi\", \"fields\": [\"pi\"], \"values\": [\"maxtime\"], \"as\": [\"maxtime\"]}\r\n\u00a0 \u00a0 \u00a0 \u00a0 ]\r\n\u00a0 }\r\n] \u00a0 \u00a0 \u00a0\r\n,\r\n\u00a0 \u00a0 \"scales\": [\r\n\u00a0 \u00a0 \u00a0 {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"name\": \"x\",\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"type\": \"point\",\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"range\": \"width\",\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"domain\": {\"data\": \"scandata\", \"field\": \"transformedtimestamp\"}\r\n\u00a0 \u00a0 \u00a0 },\r\n\u00a0 \u00a0 \u00a0 {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"name\": \"y\",\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"type\": \"linear\",\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"range\": \"height\",\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"nice\": true,\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"zero\": true,\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"domain\": {\"data\": \"scandata\", \"field\": \"_source.Events.Summary.total loss\"}\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 ],\r\n\u00a0 \u00a0 \u00a0 \u00a0 \"axes\": [\r\n\u00a0 \u00a0 \u00a0 {\"orient\": \"bottom\", \"scale\": \"x\"},\r\n\u00a0 \u00a0 \u00a0 {\"orient\": \"left\", \"scale\": \"y\"}\r\n\u00a0 \u00a0 ],\r\n\u00a0 \u00a0 \u00a0\"marks\": [\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"type\": 
\"line\",\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"from\": {\"data\": \"scandata\"},\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"encode\": {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"enter\": {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"x\": { \"scale\": \"x\", \"field\": \"transformedtimestamp\", \"type\": \"temporal\",\r\n\u00a0 \u00a0 \u00a0 \"timeUnit\": \"yearmonthdatehourminute\"},\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"y\": {\"scale\": \"y\", \u00a0 \u00a0 \u00a0 \"type\": \"quantitative\",\"field\": \"_source.Events.Summary.total loss\"},\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"strokeWidth\": {\"value\": 2},\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"stroke\": {\"value\": \"green\"}\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0, \u00a0 \u00a0 \u00a0 \u00a0{\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"type\": \"rule\",\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"from\": {\"data\": \"baseline\"},\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"encode\": {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"enter\": {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"stroke\": {\"value\": \"#652c90\"},\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"x\": {\"scale\": \"x\", \"value\": 0},\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"y\": {\"scale\": \"y\", \u00a0 \u00a0 \u00a0\"type\": \"quantitative\",\"field\": \"_source.Events.Summary.total loss\"},\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"x2\": {\"scale\": \"x\",\"field\": \"maxtime\", \"type\": \"temporal\"},\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"strokeWidth\": {\"value\": 4},\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \"opacity\": {\"value\": 
0.3}\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0] \u00a0 \u00a0 \u00a0 \u00a0 \r\n}<\/pre>\n<h2 id=\"OpenSearchUserGuide-OtherTypes:\">Other Types:<\/h2>\n<p><a class=\"external-link\" href=\"https:\/\/opensearch.org\/docs\/latest\/dashboards\/visualize\/area\/\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">Area<\/a><\/p>\n<p><a class=\"external-link\" href=\"https:\/\/opensearch.org\/docs\/latest\/dashboards\/visualize\/viz-index\/#controls\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">Controls<\/a> allow you to add a control bar to a dashboard \u2013 this enables the user to select date ranges, add filters, and otherwise control the data being displayed in the dashboard.<\/p>\n<p>Coordinate Map<\/p>\n<p>Data Table<\/p>\n<p><a class=\"external-link\" href=\"https:\/\/opensearch.org\/docs\/latest\/dashboards\/visualize\/gantt\/\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">Gantt Chart<\/a><\/p>\n<p>Gauge<\/p>\n<p>Goal<\/p>\n<p>Heat Map<\/p>\n<p><a class=\"external-link\" href=\"https:\/\/opensearch.org\/docs\/latest\/dashboards\/visualize\/viz-index\/#bar-charts\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">Horizontal Bar<\/a><\/p>\n<p>Line<\/p>\n<p>Markdown<\/p>\n<p>Metric<\/p>\n<p>PPL<\/p>\n<p>Pie<\/p>\n<p>Region Map<\/p>\n<p>Tag Cloud<\/p>\n<p><a class=\"external-link\" href=\"https:\/\/opensearch.org\/docs\/latest\/dashboards\/visualize\/viz-index\/#bar-charts\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">Vertical Bar<\/a><\/p>\n<p><a class=\"external-link\" href=\"https:\/\/opensearch.org\/docs\/latest\/dashboards\/visualize\/visbuilder\/\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">VisBuilder<\/a><\/p>\n<h1 id=\"OpenSearchUserGuide-CreatingaDashboard\">Creating a 
Dashboard<\/h1>\n<h2 id=\"OpenSearchUserGuide-General.1\">General<\/h2>\n<p>To create a dashboard, use the hamburger button to expand the left-hand navigation menu and select &#8220;Dashboards&#8221;.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image confluence-thumbnail\" src=\"https:\/\/wiki.windstream.com\/download\/thumbnails\/473697523\/image2024-4-4_14-23-3.png?version=1&amp;modificationDate=1712254983000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_14-23-3.png?version=1&amp;modificationDate=1712254983000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697681\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_14-23-3.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Click &#8220;Create&#8221; to create a new dashboard.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_14-24-31.png?version=1&amp;modificationDate=1712255071000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_14-24-31.png?version=1&amp;modificationDate=1712255071000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697683\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_14-24-31.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Select the type of dashboard you wish to create.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_14-24-49.png?version=1&amp;modificationDate=1712255089000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_14-24-49.png?version=1&amp;modificationDate=1712255089000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697684\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_14-24-49.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h2 id=\"OpenSearchUserGuide-Dashboard\">Dashboard<\/h2>\n<p>Click \u201cAdd\u201d to add existing visualizations to the dashboard (or create a new one).<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_14-30-53.png?version=1&amp;modificationDate=1712255453000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_14-30-53.png?version=1&amp;modificationDate=1712255453000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697687\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_14-30-53.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Select the visualizations you want added, then click \u201cSave\u201d to save your dashboard.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_14-31-34.png?version=1&amp;modificationDate=1712255494000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_14-31-34.png?version=1&amp;modificationDate=1712255494000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697689\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_14-31-34.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Provide a name and brief description, then click \u201cSave\u201d.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image confluence-thumbnail\" src=\"https:\/\/wiki.windstream.com\/download\/thumbnails\/473697523\/image2024-4-4_14-31-54.png?version=1&amp;modificationDate=1712255514000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_14-31-54.png?version=1&amp;modificationDate=1712255514000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697691\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_14-31-54.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<h2 id=\"OpenSearchUserGuide-ObservabilityDashboard\">Observability Dashboard<\/h2>\n<p>Provide a name for the dashboard.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_14-26-0.png?version=1&amp;modificationDate=1712255160000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_14-26-0.png?version=1&amp;modificationDate=1712255160000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697685\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_14-26-0.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>Use the &#8220;Add visualization&#8221; button to create new visualizations or link existing ones into the dashboard.<\/p>\n<p><span class=\"confluence-embedded-file-wrapper confluence-embedded-manual-size\"><img decoding=\"async\" class=\"confluence-embedded-image\" src=\"https:\/\/wiki.windstream.com\/download\/attachments\/473697523\/image2024-4-4_14-27-41.png?version=1&amp;modificationDate=1712255261000&amp;api=v2\" height=\"250\" data-image-src=\"\/download\/attachments\/473697523\/image2024-4-4_14-27-41.png?version=1&amp;modificationDate=1712255261000&amp;api=v2\" data-unresolved-comment-count=\"0\" data-linked-resource-id=\"473697686\" data-linked-resource-version=\"1\" data-linked-resource-type=\"attachment\" data-linked-resource-default-alias=\"image2024-4-4_14-27-41.png\" data-base-url=\"https:\/\/wiki.windstream.com\" data-linked-resource-content-type=\"image\/png\" data-linked-resource-container-id=\"473697523\" 
data-linked-resource-container-version=\"5\" \/><\/span><\/p>\n<p>More details about the Observability plugin can be found at <a class=\"external-link\" href=\"https:\/\/github.com\/opensearch-project\/dashboards-observability\/wiki\" target=\"_blank\" rel=\"nofollow noopener\" data-ext-link-init=\"true\">https:\/\/github.com\/opensearch-project\/dashboards-observability\/wiki<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Below is the user&#8217;s guide I put together for individuals who use the ElasticSearch system I support at work to help them transition to the OpenSearch platform we&#8217;ll be moving to later this year. Overview What is ElasticSearch? What is OpenSearch? Differences Between OpenSearch and ElasticSearch Requesting Access Logging In Switching Tenants Searching Searching: Discover 
&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1588],"tags":[1740,2016],"class_list":["post-10967","post","type-post","status-publish","format-standard","hentry","category-elk","tag-opensearch","tag-opensearch-dashboards"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/10967","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10967"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/10967\/revisions"}],"predecessor-version":[{"id":10968,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/10967\/revisions\/10968"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10967"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10967"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10967"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}