Enhancement to Discover mode for event analysis

We use the ELK stack to aggregate all of our service logs, and when we encounter an issue/bug we use Kibana's Discover tab to explore and correlate events. There's one task we repeatedly encounter, and we think Discover mode could be enhanced to make it easier. The scenario is:

  • We have an interesting value (e.g. a data record ID, a user session ID) that we filter on and it returns multiple log messages from various systems
  • We identify one event X at time Y in system Z that looks interesting/suspicious
  • Our question is "what else was happening in system Z before/around event X?"
  • Today we apply a filter for system Z and a time range around Y, but this means we lose track of event X and need to locate it manually (browser search etc.), which can be quite cumbersome.

One solution could be to add the ability to mark an individual record and have it highlighted on screen across all queries, possibly with a way to quickly jump to highlighted events.

Does anyone have the same or a similar use case, and any thoughts?

Thanks!

Neil
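The pivot workflow described in the post above, as an added example that is not part of the original thread and not Kibana's own code: search on a correlation value across all systems, pick one event as the pivot, then pull the surrounding window from the same system while keeping the pivot flagged so it is not lost. The log records are constructed sample data; the field names (`@timestamp`, `system`, `session_id`, `message`) and the helper names are assumptions for illustration. The `es_context_query` helper builds the equivalent Elasticsearch query DSL that the second filter step would issue, assuming `system` is a keyword field (use `system.keyword` if it is mapped as text).

```python
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample events (not real data): records from several services
# as they would appear after being indexed into Elasticsearch.
EVENTS = [
    {"@timestamp": "2023-03-01T10:00:00Z", "system": "api", "session_id": "s-42", "message": "login ok"},
    {"@timestamp": "2023-03-01T10:00:05Z", "system": "db",  "session_id": "s-42", "message": "query started"},
    {"@timestamp": "2023-03-01T10:00:07Z", "system": "db",  "session_id": None,   "message": "slow query warning"},
    {"@timestamp": "2023-03-01T10:00:09Z", "system": "db",  "session_id": "s-42", "message": "query failed: timeout"},
    {"@timestamp": "2023-03-01T10:00:10Z", "system": "api", "session_id": "s-42", "message": "500 returned"},
    {"@timestamp": "2023-03-01T10:03:00Z", "system": "db",  "session_id": None,   "message": "vacuum finished"},
]


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp string into an aware datetime."""
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)


def filter_by_value(events, field, value):
    """Step 1: the cross-system search on an interesting value (record ID, session ID)."""
    return [e for e in events if e.get(field) == value]


def context_window(events, pivot, seconds):
    """Steps 3-4: everything from the pivot's system within +/- `seconds` of it.

    Each returned record carries a `pivot` flag so the event of interest is
    still identifiable after the filter changes, which is the part the post
    says is cumbersome today. The window deliberately ignores the original
    correlation value: the point is to see unrelated activity in that system.
    """
    centre = parse_ts(pivot["@timestamp"])
    delta = timedelta(seconds=seconds)
    window = []
    for e in events:
        if e["system"] != pivot["system"]:
            continue
        t = parse_ts(e["@timestamp"])
        if centre - delta <= t <= centre + delta:
            window.append({**e, "pivot": e is pivot})
    window.sort(key=lambda e: parse_ts(e["@timestamp"]))
    return window


def pivot_index(window):
    """The 'jump to highlighted event' position; -1 if the pivot fell outside the window."""
    for i, e in enumerate(window):
        if e["pivot"]:
            return i
    return -1


def es_context_query(pivot, seconds):
    """Build the Elasticsearch bool/filter query equivalent to `context_window`.

    Assumes `system` is a keyword field; a text-mapped field needs `system.keyword`.
    """
    centre = parse_ts(pivot["@timestamp"])
    delta = timedelta(seconds=seconds)
    return {
        "query": {
            "bool": {
                "filter": [
                    {"term": {"system": pivot["system"]}},
                    {"range": {"@timestamp": {
                        "gte": (centre - delta).strftime(TS_FMT),
                        "lte": (centre + delta).strftime(TS_FMT),
                    }}},
                ]
            }
        },
        "sort": [{"@timestamp": "asc"}],
    }


if __name__ == "__main__":
    hits = filter_by_value(EVENTS, "session_id", "s-42")
    suspicious = next(e for e in hits if "failed" in e["message"])
    for rec in context_window(EVENTS, suspicious, seconds=5):
        marker = ">>" if rec["pivot"] else "  "
        print(marker, rec["@timestamp"], rec["system"], rec["message"])
```

Because `pivot` is compared by identity rather than by field values, two records with identical content (a duplicated log line, for instance) are not both flagged; if records carry a document `_id`, comparing on that is the more robust choice.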

Hi Neil - It's a very reasonable enhancement we've been thinking about for a while: https://github.com/elastic/kibana/issues/275

We're continuing to debate the best way to accomplish it, but this turns out to be surprisingly tricky to architect properly.

If this is important to you, please +1 / comment on the issue with your use case and ideas! We use this information to a great degree as we evolve the project.

Hi there,

Thanks for the swift reply :smile: I've commented on the GitHub issue as requested.

Thanks again!

Neil