Filter control dialog box for Elasticsearch
Filters specify the search parameters for documents in Elasticsearch and determine the document fields to discover. Discovery rules are applied to indexes and documents that match include filters and do not match exclude filters. Discovery rules inspect the fields specified by include filter settings (see Fields for details).
The filter control dialog box is used when adding or editing a filter. It provides the following filter condition controls:
Indexes - Filtering by document location.
Fields - Filtering by document field data.
Indexes
Select the All indexes check box if you want documents from any index to match the filter. Clear this check box if you need to specify indexes explicitly. As a result, only documents from indexes whose names are listed in the Index field will match the filter.
In the Index field, one can enter multiple names separated by semicolons (;), as well as use wildcards: an asterisk (*) for an arbitrary series of characters, a question mark (?) for any single character.
To help configure filters, the Index field remembers previously entered names, and allows them to be selected from the drop-down list.
Fields
Select the All documents check box if you want any documents from the specified indexes to match the filter. Clear this check box if you need to filter documents by their field values or by using a search query. As a result, the filter will match only documents matching each of the specified field-value pairs (option Custom) or those returned by the specified Elasticsearch query (option Query).
The include filter also determines the document fields to be inspected by discovery rules. If such a filter has the Custom option selected, the rules inspect only the fields specified in the filter’s field-value pairs. If the include filter has the All documents check box or Query option selected, the rules inspect all document fields. The selection of the fields to be inspected is entirely determined by include filters. Exclude filters can exclude documents but not fields from discovery.
 
Important: Within a filter, field-value pairs are combined by AND logic, so the filter matches the documents that match each of the field-value pairs specified. Filters within a unit are combined by OR logic, so the unit includes/excludes the documents matching any one of its filters.
To set up a list of field-value pairs, select the Custom option. Click in the first column of the list to type the name of the field. To type the value to search for, click in the second column next to the field name. The filter matches documents in which the specified fields have the specified values.
If only a field value is specified, the filter matches documents with that value in any field. The list displays <All> as the name of the field. In this way, you can filter documents by a specific value, regardless of the field in which this value occurs.
If only the name of a field is specified, the filter matches documents with any value in that field. The list displays <All Values> as the value for such a field. In this way, you can specify document fields for discovery by applying discovery rules to data in those fields.
If both the field name and value are specified, then, when executing the discovery task, the field-value pair will be converted to a search query string and passed to Elasticsearch. Only documents returned by that query will match the filter. The value specified for the field must have syntax supported in Elasticsearch query strings.
It is also possible to specify a search query explicitly. To do this, select the Query option, and then enter the desired query string in compliance with Elasticsearch syntax (see a query string syntax description at www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html#query-string-syntax). In this way, the discovery scope can be determined by using Elasticsearch queries. For example, the query string author:"John Smith" AND title:(quick OR brown) generates a search query for documents in which the author field contains John Smith and the title field contains quick or brown.
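The following is an added, self-contained model of the filter semantics described on this page (index wildcards, AND within a filter, OR across filters, include versus exclude, and the fields handed to discovery rules). It is example code, not the product's own implementation. Assumptions are marked in the comments: documents are plain dicts, the field-value match that the product delegates to an Elasticsearch query string is simulated as an exact comparison, a document matching several include filters has the union of their fields inspected, the Query option is not simulated (it is evaluated by Elasticsearch), and the exact shape of the query string built from field-value pairs is assumed to be `field:value` terms joined by AND. The sample filters and documents are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Filter:
    # "All indexes" is modelled as the pattern "*"; otherwise a
    # semicolon-separated list of index names with * and ? wildcards.
    indexes: str = "*"
    # "All documents" check box: every document from matching indexes matches.
    all_documents: bool = False
    # Custom option: (field_name, value) pairs. None stands for the <All>
    # field name or the <All Values> value shown in the dialog.
    pairs: list = field(default_factory=list)


def wildcard_to_regex(pattern: str) -> str:
    """Translate the dialog's wildcards: * = any series of characters, ? = one character."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return "^" + "".join(parts) + "$"


def index_matches(index_list: str, index_name: str) -> bool:
    """True if index_name matches any of the semicolon-separated patterns."""
    patterns = [p.strip() for p in index_list.split(";") if p.strip()]
    return any(re.match(wildcard_to_regex(p), index_name) for p in patterns)


def pair_matches(doc: dict, field_name: Optional[str], value: Optional[str]) -> bool:
    if field_name is None and value is None:
        return True                        # nothing specified: matches everything
    if field_name is None:                 # <All>: the value in any field
        return value in doc.values()
    if value is None:                      # <All Values>: the field present with any value
        return field_name in doc
    return doc.get(field_name) == value    # assumption: exact match stands in for the ES query


def filter_matches(f: Filter, index_name: str, doc: dict) -> bool:
    if not index_matches(f.indexes, index_name):
        return False
    if f.all_documents:
        return True
    # Custom option: field-value pairs within one filter are combined by AND
    return all(pair_matches(doc, fld, val) for fld, val in f.pairs)


def unit_matches(includes, excludes, index_name: str, doc: dict) -> bool:
    """Filters within a unit combine by OR: a document is in scope when it
    matches at least one include filter and no exclude filter."""
    included = any(filter_matches(f, index_name, doc) for f in includes)
    excluded = any(filter_matches(f, index_name, doc) for f in excludes)
    return included and not excluded


def fields_to_inspect(includes, index_name: str, doc: dict):
    """Fields that discovery rules inspect; only include filters decide this.
    Returns None to mean 'all document fields'. Assumption: fields from
    several matching include filters are combined (union)."""
    names = set()
    for f in includes:
        if not filter_matches(f, index_name, doc):
            continue
        if f.all_documents:
            return None
        for fld, _ in f.pairs:
            if fld is None:   # <All>: a value-only pair names no field (assumption: all fields)
                return None
            names.add(fld)
    return names


def pairs_to_query_string(pairs) -> str:
    """Assumed form of the query string built from field-value pairs; the page
    only states that pairs are combined by AND and that values must use
    Elasticsearch query string syntax."""
    return " AND ".join(f"{fld}:{val}" for fld, val in pairs if fld is not None and val is not None)


# Constructed sample unit: two include filters, one exclude filter.
INCLUDES = [
    Filter(indexes="logs-*;audit-2024-??", pairs=[("level", "error"), ("service", None)]),
    Filter(indexes="inventory", all_documents=True),
]
EXCLUDES = [Filter(indexes="*", pairs=[(None, "synthetic")])]

# Constructed sample documents as (index name, document) pairs.
DOCS = [
    ("logs-app", {"level": "error", "service": "api", "msg": "boom"}),
    ("logs-app", {"level": "info", "service": "api"}),
    ("audit-2024-07", {"level": "error", "service": "db", "origin": "synthetic"}),
    ("inventory", {"host": "h1"}),
    ("metrics", {"level": "error", "service": "api"}),
]


def in_scope():
    """Documents the discovery rules would be applied to."""
    return [(idx, doc) for idx, doc in DOCS if unit_matches(INCLUDES, EXCLUDES, idx, doc)]


if __name__ == "__main__":
    for idx, doc in in_scope():
        print(idx, doc, "inspect:", fields_to_inspect(INCLUDES, idx, doc))
    print(pairs_to_query_string([("author", '"John Smith"'), ("title", "(quick OR brown)")]))
```

Run stand-alone, the model keeps the first `logs-app` document (index matches `logs-*`, both pairs hold, no exclude hits) and the `inventory` document (All documents), drops the `audit-2024-07` document because the exclude filter finds the value `synthetic` in one of its fields, and reports that only `level` and `service` are inspected for the `logs-app` document while all fields are inspected for `inventory`.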