IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Kibana Query Language Save a search »
Elastic Docs Kibana Guide [7.10] Discover Search data

Lucene query syntax

edit

Lucene query syntax

edit

Kibana’s legacy query language was based on the Lucene query syntax. For the time being this syntax is still available under the options menu in the Query Bar and in Advanced Settings. The following are some tips that can help get you started.

  • To perform a free text search, simply enter a text string. For example, if you’re searching web server logs, you could enter safari to search all fields for the term safari.
  • To search for a value in a specific field, prefix the value with the name of the field. For example, you could enter status:200 to find all of the entries that contain the value 200 in the status field.
  • To search for a range of values, you can use the bracketed range syntax, [START_VALUE TO END_VALUE]. For example, to find entries that have 4xx status codes, you could enter status:[400 TO 499].
  • To specify more complex search criteria, you can use the Boolean operators AND, OR, and NOT. For example, to find entries that have 4xx status codes and have an extension of php or html, you could enter status:[400 TO 499] AND (extension:php OR extension:html).

When you use the Lucene Query Syntax in the KQL search bar, Kibana is unable to search on nested objects and perform aggregations across fields that contain nested objects. Using include_in_parent or copy_to as a workaround can cause Kibana to fail.

For more detailed information about the Lucene query syntax, see the Query String Query docs.

These examples use the Lucene query syntax. When lucene is selected as your query language you can also submit queries using the Elasticsearch Query DSL.

« Kibana Query Language Save a search »