Kibana Query Language

Kibana Query Languageedit

In Kibana 6.3, we introduced a number of exciting experimental query language enhancements. These features are now available by default in 7.0. Out of the box, Kibana’s query language now includes scripted field support and a simplified, easier to use syntax. If you have a Basic license or above, autocomplete functionality will also be enabled.

Language syntaxedit

If you’re familiar with Kibana’s old Lucene query syntax, you should feel right at home with the new syntax. The basics stay the same, we’ve simply refined things to make the query language easier to use.

response:200 will match documents where the response field matches the value 200.

Quotes around a search term will initiate a phrase search. For example, message:"Quick brown fox" will search for the phrase "quick brown fox" in the message field. Without the quotes, your query will get broken down into tokens via the message field’s configured analyzer and will match documents that contain those tokens, regardless of the order in which they appear. This means documents with "quick brown fox" will match, but so will "quick fox brown". Remember to use quotes if you want to search for a phrase.

The query parser will no longer split on whitespace. Multiple search terms must be separated by explicit boolean operators. Lucene will combine search terms with an or by default, so response:200 extension:php would become response:200 or extension:php in KQL. This will match documents where response matches 200, extension matches php, or both. Note that boolean operators are not case sensitive.

We can make terms required by using and.

response:200 and extension:php will match documents where response matches 200 and extension matches php.

By default, and has a higher precedence than or.

response:200 and extension:php or extension:css will match documents where response is 200 and extension is php OR documents where extension is css and response is anything.

We can override the default precedence with grouping.

response:200 and (extension:php or extension:css) will match documents where response is 200 and extension is either php or css.

A shorthand exists that allows us to easily search a single field for multiple values.

response:(200 or 404) searches for docs where the response field matches 200 or 404. We can also search for docs with multi-value fields that contain a list of terms, for example: tags:(success and info and security)

Terms can be inverted by prefixing them with not.

not response:200 will match all documents where response is not 200.

Entire groups can also be inverted.

response:200 and not (extension:php or extension:css)

Ranges are similar to lucene with a small syntactical difference.

Instead of bytes:>1000, we omit the colon: bytes > 1000.

>, >=, <, <= are all valid range operators.

Exist queries are simple and do not require a special operator. response:* will find all docs where the response field exists.

Wildcard queries are available. machine.os:win* would match docs where the machine.os field starts with "win", which would match values like "windows 7" and "windows 10".

Wildcards also allow us to search multiple fields at once. This can come in handy when you have both text and keyword versions of a field. Let’s say we have machine.os and machine.os.keyword fields and we want to check both for the term "windows 10". We can do it like this: `machine.os*:windows 10".

Terms without fields will be matched against the default field in your index settings. If a default field is not set these terms will be matched against all fields. For example, a query for response:200 will search for the value 200 in the response field, but a query for just 200 will search for 200 across all fields in your index.

How sort by date/time on Kibana Discover

Sorting by keyword in Kibana Discover

http://172.31.211.17:5601/app/kibana#/discover/a93044e0-c270-11ea-b548-ed4a37987d3a?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now%2Fd,to:now%2Fd))&_a=(columns:!('@timestamp',exceptions,message),filters:!(),index:ef42f170-c1b3-11ea-b548-ed4a37987d3a,interval:auto,query:(language:kuery,query:''),sort:!(!(_score,desc),!('@timestamp',desc)))