Lucene Query Syntax

edit

Kibana’s legacy query language was based on the Lucene query syntax. For the time being this syntax is still available under the options menu in the Query Bar and in Advanced Settings. The following are some tips that can help get you started.

  • To perform a free text search, simply enter a text string. For example, if you’re searching web server logs, you could enter safari to search all fields for the term safari.
  • To search for a value in a specific field, prefix the value with the name of the field. For example, you could enter status:200 to find all of the entries that contain the value 200 in the status field.
  • To search for a range of values, you can use the bracketed range syntax, [START_VALUE TO END_VALUE]. For example, to find entries that have 4xx status codes, you could enter status:[400 TO 499].
  • To specify more complex search criteria, you can use the Boolean operators AND, OR, and NOT. For example, to find entries that have 4xx status codes and have an extension of php or html, you could enter status:[400 TO 499] AND (extension:php OR extension:html).

For more detailed information about the Lucene query syntax, see the Query String Query docs.

These examples use the Lucene query syntax. When lucene is selected as your query language you can also submit queries using the Elasticsearch Query DSL.