语法:

官方文档

If you’re familiar with Kibana’s old lucene query syntax, you should feel right at home with the new syntax. The basics stay the same, we’ve simply refined things to make the query language easier to use. Read about the changes below.

response:200 will match documents where the response field matches the value 200.

Quotes around a search term will initiate a phrase search. For example, message:"Quick brown fox" will search for the phrase "quick brown fox" in the message field. Without the quotes, your query will get broken down into tokens via the message field’s configured analyzer and will match documents that contain those tokens, regardless of the order in which they appear. This means documents with "quick brown fox" will match, but so will "quick fox brown". Remember to use quotes if you want to search for a phrase.

The query parser will no longer split on whitespace. Multiple search terms must be separated by explicit boolean operators. Note that boolean operators are not case sensitive.

response:200 extension:php in lucene would become response:200 and extension:php. This will match documents where response matches 200 and extension matches php.

We can make terms optional by using or.

response:200 or extension:php will match documents where response matches 200, extension matches php, or both.

By default, and has a higher precedence than or.

response:200 and extension:php or extension:css will match documents where response is 200 and extension is php OR documents where extension is css and response is anything.

We can override the default precedence with grouping.

response:200 and (extension:php or extension:css) will match documents where response is 200 and extension is either php or css.

A shorthand exists that allows us to easily search a single field for multiple values.

response:(200 or 404) searches for docs where the response field matches 200 or 404. We can also search for docs with multi-value fields that contain a list of terms, for example: tags:(success and info and security)

Terms can be inverted by prefixing them with not.

not response:200 will match all documents where response is not 200.

Entire groups can also be inverted.

response:200 and not (extension:php or extension:css)

Ranges are similar to lucene with a small syntactical difference.

Instead of bytes:>1000, we omit the colon: bytes > 1000.

>, >=, <, <= are all valid range operators.

Exist queries are simple and do not require a special operator. response:* will find all docs where the response field exists.

Wildcard queries are available. machine.os:win* would match docs where the machine.os field starts with "win", which would match values like "windows 7" and "windows 10".

Wildcards also allow us to search multiple fields at once. This can come in handy when you have both text and keyword versions of a field. Let’s say we have machine.os and machine.os.keyword fields and we want to check both for the term "windows 10". We can do it like this: `machine.os*:windows 10".

Terms without fields will be matched against the default field in your index settings. If a default field is not set these terms will be matched against all fields. For example, a query for response:200 will search for the value 200 in the response field, but a query for just 200 will search for 200 across all fields in your index.

Lucene Query Syntax

官方文档

Kibana’s legacy query language was based on the Lucene query syntax. For the time being this syntax is still available under the options menu in the Query Bar and in Advanced Settings.

The following are some tips that can help get you started.

  • To perform a free text search, simply enter a text string. For example, if you’re searching web server logs, you could enter safari to search all fields for the term safari.
  • To search for a value in a specific field, prefix the value with the name of the field. For example, you could enter status:200 to find all of the entries that contain the value 200 in the status field.
  • To search for a range of values, you can use the bracketed range syntax, [START_VALUE TO END_VALUE]. For example, to find entries that have 4xx status codes, you could enter status:[400 TO 499].
  • To specify more complex search criteria, you can use the Boolean operators ANDOR, and NOT. For example, to find entries that have 4xx status codes and have an extension of php or html, you could enter status:[400 TO 499] AND (extension:php OR extension:html).

For more detailed information about the Lucene query syntax, see the Query String Query docs.

These examples use the Lucene query syntax. When lucene is selected as your query language you can also submit queries using the Elasticsearch Query DSL.

Kibana Query Language(KQL)的更多相关文章

  1. Kibana查询语言(KQL)

    一.前言 现在大多数的公司都会使用ELK组合来对日志数据的收集.存储和提供查询服务,这里就不介绍什么是ELK了,只介绍一些EKL中的查询,也就是K(kibana). 查询数据库,如果是MySQL,那么 ...

  2. hql(Hibernate Query Language)

    1.Criteria查询对查询条件进行了面向对象封装,符合编程人员的思维方式,不过HQL(Hibernate Query Language)查询提供了更加丰富的和灵活的查询特性,因此Hibernate ...

  3. HQL: The Hibernate Query Language

    Chapter 14. HQL: The Hibernate Query Language 14.1. Case Sensitivity 14.2. The from clause 14.3. Ass ...

  4. SQL Structured Query Language(结构化查询语言) 数据库

    SQL是Structured Query Language(结构化查询语言)的缩写. SQL是专为数据库而建立的操作命令集,是一种功能齐全的数据库语言. 在使用它时,只需要发出“做什么”的命令,“怎么 ...

  5. Hibernate Query Language查询:

    Hibernate Query Language查询: Criteria查询对查询条件进行了面向对象封装,符合编程人员的思维方式,不过HQL(Hibernate Query Language)查询提供 ...

  6. GraphQuery - Powerful html/xml query language

    GraphQuery GraphQuery is a query language and execution engine tied to any backend service. It is ba ...

  7. 数据库原理及应用-用户接口及SQL查询语言(Query Language)

    2018-02-07 20:41:39 一.DBMS的用户接口 查询语言 访问DBMS的访问工具(GUI) API 相关类库 二.SQL语言 SQL语言可以细分为四种: 1.Data Definiti ...

  8. JDBC(Java Database Connectivity,Java数据库连接)API是一个标准SQL(Structured Query Language

    JDBC(Java Database Connectivity,Java数据库连接)API是一个标准SQL(Structured Query Language,结构化查询语言)数据库访问接口,它使数据 ...

  9. 数据库系统概述(Data Model、DBMS、DBS、RDBS、Structured Query Language)

    数据Data 描述事物的符号记录成为数据. 数据是数据库中存储的基本对象.   除了基本的数字之外.像图书的名称.价格.作者都可以称为数据. 将多种数据记录列成一张表.通过数据表管理数据. 每一行的数 ...

随机推荐

  1. Kubernetes的核心技术概念和API对象

    Kubernetes的核心技术概念和API对象 API对象是K8s集群中的管理操作单元.K8s集群系统每支持一项新功能,引入一项新技术,一定会新引入对应的API对象,支持对该功能的管理操作.例如副本集 ...

  2. k2系列-安装篇

    K2介绍: K2是基于BPM的流程开发平台,它支持在net开发环境/visio/moss等不同环境下进行流程开发. K2本身部署简单,操作灵活,非常适合大中型企业流程开发和部署. K2安装步骤: 首先 ...

  3. Jupyter Notebook 插件安装

    刚才安装notebook插件jupyter_contrib_nbextensions,搜了很多教程都没有作用.直到用了这个命令,一行解决. pip install jupyter_contrib_nb ...

  4. iis深入学习资源

    iis站点:https://www.iis.net/overview/reliability/richdiagnostictools 感兴趣可以深入学习下iis

  5. elasticsearch查询:启动项目报错No property ... found for...Did you mean '...'?

    网上找的案例是: 实体类字段定义:private String sku_no;dao中接口名定义:Goods findBySkuNo(String skuNo);spring-data按照接口方法定义 ...

  6. FFmpeg常用命令学习笔记(六)图片与视频互转命令

    图片与视频互转命令 1.视频转图片 ffmpeg -i in.mp4 -r 1 -f image2 img-%3d.jpeg -r 1:转换图片帧率为1,也就是1秒转1张.-f image2:将媒体文 ...

  7. C# Dynamic动态对象

    1.ExpandoObject dynamic expObj = new ExpandoObject(); expObj.FirstName = "Daffy"; expObj.L ...

  8. 双击bin/startup.bat启动tomcat常见错误

    双击bin/startup.bat启动tomcat常见错误: 常见错误:可能与其他服务的端口号冲突. tomcat的默认端口号8080,此端口号较为常见,建议修改此端口号. 修改方法: 点击conf文 ...

  9. 001_FreeRTOS中断配置

    (一)优先级看:022_STM32中断优先级分组解析 (二)FreeRTOS的中断配置中没有处理亚优先级(响应优先级)的情况,所以只能配置成组4,16个都为抢占优先级 (三)此宏用来设置 MCU 使用 ...

  10. JAVA的带参数的方法

    一.带参数的方法 1.1 语法:                            <访问修饰符>  返回类型  <方法名>(<形式参数列表>) { //方法的 ...