语法:

官方文档

If you’re familiar with Kibana’s old lucene query syntax, you should feel right at home with the new syntax. The basics stay the same, we’ve simply refined things to make the query language easier to use. Read about the changes below.

response:200 will match documents where the response field matches the value 200.

Quotes around a search term will initiate a phrase search. For example, message:"Quick brown fox" will search for the phrase "quick brown fox" in the message field. Without the quotes, your query will get broken down into tokens via the message field’s configured analyzer and will match documents that contain those tokens, regardless of the order in which they appear. This means documents with "quick brown fox" will match, but so will "quick fox brown". Remember to use quotes if you want to search for a phrase.

The query parser will no longer split on whitespace. Multiple search terms must be separated by explicit boolean operators. Note that boolean operators are not case sensitive.

response:200 extension:php in lucene would become response:200 and extension:php. This will match documents where response matches 200 and extension matches php.

We can make terms optional by using or.

response:200 or extension:php will match documents where response matches 200, extension matches php, or both.

By default, and has a higher precedence than or.

response:200 and extension:php or extension:css will match documents where response is 200 and extension is php OR documents where extension is css and response is anything.

We can override the default precedence with grouping.

response:200 and (extension:php or extension:css) will match documents where response is 200 and extension is either php or css.

A shorthand exists that allows us to easily search a single field for multiple values.

response:(200 or 404) searches for docs where the response field matches 200 or 404. We can also search for docs with multi-value fields that contain a list of terms, for example: tags:(success and info and security)

Terms can be inverted by prefixing them with not.

not response:200 will match all documents where response is not 200.

Entire groups can also be inverted.

response:200 and not (extension:php or extension:css)

Ranges are similar to lucene with a small syntactical difference.

Instead of bytes:>1000, we omit the colon: bytes > 1000.

>, >=, <, <= are all valid range operators.

Exist queries are simple and do not require a special operator. response:* will find all docs where the response field exists.

Wildcard queries are available. machine.os:win* would match docs where the machine.os field starts with "win", which would match values like "windows 7" and "windows 10".

Wildcards also allow us to search multiple fields at once. This can come in handy when you have both text and keyword versions of a field. Let’s say we have machine.os and machine.os.keyword fields and we want to check both for the term "windows 10". We can do it like this: `machine.os*:windows 10".

Terms without fields will be matched against the default field in your index settings. If a default field is not set these terms will be matched against all fields. For example, a query for response:200 will search for the value 200 in the response field, but a query for just 200 will search for 200 across all fields in your index.

Lucene Query Syntax

官方文档

Kibana’s legacy query language was based on the Lucene query syntax. For the time being this syntax is still available under the options menu in the Query Bar and in Advanced Settings.

The following are some tips that can help get you started.

  • To perform a free text search, simply enter a text string. For example, if you’re searching web server logs, you could enter safari to search all fields for the term safari.
  • To search for a value in a specific field, prefix the value with the name of the field. For example, you could enter status:200 to find all of the entries that contain the value 200 in the status field.
  • To search for a range of values, you can use the bracketed range syntax, [START_VALUE TO END_VALUE]. For example, to find entries that have 4xx status codes, you could enter status:[400 TO 499].
  • To specify more complex search criteria, you can use the Boolean operators ANDOR, and NOT. For example, to find entries that have 4xx status codes and have an extension of php or html, you could enter status:[400 TO 499] AND (extension:php OR extension:html).

For more detailed information about the Lucene query syntax, see the Query String Query docs.

These examples use the Lucene query syntax. When lucene is selected as your query language you can also submit queries using the Elasticsearch Query DSL.

Kibana Query Language(KQL)的更多相关文章

  1. Kibana查询语言(KQL)

    一.前言 现在大多数的公司都会使用ELK组合来对日志数据的收集.存储和提供查询服务,这里就不介绍什么是ELK了,只介绍一些EKL中的查询,也就是K(kibana). 查询数据库,如果是MySQL,那么 ...

  2. hql(Hibernate Query Language)

    1.Criteria查询对查询条件进行了面向对象封装,符合编程人员的思维方式,不过HQL(Hibernate Query Language)查询提供了更加丰富的和灵活的查询特性,因此Hibernate ...

  3. HQL: The Hibernate Query Language

    Chapter 14. HQL: The Hibernate Query Language 14.1. Case Sensitivity 14.2. The from clause 14.3. Ass ...

  4. SQL Structured Query Language(结构化查询语言) 数据库

    SQL是Structured Query Language(结构化查询语言)的缩写. SQL是专为数据库而建立的操作命令集,是一种功能齐全的数据库语言. 在使用它时,只需要发出“做什么”的命令,“怎么 ...

  5. Hibernate Query Language查询:

    Hibernate Query Language查询: Criteria查询对查询条件进行了面向对象封装,符合编程人员的思维方式,不过HQL(Hibernate Query Language)查询提供 ...

  6. GraphQuery - Powerful html/xml query language

    GraphQuery GraphQuery is a query language and execution engine tied to any backend service. It is ba ...

  7. 数据库原理及应用-用户接口及SQL查询语言(Query Language)

    2018-02-07 20:41:39 一.DBMS的用户接口 查询语言 访问DBMS的访问工具(GUI) API 相关类库 二.SQL语言 SQL语言可以细分为四种: 1.Data Definiti ...

  8. JDBC(Java Database Connectivity,Java数据库连接)API是一个标准SQL(Structured Query Language

    JDBC(Java Database Connectivity,Java数据库连接)API是一个标准SQL(Structured Query Language,结构化查询语言)数据库访问接口,它使数据 ...

  9. 数据库系统概述(Data Model、DBMS、DBS、RDBS、Structured Query Language)

    数据Data 描述事物的符号记录成为数据. 数据是数据库中存储的基本对象.   除了基本的数字之外.像图书的名称.价格.作者都可以称为数据. 将多种数据记录列成一张表.通过数据表管理数据. 每一行的数 ...

随机推荐

  1. inotify和rsync实现数据实时同步

    数据的实时同步 实现实时同步 要利用监控服务(inotify),监控同步数据服务器目录中信息的变化 发现目录中数据产生变化,就利用rsync服务推送到备份服务器上 实现实时同步的方法 ino ...

  2. API接口文档中将Swagger文档转Word 文档

    一般的开发工作,尤其是API接口的开发工作,首先要有开发文档,接口说明文档 ok,后来开发完毕了 和页面联调,或者是和第三方联调的时候, 这个时候,SA systeam admin 就会开始直接让开发 ...

  3. idou老师教你学Istio 14:如何用K8S对Istio Service进行流量健康检查

    Istio利用k8s的探针对service进行流量健康检查,有两种探针可供选择,分别是liveness和readiness: liveness探针用来侦测什么时候需要重启容器.比如说当liveness ...

  4. 复杂sql书写方法

    给你一个复杂sql连接不同的表,多个嵌套查询条件等的语句时,你是非常的胆怯由于对语法的不熟悉以及没有经验和自信,现在我们来学习一下如何写复杂的sql,我们把它分解为很多小的步骤进行 一.集中最后的输出 ...

  5. virtualBox+centOS的一些报错

    step1: 安装系统后进入命令行模式 安装virtualBox:https://www.virtualbox.org/wiki/Downloads 下载centOS7镜像:https://www.c ...

  6. dp四边形优化

    如果dp[i][j]=min(dp[i][k]+dp[k+1][j]+w[i][j]);且满足dp[a][c]+dp[b][d]<=dp[a][d]+dp[c][d](a<b<=c& ...

  7. 洛谷P1330 封锁阳光大学【dfs】

    题目:https://www.luogu.org/problemnew/show/P1330 题意:一个无向边,一个河蟹可以占领一个点,但一个点只能被一个河蟹占领. 占领了一个点之后,这个点所有的边都 ...

  8. selenium driver版本和Chrome浏览器版本对应关系

    ChromeDriver v2.41 (2018-07-27) ---- Chrome v67-69ChromeDriver v2.40 (2018-06-07) ---- Chrome v66-68 ...

  9. Python 实践--混入类

    Mix-in:混入类是一种Python程序设计中的技术,作用是在运行期间动态改变类的基类或类的方法,从而使得类的表现可以发生变化.可以用在一个通用类接口中. 在实践一个 解析XML文件的实践中,体会动 ...

  10. SIGAI深度学习第七集 卷积神经网络1

    讲授卷积神经网络核心思想.卷积层.池化层.全连接层.网络的训练.反向传播算法.随机梯度下降法.AdaGrad算法.RMSProp算法.AdaDelta算法.Adam算法.迁移学习和fine tune等 ...