Kibana Query Language(KQL)

语法：

官方文档

If you’re familiar with Kibana’s old lucene query syntax, you should feel right at home with the new syntax. The basics stay the same, we’ve simply refined things to make the query language easier to use. Read about the changes below.

response:200 will match documents where the response field matches the value 200.

Quotes around a search term will initiate a phrase search. For example, message:"Quick brown fox" will search for the phrase "quick brown fox" in the message field. Without the quotes, your query will get broken down into tokens via the message field’s configured analyzer and will match documents that contain those tokens, regardless of the order in which they appear. This means documents with "quick brown fox" will match, but so will "quick fox brown". Remember to use quotes if you want to search for a phrase.

The query parser will no longer split on whitespace. Multiple search terms must be separated by explicit boolean operators. Note that boolean operators are not case sensitive.

response:200 extension:php in lucene would become response:200 and extension:php. This will match documents where response matches 200 and extension matches php.

We can make terms optional by using or.

response:200 or extension:php will match documents where response matches 200, extension matches php, or both.

By default, and has a higher precedence than or.

response:200 and extension:php or extension:css will match documents where response is 200 and extension is php OR documents where extension is css and response is anything.

We can override the default precedence with grouping.

response:200 and (extension:php or extension:css) will match documents where response is 200 and extension is either php or css.

A shorthand exists that allows us to easily search a single field for multiple values.

response:(200 or 404) searches for docs where the response field matches 200 or 404. We can also search for docs with multi-value fields that contain a list of terms, for example: tags:(success and info and security)

Terms can be inverted by prefixing them with not.

not response:200 will match all documents where response is not 200.

Entire groups can also be inverted.

response:200 and not (extension:php or extension:css)

Ranges are similar to lucene with a small syntactical difference.

Instead of bytes:>1000, we omit the colon: bytes > 1000.

>, >=, <, <= are all valid range operators.

Exist queries are simple and do not require a special operator. response:* will find all docs where the response field exists.

Wildcard queries are available. machine.os:win* would match docs where the machine.os field starts with "win", which would match values like "windows 7" and "windows 10".

Wildcards also allow us to search multiple fields at once. This can come in handy when you have both text and keyword versions of a field. Let’s say we have machine.os and machine.os.keyword fields and we want to check both for the term "windows 10". We can do it like this: `machine.os*:windows 10".

Terms without fields will be matched against the default field in your index settings. If a default field is not set these terms will be matched against all fields. For example, a query for response:200 will search for the value 200 in the response field, but a query for just 200 will search for 200 across all fields in your index.

Lucene Query Syntax

官方文档

Kibana’s legacy query language was based on the Lucene query syntax. For the time being this syntax is still available under the options menu in the Query Bar and in Advanced Settings.

The following are some tips that can help get you started.

• To perform a free text search, simply enter a text string. For example, if you’re searching web server logs, you could enter safari to search all fields for the term safari.
• To search for a value in a specific field, prefix the value with the name of the field. For example, you could enter status:200 to find all of the entries that contain the value 200 in the status field.
• To search for a range of values, you can use the bracketed range syntax, [START_VALUE TO END_VALUE]. For example, to find entries that have 4xx status codes, you could enter status:[400 TO 499].
• To specify more complex search criteria, you can use the Boolean operators AND, OR, and NOT. For example, to find entries that have 4xx status codes and have an extension of php or html, you could enter status:[400 TO 499] AND (extension:php OR extension:html).

For more detailed information about the Lucene query syntax, see the Query String Query docs.

These examples use the Lucene query syntax. When lucene is selected as your query language you can also submit queries using the Elasticsearch Query DSL.