Lucene query syntax
Kibana’s legacy query language was based on the Lucene query syntax. For the time being this syntax is still available under the options menu in the Query Bar and in Advanced Settings. The following are some tips that can help get you started.
- To perform a free text search, simply enter a text string. For example, if you’re searching web server logs, you could enter `safari` to search all fields for the term `safari`.
- To search for a value in a specific field, prefix the value with the name of the field. For example, you could enter `status:200` to find all of the entries that contain the value `200` in the `status` field.
- To search for a range of values, you can use the bracketed range syntax, `[START_VALUE TO END_VALUE]`. For example, to find entries that have 4xx status codes, you could enter `status:[400 TO 499]`.
- To specify more complex search criteria, you can use the Boolean operators `AND`, `OR`, and `NOT`. For example, to find entries that have 4xx status codes and have an extension of `php` or `html`, you could enter `status:[400 TO 499] AND (extension:php OR extension:html)`.
For more detailed information about the Lucene query syntax, see the Query String Query docs.
These examples use the Lucene query syntax. When lucene is selected as your query language you can also submit queries using the Elasticsearch Query DSL.
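The last Lucene example above, `status:[400 TO 499] AND (extension:php OR extension:html)`, written as Elasticsearch Query DSL (an added example, not taken from the original documentation). It assumes `status` is mapped as a numeric field; the inclusive square brackets of the Lucene range correspond to `gte` and `lte`, and the parenthesised `OR` group becomes a nested `bool` with `should` clauses.

```json
{
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "status": { "gte": 400, "lte": 499 }
          }
        },
        {
          "bool": {
            "should": [
              { "match": { "extension": "php" } },
              { "match": { "extension": "html" } }
            ],
            "minimum_should_match": 1
          }
        }
      ]
    }
  }
}
```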