Kibana Search Cheatsheet (KQL & Lucene)

This article is a cheatsheet about searching in Kibana. You can find a more detailed explanation about searching in Kibana in this blog post.

KQL or Lucene

KQL (Kibana Query Language) is a query language available in Kibana, that will be handled by Kibana and converted into Elasticsearch Query DSL. Lucene is a query language directly handled by Elasticsearch. In nearly all places in Kibana, where you can provide a query you can see which one is used by the label on the right of the search box. Clicking on it allows you to disable KQL and switch to Lucene.

KQL

  • Supports auto completion of fields and values
  • Supports searching on scripted fields
  • Supports wildcard on field names
  • Supports querying for nested fields
  • Simpler syntax for some operators
  • More resilient in where you can use spaces (see below)

Lucene

  • Supports regular expressions
  • Supports fuzzy search
  • Supports boosting

Which one should you use? Start with KQL — which is also the default in recent Kibana versions — and just fall back to Lucene if you need specific features not available in KQL.

Spaces in queries

Lucene is rather sensitive to where spaces in the query can be, e.g. (using here to represent a space) user:eva, user␣:␣eva and user␣:eva are all equivalent, while price:>42 and price:>␣42 are actually searching for different documents. Thus when using Lucene, I’d always recommend to not put any spaces around the operators to be safe. KQL is more resilient to spaces and it doesn’t matter where around the operator you’ll put spaces.

Finding values

Find documents where any field matches any of the words/terms listed. The term must appear as it is in the document, e.g. this query won’t match documents containing the word “darker”. Read the detailed search post for more details into how fields will be analyzed.

KQL
dark light
Lucene
dark light

Use and/or and parentheses to define that multiple terms need to appear. This query would find all documents that have the term “orange” and either “dark” or “light” (or both) in it.

KQL
orange and (dark or light)
ℹ️ Use quotes to search for the word "and"/"or"
"and" "or" xor
Lucene
⚡ AND/OR must be written uppercase
orange AND (dark OR light)

To find values only in specific fields you can put the field name before the value e.g. this query will only find “orange” in the color field.

KQL
color : orangetitle : our planet or title : dark
Lucene
color:orange
⚡ Spaces need to be escaped
title:our\ planet OR title:dark

Putting quotes around values makes sure they are found in that specific order (“match a phrase”) e.g. if you want to make sure to only find documents containing “our planet” and not “planet our” you’d need the following query:

KQL
"our planet"title : "our planet"
Lucene
"our planet"
ℹ️ No escaping of spaces in phrases
title:"our planet"

Wildcards

You can use the wildcard * to match just parts of a term/word, e.g. this query will find anything beginning with “dark” like “darker”, “darkest”, “darkness”, etc.

KQL
dark*
Lucene
dark*

Wildcards can be used anywhere in a term/word. ⚡ Using a wildcard in front of a word can be rather slow and resource intensive for your Elasticsearch — use with care.

KQL
d*k *les
Lucene
d*k *les

You can use the * wildcard also for searching over multiple fields in KQL e.g. this query will search “fakestreet” in all fields beginning with “user.address.”.

KQL
user.address.* : fakestreet
Lucene
Not supported

Wildcards cannot be used when searching for “phrases” i.e. "our plan*" will not retrieve results containing “our planet”.

Comparing values

Compare numbers or dates. Those operators also work on text/keyword fields, but might behave not very intuitive and thus I’d recommend avoiding usage with text/keyword fields.

KQL
price >= 42 and price < 100time >= "2020-04-10"
Lucene
price:>=42 AND price:<100
⚡ No quotes around the date in Lucene
time:>=2020-04-10

Lucene supports a special range operator to search for a range (besides using comparator operators shown above).

KQL
Not supported
Lucene
price:[4000 TO 5000]
ℹ️ Excluding sides of the range using curly braces
price:[4000 TO 5000}price:{4000 TO 5000}
ℹ️ Use a wildcard for having an open sided interval
price:[4000 TO *]price:[* TO 5000]

Special queries

Find documents in which a specific field exists (i.e. that does have a non null value for that field).

KQL
destination : *
Lucene
_exists_:destination

Querying nested fields is only supported in KQL. The syntax is a bit more complex given the complexity of nested queries. Thus I’d recommend reading the official documentation.

KQL
products:{ name:pencil and price > 10 }
Lucene
Not supported

Lucene has the ability to search for regular expressions. ⚡ This can be rather slow and resource intensive for your Elasticsearch — use with care.

KQL
Not (yet) supported (see #46855)
Lucene
mail:/mailbox\.org$/

Fuzzy search allows searching for strings, that are very similar to the given query.

KQL
Not (yet) supported (see #54343)
Lucene
user:maria~