Kibana Search Cheatsheet (KQL & Lucene)
This article is a cheatsheet about searching in Kibana. You can find a more detailed explanation about searching in Kibana in this blog post.
KQL (Kibana Query Language) is a query language available in Kibana, that will be handled by Kibana and converted into Elasticsearch Query DSL. Lucene is a query language directly handled by Elasticsearch. In nearly all places in Kibana, where you can provide a query you can see which one is used by the label on the right of the search box. Clicking on it allows you to disable KQL and switch to Lucene.
- Supports auto completion of fields and values
- Supports searching on scripted fields
- Supports wildcard on field names
- Supports querying for nested fields
- Simpler syntax for some operators
- More resilient in where you can use spaces (see below)
- Supports regular expressions
- Supports fuzzy search
- Supports boosting
Which one should you use? Start with KQL — which is also the default in recent Kibana versions — and just fall back to Lucene if you need specific features not available in KQL.
Lucene is rather sensitive to where spaces in the query can be, e.g. (using
␣ here to represent
user␣:eva are all equivalent, while
are actually searching for different documents. Thus when using Lucene, I’d always recommend to not put
any spaces around the operators to be safe. KQL is more resilient to spaces and it doesn’t matter where
around the operator you’ll put spaces.
Find documents where any field matches any of the words/terms listed. The term must appear as it is in the document, e.g. this query won’t match documents containing the word “darker”. Read the detailed search post for more details into how fields will be analyzed.
Use and/or and parentheses to define that multiple terms need to appear. This query would find all documents that have the term “orange” and either “dark” or “light” (or both) in it.
To find values only in specific fields you can put the field name before the value e.g. this query will only find “orange” in the color field.
Putting quotes around values makes sure they are found in that specific order (“match a phrase”) e.g. if you want to make sure to only find documents containing “our planet” and not “planet our” you’d need the following query:
You can use the wildcard
* to match just parts of a term/word, e.g. this query will find anything beginning
with “dark” like “darker”, “darkest”, “darkness”, etc.
Wildcards can be used anywhere in a term/word. ⚡ Using a wildcard in front of a word can be rather slow and resource intensive for your Elasticsearch — use with care.
You can use the
* wildcard also for searching over multiple fields in KQL e.g. this query will search “fakestreet” in all
fields beginning with “user.address.”.
Wildcards cannot be used when searching for “phrases” i.e.
"our plan*" will not retrieve results containing “our planet”.
Compare numbers or dates. Those operators also work on text/keyword fields, but might behave not very intuitive and thus I’d recommend avoiding usage with text/keyword fields.
Lucene supports a special range operator to search for a range (besides using comparator operators shown above).
Find documents in which a specific field exists (i.e. that does have a non
for that field).
Querying nested fields is only supported in KQL. The syntax is a bit more complex given the complexity of nested queries. Thus I’d recommend reading the official documentation.
Lucene has the ability to search for regular expressions. ⚡ This can be rather slow and resource intensive for your Elasticsearch — use with care.
Fuzzy search allows searching for strings, that are very similar to the given query.