21 June 2018 Engineering

Improving Kibana’s Query Language

By Matt Bargar

​In 6.0, we introduced a new experimental language for Kibana’s query bar. Since then, we’ve been listening to your feedback and making adjustments. Like all experiments, some things worked and some didn’t. Let’s walk through what’s changing in 6.3, what’s new, and where we’d like to go next.

Another Origin Story

The first iteration of the Kibana query language was complicated. We wanted to unify the query bar and the filter bar, so the new language needed to support every type of filter available. We also wanted to maintain the ease of use of the current lucene query syntax. We ended up trying to smoosh an advanced functional syntax and a basic query syntax into a single language. This only created confusion for new users who weren’t sure when to use one syntax or the other.

Simplified Syntax

In 6.3, we’ve simplified the language significantly. Instead of trying to cram everything into a single box, we’re focusing solely on ease of use. The functional syntax is gone and the basic syntax has been enhanced. If you’re used to the lucene query syntax currently used by default in Kibana, you’ll feel right at home with this new language. It’s largely the same, with only a few adjustments and improvements. For example, the range operators changed slightly and we included scripted field support, carried over from the first iteration of the new language. You can read all about the new syntax in the docs.

So we have a new language that looks almost exactly like the old lucene query language, what’s the big deal? Well, the main benefit of building a language just for Kibana is that Kibana understands it. With a language we can parse and introspect, we can build lots of cool features, and we’ve begun to do just that.

Autocomplete

Kibana autocomplete

That’s right, in 6.3 we’re adding autocomplete to Kibana’s query bar. Just start typing and we’ll start giving you suggestions for fields, values (for keyword fields) and query operators. Give your fingers the rest they deserve. Stop trying to remember how to spell every field name. Prefer doing your searches one-handed? Now you can even build queries with your mouse. I won’t say much more, you’ll simply have to try it for yourself. Beware: after trying autocomplete, most people say, “I’ll never be able to use an older version of Kibana again”.

Give it a Spin

Alright, hopefully I’ve enticed you to give this thing a try. The Lucene query syntax is still the default language in Kibana since we’re still experimenting, but opting in to the new language is easier than ever. You no longer have to change anything in Kibana’s advanced settings. Instead just click the “Options” button in the query bar and enable the “Turn on query features” toggle.

Kibana query enhancement opt in

Once you’ve had some time to play with Kibana’s new language, let us know what you think! Post in our Discuss forums or chat with us on IRC. File bug reports and enhancement requests on our Github repo. Most of the changes we’ve made since 6.0 are a result of user feedback. We really appreciate it! Autocomplete is just the tip of the iceberg. We have a bunch of other ideas in store for Kibana’s new query language. Perhaps that advance language will even make a solo appearance sometime in the future 😎