Kibana’s legacy query language was based on the Lucene query syntax. For the time being this syntax is still available under the options menu in the Query Bar and in Advanced Settings. The following are some tips that can help get you started.
To perform a free text search, simply enter a text string. For example, if you're searching web server logs, you could enter safari to search all fields for the term safari.
To search for a value in a specific field, prefix the value with the name of the field. For example, you could enter status:200 to find all of the entries that contain the value 200 in the status field.
To search for a range of values, you can use the bracketed range syntax,
[START_VALUE TO END_VALUE]. For example, to find entries that have 4xx status codes, you could enter
status:[400 TO 499].
To specify more complex search criteria, you can use the Boolean operators AND, OR, and NOT. For example, to find entries that have 4xx status codes and have an extension of php or html, you could enter
status:[400 TO 499] AND (extension:php OR extension:html).
When you use the Lucene query syntax in the query bar, Kibana cannot search on nested objects or run aggregations across fields that contain nested objects. Using copy_to as a workaround can cause Kibana to fail.
For more detailed information about the Lucene query syntax, see the Query String Query docs.
These examples use the Lucene query syntax. When Lucene is selected as your query language, you can also submit queries using the Elasticsearch Query DSL.
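The following is an added example, not code from the Kibana documentation or the Kibana project. It rebuilds the free-text, field, range and Boolean examples above from small helpers, escapes the characters the Lucene parser treats as operators (the reserved-character list from the Query String Query docs, plus whitespace), and wraps the result in the Query DSL query_string form mentioned above. The helper names, the inclusive/exclusive range flag and the minimal query_string body are assumptions for illustration; Kibana's own requests may carry additional parameters. The point of the escaping helper is the one a reviewer would raise when query strings are assembled from user input: an unescaped space or colon lets the input add its own clause.

```python
import json
import re

# Characters the Lucene query string parser treats as operators
# (reserved characters listed in the Elasticsearch Query String Query docs).
# Whitespace is included as well: an unescaped space lets injected text
# start a new clause, e.g. "bob OR status:500".
_RESERVED = re.compile(r'([+\-=&|><!(){}\[\]^"~*?:\\/\s])')


def escape(value: str) -> str:
    """Backslash-escape reserved characters and whitespace so that
    user-supplied text is matched literally instead of parsed as syntax."""
    return _RESERVED.sub(r"\\\1", value)


def free_text(term: str) -> str:
    """Free-text search across all fields, e.g. safari."""
    return escape(term)


def field_term(field: str, value: str) -> str:
    """Search a specific field, e.g. status:200. The field name is chosen by
    the query author, not taken from user input, so it is not escaped here."""
    return f"{field}:{escape(value)}"


def field_range(field: str, start, end, inclusive: bool = True) -> str:
    """Bracketed range. [START TO END] includes both ends; {START TO END}
    excludes them (both forms are part of the Lucene syntax)."""
    left, right = ("[", "]") if inclusive else ("{", "}")
    return f"{field}:{left}{start} TO {end}{right}"


def and_(*clauses: str) -> str:
    return " AND ".join(clauses)


def or_(*clauses: str) -> str:
    return " OR ".join(clauses)


def not_(clause: str) -> str:
    return f"NOT {clause}"


def group(clause: str) -> str:
    """Parenthesise a clause so AND/OR precedence is explicit."""
    return f"({clause})"


def to_query_dsl(lucene: str) -> dict:
    """Wrap a Lucene string in a Query DSL query_string query, the form used
    when sending Lucene syntax to Elasticsearch directly (assumed minimal
    body; Kibana may add parameters of its own)."""
    return {"query": {"query_string": {"query": lucene}}}


if __name__ == "__main__":
    # The page's own examples, rebuilt from the helpers.
    print(free_text("safari"))
    print(field_term("status", "200"))
    print(field_range("status", 400, 499))
    print(and_(field_range("status", 400, 499),
               group(or_(field_term("extension", "php"),
                         field_term("extension", "html")))))
    # Constructed untrusted input: without escaping this would inject an OR
    # clause and widen the search to every document with status:500.
    print(field_term("user", "bob OR status:500"))
    print(json.dumps(to_query_dsl(free_text("safari"))))
```

Escaping is the right tool for a value that must match literally; if the input is meant to be a phrase on an analyzed text field, wrapping it in double quotes (escaping any embedded `"` and `\`) is the alternative the same syntax offers.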