52 lines
1.5 KiB
Text
52 lines
1.5 KiB
Text
|
[[lucene-query]]
|
||
|
|
=== Lucene query syntax
|
||
|
|
Lucene query syntax is available to {kib} users who opt out of the <<kuery-query>>.
|
||
|
|
Full documentation for this syntax is available as part of {es}
|
||
|
|
{ref}/query-dsl-query-string-query.html#query-string-syntax[query string syntax].
|
||
|
|
|
||
|
|
The main reason to use the Lucene query syntax in {kib} is for advanced
|
||
|
|
Lucene features, such as regular expressions or fuzzy term matching. However,
|
||
|
|
Lucene syntax is not able to search nested objects or scripted fields.
|
||
|
|
|
||
|
|
To perform a free text search, simply enter a text string. For example, if
|
||
|
|
you're searching web server logs, you could enter `safari` to search all
|
||
|
|
fields:
|
||
|
|
|
||
|
|
[source,yaml]
|
||
|
|
-------------------
|
||
|
|
safari
|
||
|
|
-------------------
|
||
|
|
|
||
|
|
To search for a value in a specific field, prefix the value with the name
|
||
|
|
of the field:
|
||
|
|
|
||
|
|
[source,yaml]
|
||
|
|
-------------------
|
||
|
|
status:200
|
||
|
|
-------------------
|
||
|
|
|
||
|
|
To search for a range of values, use the bracketed range syntax,
|
||
|
|
`[START_VALUE TO END_VALUE]`. For example, to find entries that have 4xx
|
||
|
|
status codes, you could enter `status:[400 TO 499]`.
|
||
|
|
|
||
|
|
[source,yaml]
|
||
|
|
-------------------
|
||
|
|
status:[400 TO 499]
|
||
|
|
-------------------
|
||
|
|
|
||
|
|
For an open range, use a wildcard:
|
||
|
|
|
||
|
|
[source,yaml]
|
||
|
|
-------------------
|
||
|
|
status:[400 TO *]
|
||
|
|
-------------------
|
||
|
|
|
||
|
|
To specify more complex search criteria, use the boolean operators
|
||
|
|
`AND`, `OR`, and `NOT`. For example, to find entries that have 4xx status
|
||
|
|
codes and have an extension of `php` or `html`:
|
||
|
|
|
||
|
|
[source,yaml]
|
||
|
|
-------------------
|
||
|
|
status:[400 TO 499] AND (extension:php OR extension:html)
|
||
|
|
-------------------
|