kibana/docs/concepts/lucene.asciidoc

[[lucene-query]]
=== Lucene query syntax
Lucene query syntax is available to {kib} users who opt out of the <<kuery-query>>.
Full documentation for this syntax is available as part of {es}
{ref}/query-dsl-query-string-query.html#query-string-syntax[query string syntax].

The main reason to use the Lucene query syntax in {kib} is for advanced
Lucene features, such as regular expressions or fuzzy term matching. However,
Lucene syntax is not able to search nested objects or scripted fields.

To perform a free text search, simply enter a text string. For example, if
you're searching web server logs, you could enter `safari` to search all
fields:

[source,yaml]
-------------------
safari
-------------------

To search for a value in a specific field, prefix the value with the name
of the field:

[source,yaml]
-------------------
status:200
-------------------

To search for a range of values, use the bracketed range syntax,
`[START_VALUE TO END_VALUE]`. For example, to find entries that have 4xx
status codes, you could enter `status:[400 TO 499]`.

[source,yaml]
-------------------
status:[400 TO 499]
-------------------

For an open range, use a wildcard:

[source,yaml]
-------------------
status:[400 TO *]
-------------------

To specify more complex search criteria, use the boolean operators
`AND`, `OR`, and `NOT`. For example, to find entries that have 4xx status
codes and have an extension of `php` or `html`:

[source,yaml]
-------------------
status:[400 TO 499] AND (extension:php OR extension:html)
-------------------