kibana/docs/discover/search.asciidoc

[[search]]
== Search your data

You can search your data in any app that has a query bar, or by clicking on
elements in a visualization.  A search matches indices in the current
<<index-patterns, index pattern>> and in the current <<set-time-filter,time frame>>.


[float]
=== Search with KQL

By default, you search using
{kib}'s <<kuery-query, standard query language>> (KQL), which
features autocomplete and a simple, easy-to-use syntax. If you prefer to use
{kib}'s legacy query
language, based on the
Lucene https://lucene.apache.org/core/2_9_4/queryparsersyntax.html[query syntax],
you can switch to it from the KQL popup in the query bar. When you enable the
legacy query language, you can use the full
JSON-based {ref}/query-dsl.html[Elasticsearch Query DSL].


[float]
[[autorefresh]]
=== Refresh search results
As more documents are added to the indices you're searching, the search results get stale.
Using the time filter, you can
configure a refresh interval to periodically resubmit your searches to
retrieve the latest results.

[role="screenshot"]
image::images/autorefresh-interval.png[Refresh interval option in time filter. The configurable time interval is located in the dropdown.]

You can also manually refresh the search results by
clicking the *Refresh* button.



include::kuery.asciidoc[]

[[lucene-query]]
=== Lucene query syntax
Lucene query syntax is available to {kib} users who opt out of the <<kuery-query>>.
Full documentation for this syntax is available as part of {es}
{ref}/query-dsl-query-string-query.html#query-string-syntax[query string syntax].

The main reason to use the Lucene query syntax in {kib} is for advanced
Lucene features, such as regular expressions or fuzzy term matching. However,
Lucene syntax is not able to search nested objects or scripted fields.

To perform a free text search, simply enter a text string. For example, if
you're searching web server logs, you could enter `safari` to search all
fields:

[source,yaml]
-------------------
safari
-------------------

To search for a value in a specific field, prefix the value with the name
of the field:

[source,yaml]
-------------------
status:200
-------------------

To search for a range of values, use the bracketed range syntax,
`[START_VALUE TO END_VALUE]`. For example, to find entries that have 4xx
status codes, you could enter `status:[400 TO 499]`.

[source,yaml]
-------------------
status:[400 TO 499]
-------------------

For an open range, use a wildcard:

[source,yaml]
-------------------
status:[400 TO *]
-------------------

To specify more complex search criteria, use the boolean operators
`AND`, `OR`, and `NOT`. For example, to find entries that have 4xx status
codes and have an extension of `php` or `html`:

[source,yaml]
-------------------
status:[400 TO 499] AND (extension:php OR extension:html)
-------------------


[[save-open-search]]
=== Save a search
A saved search persists your current view of Discover for later retrieval and reuse. You can reload a saved search into Discover, add it to a dashboard, and use it as the basis for a visualization.

A saved search includes the query text, filters, and optionally, the time filter. A saved search also includes the selected columns in the document table, the sort order, and the current index pattern.

[role="xpack"]
[[discover-read-only-access]]
==== Read-only access
When you have insufficient privileges to save searches, the following indicator in Kibana will be
displayed and the *Save* button won't be visible. For more information on granting access to
Kibana see <<xpack-security-authorization>>.

[role="screenshot"]
image::discover/images/read-only-badge.png[Example of Discover's read only access indicator in Kibana's header]

==== Save a search
To save the current search:

. Click *Save* in the toolbar.
. Enter a name for the search and click *Save*.

To import, export, and delete saved searches, open the main menu,
then click *Stack Management > Saved Objects*.

==== Open a saved search
To load a saved search into Discover:

. Click *Open* in the toolbar.
. Select the search you want to open.

If the saved search is associated with a different index pattern than is currently
selected, opening the saved search changes the selected index pattern. The query language
used for the saved search will also be automatically selected.

[[save-load-delete-query]]
=== Save a query
A saved query is a portable collection of query text and filters that you can reuse in <<discover, Discover>> and <<dashboard, Dashboard>>. Save a query when you want to:

* Retrieve results from the same query at a later time without having to reenter the query text, add the filters or set the time filter
* View the results of the same query in multiple apps
* Share your query

Saved queries don't include information specific to Discover, such as the currently selected columns in the document table, the sort order, and the index pattern. If you want to save your current view of Discover for later retrieval and reuse, create a <<save-open-search, saved search>> instead.

[role="xpack"]
==== Read-only access
If you have insufficient privileges to save queries, the *Save current query* button isn't visible in the saved query management popover. For more information, see <<xpack-security-authorization, Granting access to Kibana>>

==== Save a query
To save the current query text, filters, and time filter:

. Click *#* in the search bar, next to the query text input.
. Click *Save current query* in the popover.
+
[role="screenshot"]
image::discover/images/saved-query-management-component-all-privileges.png["Example of the saved query management popover with a list of saved queries with write access",width="80%"]
+
. Enter a name, a description, and then select the filter options that you want to include. By default, filters are automatically included, but the time filter is not.
+
[role="screenshot"]
image::discover/images/saved-query-save-form-default-filters.png["Example of the saved query management save form with the filters option included and the time filter option excluded",width="80%"]
. Click *Save*.

==== Load a query
To load a saved query into Discover or Dashboard:

. Click *#* in the search bar, next to the query text input.
. Select the query you want to load. You might need to scroll down to find the query you are looking for.

==== Save changes to a query
If you load a query and then make changes to the query text, the filters, or the time filter, you can save the changes as a new query or update the existing query.

To save the changes as a new query:

. Click *#* in the search bar, next to the query text input.
. Click *Save as new* in the popover.
. Enter a name and a description, and then select the filter options that you want to include.
. Click *Save*.
+
[role="screenshot"]
image::discover/images/saved-query-management-component-save-as-new-query.png["Example of the saved query management popover when a query is loaded and we have made changes to the query",width="80%"]

To save the changes to the current query:

. Click *#* in the search bar.
. Click *Save changes* in the popover.
. Enter a description, and then select the filter options that you want to include.
. Click *Save*.

==== Clear a query
To clear a query that is currently loaded in an application:

. Click *#* in the search bar.
. Click *Clear* in the popover.

==== Delete a query
To completely delete a query:

. Click *#* in the search bar, next to the query text input.
. Hover over the query you want to delete.
. Click the trash can icon.
+
[role="screenshot"]
image::discover/images/saved-query-management-component-delete-query-button.png["Example of the saved query management popover when a query is hovered over and we are about to delete a query",width="80%"]

You can import, export, and delete saved queries from <<managing-saved-objects, Saved Objects in Management>>.

include::search-sessions.asciidoc[]