mirror of
https://github.com/elastic/kibana.git
synced 2025-04-24 17:59:23 -04:00
Add Kuery docs and break search page into subsections (#13074)
* Add Kuery docs and break search page into subsections
This commit is contained in:
Matt Bargar
GitHub
parent
10280e8f9c
commit
f78bb5dc11
2 changed files with 145 additions and 17 deletions
115
docs/discover/kuery.asciidoc
Normal file
115
docs/discover/kuery.asciidoc
Normal file
|
|
@ -0,0 +1,115 @@
|
|||
[[kuery-query]]
|
||||
=== Kuery
|
||||
|
||||
experimental[This functionality is experimental and may be changed or removed completely in a future release.]
|
||||
|
||||
Kuery is a new query language built specifically for Kibana. It aims to simplify the search experience in Kibana
|
||||
and enable the creation of helpful features like auto-complete, seamless migration of saved searches, additional
|
||||
query types, and more. Kuery is a basic experience today but we're hard at work building these additional features on
|
||||
top of the foundation Kuery provides.
|
||||
|
||||
Kueries are built with functions. Many functions take a field name as their first argument. Extremely common functions have shorthand notations.
|
||||
|
||||
`is("response", 200)` will match documents where the response field matches the value 200.
|
||||
`response:200` does the same thing. `:` is an alias for the `is` function.
|
||||
|
||||
Multiple search terms are separated by whitespace.
|
||||
|
||||
`response:200 extension:php` will match documents where response matches 200 and extension matches php.
|
||||
|
||||
All terms must match by default. The language supports boolean logic with and/or operators. The above query is equivalent to `response:200 and extension:php`.
|
||||
|
||||
We can make terms optional by using `or`.
|
||||
|
||||
`response:200 or extension:php` will match documents where response matches 200, extension matches php, or both.
|
||||
|
||||
By default, `and` has a higher precedence than `or`.
|
||||
|
||||
`response:200 and extension:php or extension:css` will match documents where response is 200 and extension is php OR documents where extension is css and response is anything.
|
||||
|
||||
We can override the default precedence with grouping.
|
||||
|
||||
`response:200 and (extension:php or extension:css)` will match documents where response is 200 and extension is either php or css.
|
||||
|
||||
Terms can be inverted by prefixing them with `!`.
|
||||
|
||||
`!response:200` will match all documents where response is not 200.
|
||||
|
||||
Entire groups can also be inverted.
|
||||
|
||||
`response:200 and !(extension:php or extension:css)`
|
||||
|
||||
Some query functions have named arguments.
|
||||
|
||||
`range("bytes", gt=1000, lt=8000)` will match documents where the bytes field is greater than 1000 and less than 8000.
|
||||
|
||||
Quotes are generally optional if your terms don't have whitespace or special characters. `range(bytes, gt=1000, lt=8000)`
|
||||
would also be a valid query.
|
||||
|
||||
[NOTE]
|
||||
============
|
||||
Terms without fields will be matched against all fields. For example, a query for `response:200` will search for the value 200
|
||||
in the response field, but a query for just `200` will search for 200 across all fields in your index.
|
||||
============
|
||||
|
||||
==== Function Reference
|
||||
|
||||
[horizontal]
|
||||
Function Name:: Description
|
||||
|
||||
and::
|
||||
Purpose::: Match all given sub-queries
|
||||
Alias::: `and` as a binary operator
|
||||
Examples:::
|
||||
* `and(response:200, extension:php)`
|
||||
* `response:200 and extension:php`
|
||||
|
||||
or::
|
||||
Purpose::: Match one or more sub-queries
|
||||
Alias::: `or` as a binary operator
|
||||
Examples:::
|
||||
* `or(extension:css, extension:php)`
|
||||
* `extension:css or extension:php`
|
||||
|
||||
not::
|
||||
Purpose::: Negates a sub-query
|
||||
Alias::: `!` as a prefix operator
|
||||
Examples:::
|
||||
* `not(response:200)`
|
||||
* `!response:200`
|
||||
|
||||
is::
|
||||
Purpose::: Matches a field with a given term
|
||||
Alias::: `:`
|
||||
Examples:::
|
||||
* `is("response", 200)`
|
||||
* `response:200`
|
||||
|
||||
range::
|
||||
Purpose::: Match a field against a range of values.
|
||||
Alias::: `:[]`
|
||||
Examples:::
|
||||
* `range("bytes", gt=1000, lt=8000)`
|
||||
* `bytes:[1000 to 8000]`
|
||||
Named arguments:::
|
||||
* `gt` - greater than
|
||||
* `gte` - greater than or equal to
|
||||
* `lt` - less than
|
||||
* `lte` - less than or equal to
|
||||
|
||||
exists::
|
||||
Purpose::: Match documents where a given field exists
|
||||
Examples::: `exists("response")`
|
||||
|
||||
geoBoundingBox::
|
||||
Purpose::: Creates a geo_bounding_box query
|
||||
Examples:::
|
||||
* `geoBoundingBox("coordinates", topLeft="40.73, -74.1", bottomRight="40.01, -71.12")` (whitespace between lat and lon is ignored)
|
||||
Named arguments:::
|
||||
* `topLeft` - the top left corner of the bounding box as a "lat, lon" string
|
||||
* `bottomRight` - the bottom right corner of the bounding box as a "lat, lon" string
|
||||
|
||||
geoPolygon::
|
||||
Purpose::: Creates a geo_polygon query given 3 or more points as "lat, lon"
|
||||
Examples:::
|
||||
* `geoPolygon("geo.coordinates", "40.97, -127.26", "24.20, -84.375", "40.44, -66.09")`
|
||||
|
|
@ -1,10 +1,10 @@
|
|||
[[search]]
|
||||
== Searching Your Data
|
||||
You can search the indices that match the current index pattern by entering
|
||||
your search criteria in the Query bar. You can perform a simple text search,
|
||||
use the Lucene https://lucene.apache.org/core/2_9_4/queryparsersyntax.html[
|
||||
query syntax], or use the full JSON-based {ref}/query-dsl.html[Elasticsearch
|
||||
Query DSL].
|
||||
your search criteria in the Query bar. You can use the Lucene
|
||||
https://lucene.apache.org/core/2_9_4/queryparsersyntax.html[
|
||||
query syntax], the full JSON-based {ref}/query-dsl.html[Elasticsearch
|
||||
Query DSL] or Kuery, an experimental new query language built specifically for Kibana.
|
||||
|
||||
When you submit a search request, the histogram, Documents table, and Fields
|
||||
list are updated to reflect the search results. The total number of hits
|
||||
|
|
@ -19,6 +19,17 @@ To search your data, enter your search criteria in the Query bar and
|
|||
press *Enter* or click *Search* image:images/search-button.jpg[] to submit
|
||||
the request to Elasticsearch.
|
||||
|
||||
[NOTE]
|
||||
===========
|
||||
By default, Kibana will accept either the Lucene query syntax or the
|
||||
Elasticsearch Query DSL in the Query bar. In order to use the new Kuery
|
||||
language you must enable language switching in *Management > Advanced Settings*
|
||||
via the `search:queryLanguage:switcher:enable` option. You can also change the
|
||||
default language with the `search:queryLanguage` setting.
|
||||
===========
|
||||
|
||||
[[lucene-query]]
|
||||
=== Lucene Query Syntax
|
||||
* To perform a free text search, simply enter a text string. For example, if
|
||||
you're searching web server logs, you could enter `safari` to search all
|
||||
fields for the term `safari`.
|
||||
|
|
@ -36,18 +47,22 @@ status codes, you could enter `status:[400 TO 499]`.
|
|||
codes and have an extension of `php` or `html`, you could enter `status:[400 TO
|
||||
499] AND (extension:php OR extension:html)`.
|
||||
|
||||
NOTE: These examples use the Lucene query syntax. You can also submit queries
|
||||
using the Elasticsearch Query DSL. For examples, see
|
||||
{ref}/query-dsl-query-string-query.html#query-string-syntax[query string syntax]
|
||||
in the Elasticsearch Reference.
|
||||
For more detailed information about the Lucene query syntax, see the
|
||||
{ref}/query-dsl-query-string-query.html#query-string-syntax[Query String Query]
|
||||
docs.
|
||||
|
||||
[float]
|
||||
[[save-search]]
|
||||
=== Saving a Search
|
||||
NOTE: These examples use the Lucene query syntax. When lucene is selected as your
|
||||
query language you can also submit queries using the {ref}/query-dsl.html[Elasticsearch Query DSL].
|
||||
|
||||
include::kuery.asciidoc[]
|
||||
|
||||
[[save-open-search]]
|
||||
=== Saving and Opening Searches
|
||||
Saving searches enables you to reload them into Discover and use them as the basis
|
||||
for <<visualize, visualizations>>. Saving a search saves both the search query string
|
||||
and the currently selected index pattern.
|
||||
|
||||
==== Saving a Search
|
||||
To save the current search:
|
||||
|
||||
. Click *Save* in the Kibana toolbar.
|
||||
|
|
@ -55,18 +70,17 @@ To save the current search:
|
|||
|
||||
You can import, export and delete saved searches from *Management/Kibana/Saved Objects*.
|
||||
|
||||
[float]
|
||||
[[load-search]]
|
||||
=== Opening a Saved Search
|
||||
==== Opening a Saved Search
|
||||
To load a saved search into Discover:
|
||||
|
||||
. Click *Open* in the Kibana toolbar.
|
||||
. Select the search you want to open.
|
||||
|
||||
If the saved search is associated with a different index pattern than is currently
|
||||
selected, opening the saved search also changes the selected index pattern.
|
||||
selected, opening the saved search changes the selected index pattern. The query language
|
||||
used for the saved search will also be automatically selected.
|
||||
|
||||
|
||||
[float]
|
||||
[[select-pattern]]
|
||||
=== Changing Which Indices You're Searching
|
||||
When you submit a search request, the indices that match the currently-selected
|
||||
|
|
@ -77,7 +91,6 @@ different index pattern.
|
|||
For more information about index patterns, see <<settings-create-pattern,
|
||||
Creating an Index Pattern>>.
|
||||
|
||||
[float]
|
||||
[[autorefresh]]
|
||||
=== Refreshing the Search Results
|
||||
As more documents are added to the indices you're searching, the search results
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue