mirror of
https://github.com/elastic/kibana.git
synced 2025-04-23 01:13:23 -04:00
* [DOCS] Reorganizes concepts and discover sections * [DOCS] Updates time filter and saved query sections * Update docs/discover/save-search.asciidoc Co-authored-by: Wylie Conlon <wylieconlon@gmail.com> * [DOCS] Updates time filter and saved query doc * [DOCS] Updates images * [DOCS] Adds missing images * [DOCS] Minor edits Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Wylie Conlon <wylieconlon@gmail.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Wylie Conlon <wylieconlon@gmail.com>
51 lines
1.5 KiB
Text
[[lucene-query]]
=== Lucene query syntax

Lucene query syntax is available to {kib} users who opt out of the <<kuery-query>>.
Full documentation for this syntax is available as part of {es}
{ref}/query-dsl-query-string-query.html#query-string-syntax[query string syntax].

The main reason to use the Lucene query syntax in {kib} is for advanced
Lucene features, such as regular expressions or fuzzy term matching. However,
Lucene syntax is not able to search nested objects or scripted fields.
Characters that have a meaning in the syntax, such as `:`, `(`, `[`, `*`, and
`\`, must be escaped with a backslash when they are part of a value; the {es}
query string syntax documentation lists the full set of reserved characters.

To perform a free text search, simply enter a text string. For example, if
you're searching web server logs, you could enter `safari` to search all
fields:

[source,yaml]
-------------------
safari
-------------------

To search for a value in a specific field, prefix the value with the name
of the field:

[source,yaml]
-------------------
status:200
-------------------

To search for a range of values, use the bracketed range syntax,
`[START_VALUE TO END_VALUE]`; square brackets include both end values. For
example, to find entries that have 4xx status codes, you could enter
`status:[400 TO 499]`.

[source,yaml]
-------------------
status:[400 TO 499]
-------------------

For an open range, use a wildcard as one of the two bounds:

[source,yaml]
-------------------
status:[400 TO *]
-------------------

To specify more complex search criteria, use the boolean operators
`AND`, `OR`, and `NOT`, and use parentheses to group clauses. For example,
to find entries that have 4xx status codes and have an extension of `php` or
`html`:

[source,yaml]
-------------------
status:[400 TO 499] AND (extension:php OR extension:html)
-------------------
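The following is an added example, not code from Kibana or Elasticsearch: a small Python evaluator for the query forms shown on this page (free text, `field:value`, bracketed and open ranges, `AND`/`OR`/`NOT` with parentheses), run over a handful of constructed web-server log records so you can see which records each query selects. It also includes an `escape_value` helper that backslash-escapes the reserved characters, to show why a value taken from untrusted input must be escaped before it is spliced into a query: an unescaped value can add its own clauses. The sample records, the word-level free-text matching, and the treatment of adjacent terms as an implicit `OR` are simplifications chosen here and are not a specification of what Elasticsearch does.

```python
import re

# Constructed sample web-server log records, with the fields the page's examples use.
LOGS = [
    {"url": "/index.html", "status": 200, "extension": "html", "agent": "Mozilla/5.0 Safari/605.1"},
    {"url": "/admin.php", "status": 404, "extension": "php", "agent": "curl/8.4"},
    {"url": "/secret.html", "status": 403, "extension": "html", "agent": "Mozilla/5.0 Chrome/120"},
    {"url": "/api.php", "status": 500, "extension": "php", "agent": "Mozilla/5.0 Safari/605.1"},
    {"url": "/site.css", "status": 200, "extension": "css", "agent": "python-requests/2.31"},
]
# Characters that carry syntax in query_string (plus space); escape them in untrusted values.
RESERVED = set('+-=&|><!(){}[]^"~*?:\\/ ')
# A token is a parenthesis or a term; a term may hold \-escapes and end in a bracketed range.
TOKEN_RE = re.compile(r"\(|\)|(?:\\.|[^\s()\\\[])+(?:\[[^\]]*\])?")
RANGE_RE = re.compile(r"^\[(\S+)\s+TO\s+(\S+)\]$")

class Parser:
    """Recursive descent: or := and (OR? and)*, and := not (AND not)*, not := NOT not | (or) | term."""
    def __init__(self, query):
        self.toks, self.i = TOKEN_RE.findall(query), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok, self.i = self.peek(), self.i + 1
        return tok
    def parse_or(self):
        node = self.parse_and()
        while self.peek() not in (None, ")", "AND"):
            if self.peek() == "OR":
                self.take()  # adjacent terms with no operator get query_string's default OR
            node = ("OR", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_not()
        while self.peek() == "AND":
            self.take()
            node = ("AND", node, self.parse_not())
        return node
    def parse_not(self):
        tok = self.take()
        if tok == "NOT":
            return ("NOT", self.parse_not())
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok in (None, ")", "AND", "OR"):
            raise ValueError(f"unexpected token {tok!r}")
        return ("TERM", tok)

def to_regex(pattern):
    """Anchored, case-insensitive regex for a term: bare * and ? are wildcards, \\x is a literal x."""
    def piece(p):  # p is an escape pair "\x" or a single character
        return re.escape(p[1]) if len(p) == 2 else {"*": ".*", "?": "."}.get(p, re.escape(p))
    out = "".join(piece(p) for p in re.findall(r"\\.|.", pattern, re.S))
    return re.compile(f"^{out}$", re.I)

def in_range(value, lo, hi):
    """Inclusive [lo TO hi]; * is an open bound; numeric when value and both bounds are numbers."""
    bounds = [x for x in (value, lo, hi) if x != "*"]
    key = float if all(re.fullmatch(r"-?\d+(\.\d+)?", str(x)) for x in bounds) else str
    return (lo == "*" or key(lo) <= key(value)) and (hi == "*" or key(value) <= key(hi))

def match_term(doc, tok):
    """field:value, field:[lo TO hi], or free text matched against the words of every field."""
    m = re.match(r"((?:\\.|[^:\\])+):(.+)$", tok)
    if not m:  # free text: word-level match, roughly what an analyzed text field gives you
        rx = to_regex(tok)
        return any(rx.match(w) for v in doc.values() for w in re.findall(r"\w+", str(v)))
    field, value = re.sub(r"\\(.)", r"\1", m.group(1)), m.group(2)
    if field not in doc:
        return False
    if r := RANGE_RE.match(value):
        return in_range(doc[field], r.group(1), r.group(2))
    return bool(to_regex(value).match(str(doc[field])))

def evaluate(node, doc):
    if node[0] == "TERM":
        return match_term(doc, node[1])
    if node[0] == "NOT":
        return not evaluate(node[1], doc)
    a, b = evaluate(node[1], doc), evaluate(node[2], doc)
    return (a and b) if node[0] == "AND" else (a or b)

def search(query, docs=LOGS):
    """Return the url of every record the query matches, in log order."""
    p = Parser(query)
    tree = p.parse_or()
    if p.peek() is not None:  # only an unbalanced ')' can be left over here
        raise ValueError(f"unexpected token {p.peek()!r}")
    return [d["url"] for d in docs if evaluate(tree, d)]

def escape_value(value):
    """Backslash-escape reserved characters so an untrusted value cannot add clauses to a query."""
    return "".join("\\" + c if c in RESERVED else c for c in value)
```

Calling `search("status:[400 TO 499] AND (extension:php OR extension:html)")` returns the two 4xx records, and `search("status:[400 TO *]")` adds the 500. For the escaping point, take a value an attacker controls such as `html OR status:500`: `search("extension:" + value)` returns every `html` record plus the 500, because the unescaped value contributed an `OR` clause, while `search("extension:" + escape_value(value))` returns nothing, because the escaped text is matched as one literal value.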