kibana/docs/concepts/lucene.asciidoc

[[lucene-query]]
=== Lucene query syntax
Lucene query syntax is available to {kib} users who opt out of the <<kuery-query>>.
Full documentation for this syntax is available as part of {es}
{ref}/query-dsl-query-string-query.html#query-string-syntax[query string syntax].

The main reason to use the Lucene query syntax in {kib} is for advanced
Lucene features, such as regular expressions or fuzzy term matching. However,
Lucene syntax is not able to search nested objects or scripted fields.

To use the Lucene syntax, open the *Saved query* menu,
and then select *Language: KQL* > *Lucene*.

[role="screenshot"]
image:concepts/images/lucene.png[Click the circle icon for the saved query menu, click Language: KQL, and then click Lucene]

To perform a free text search, simply enter a text string. For example, if
you're searching web server logs, you could enter `safari` to search all
fields:

[source,yaml]
-------------------
safari
-------------------

To search for a value in a specific field, prefix the value with the name
of the field:

[source,yaml]
-------------------
status:200
-------------------

To search for a range of values, use the bracketed range syntax,
`[START_VALUE TO END_VALUE]`. For example, to find entries that have 4xx
status codes, you could enter `status:[400 TO 499]`.

[source,yaml]
-------------------
status:[400 TO 499]
-------------------

For an open range, use a wildcard:

[source,yaml]
-------------------
status:[400 TO *]
-------------------

To specify more complex search criteria, use the boolean operators
`AND`, `OR`, and `NOT`. For example, to find entries that have 4xx status
codes and have an extension of `php` or `html`:

[source,yaml]
-------------------
status:[400 TO 499] AND (extension:php OR extension:html)
-------------------