Kibana Query Language (KQL) is a simple yet powerful query language for filtering and searching data in Kibana. It supports full-text search, field-based queries, and boolean logic.
Basic Syntax
1. Free Text Search
Searches for a term in all fields:
error
2. Field-Based Search
Search within a specific field:
status: "error"
3. Boolean Operators
- AND: Matches both terms
status: "error" AND user: "admin"
- OR: Matches either term
status: "error" OR status: "warning"
- NOT: Excludes a term
NOT status: "success"
4. Wildcards
- Single Character (?): Matches a single character
user: j?hn
- Multiple Characters (*): Matches multiple characters
user: john*
5. Ranges
- Numerical Range:
age >= 30 AND age < 50
- Date Range:
timestamp > "2024-01-01T00:00:00"
6. Grouping and Nesting
Use parentheses to group expressions:
(status: "error" OR status: "warning") AND user: "admin"
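Grouping matters because AND binds more tightly than OR in KQL, so the same filter without parentheses matches a wider set of events. The Python model below is an added example, not Kibana's own parser: it evaluates a subset of the syntax on this page (field: value, *, AND/OR/NOT, parentheses) over constructed events. The names compile_kql, search and EVENTS are hypothetical, and values are assumed to be compared as exact strings.

```python
import re

TOKEN = re.compile(r'\(|\)|:|"[^"]*"|[^\s():"]+')

def compile_kql(query):
    """Compile a KQL subset (field: value, *, AND/OR/NOT, parentheses) to a predicate."""
    toks = TOKEN.findall(query)

    def peek_is(word):                  # operators are matched case-insensitively
        return bool(toks) and toks[0].upper() == word

    def or_expr():                      # lowest precedence
        parts = [and_expr()]
        while peek_is("OR"):
            toks.pop(0)
            parts.append(and_expr())
        return lambda ev: any(p(ev) for p in parts)

    def and_expr():                     # AND binds tighter than OR
        parts = [unary()]
        while peek_is("AND"):
            toks.pop(0)
            parts.append(unary())
        return lambda ev: all(p(ev) for p in parts)

    def unary():
        if peek_is("NOT"):              # NOT applies to the next term or group only
            toks.pop(0)
            inner = unary()
            return lambda ev: not inner(ev)
        if peek_is("("):
            toks.pop(0)
            inner = or_expr()
            toks.pop(0)                 # closing ")"
            return inner
        field, _colon, raw = toks.pop(0), toks.pop(0), toks.pop(0)
        if raw.startswith('"'):         # quoted value: matched literally
            rx = re.escape(raw[1:-1])
        else:                           # bare value: only * is expanded
            rx = ".*".join(re.escape(p) for p in raw.split("*"))
        return lambda ev: field in ev and re.fullmatch(rx, str(ev[field])) is not None

    return or_expr()

# Constructed sample events, not real log data.
EVENTS = [{"status": "error", "user": "admin"}, {"status": "warning", "user": "admin"},
          {"status": "error", "user": "john"}, {"status": "success", "user": "johnny"}]

def search(query, events=EVENTS):
    match = compile_kql(query)
    return [i for i, ev in enumerate(events) if match(ev)]
```

With the parentheses the query returns only the two admin events; without them it also returns the error event for user john, because it is read as error OR (warning AND admin).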
7. Exists Query
Check if a field has a value:
email: *
Important Notes
- KQL is case-insensitive.
- It does not support regex (use Lucene instead for that).
- It works only on filterable fields.