Kibana Query Language (KQL) is a simple yet powerful query language for filtering and searching data in Kibana. It supports full-text search, field-based queries, and boolean logic.
Basic Syntax
1. Free Text Search
Searches for a term in all fields:
error
2. Field-Based Search
Search within a specific field:
status: "error"
3. Boolean Operators
- AND: Matches both terms
  status: "error" AND user: "admin"
- OR: Matches either term
  status: "error" OR status: "warning"
- NOT: Excludes a term
  NOT status: "success"
4. Wildcards
- Single Character (?): Matches a single character
  user: j?hn
- Multiple Characters (*): Matches multiple characters
  user: john*
5. Ranges
- Numerical Range:
  age >= 30 AND age < 50
- Date Range:
  timestamp > "2024-01-01T00:00:00"
6. Grouping and Nesting
Use parentheses to group expressions:
(status: "error" OR status: "warning") AND user: "admin"
7. Exists Query
Check if a field has a value:
_exists_: email
Important Notes
- KQL is case-insensitive.
- It does not support regular expressions (switch to the Lucene query syntax for that).
- It works only on filterable fields.
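To make the seven constructs above concrete, here is an added example (not from the page, and not Kibana's own query parser): a small Python evaluator for exactly the KQL subset described here (free text, field: value, AND/OR/NOT with NOT binding tighter than AND and AND tighter than OR, * and ? wildcards, numeric and date ranges, parentheses and _exists_), run over three constructed events. Matching is case-insensitive as the notes state; the event data and field names are assumptions made for the demo.

```python
import fnmatch, operator, re

# Constructed sample events (not from the page) to run the page's queries against.
EVENTS = [
    {"status": "error", "user": "admin", "age": 42, "email": "a@example.org", "timestamp": "2024-03-01T10:00:00", "msg": "disk error"},
    {"status": "warning", "user": "john", "age": 25, "timestamp": "2023-12-31T23:00:00", "msg": "login ok"},
    {"status": "success", "user": "jahn", "age": 35, "timestamp": "2024-02-10T00:00:00", "msg": "backup done"},
]
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(>=|<=|[()<>:])|([^\s()<>:"]+)')
CMP = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}
def tokenize(query):  # -> [(kind, text)]: op, str (quoted phrase), kw (case-insensitive AND/OR/NOT) or word
    return [("op", op) if op else ("kw", w.upper()) if w.upper() in ("AND", "OR", "NOT")
            else ("word", w) if w else ("str", q.replace('\\"', '"')) for q, op, w in TOKEN.findall(query)]
def matches(pattern, value):  # case-insensitive, with * and ? wildcards (section 4)
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())
def field_test(field, op, value):
    if op == ":":  # section 2 (field: value) and section 7 (_exists_: field)
        return (lambda e: value in e) if field == "_exists_" else (lambda e: field in e and matches(value, e[field]))
    def in_range(e):  # section 5: numeric compare when both sides parse, else lexical (ISO-8601 dates sort correctly)
        try: return field in e and CMP[op](float(e[field]), float(value))
        except ValueError: return CMP[op](str(e[field]), str(value))
    return in_range

def parse(query):  # recursive descent, precedence NOT > AND > OR; returns a predicate over one event dict
    toks, pos = tokenize(query), 0
    def peek(): return toks[pos] if pos < len(toks) else (None, None)
    def take(): nonlocal pos; pos += 1; return toks[pos - 1]  # IndexError on a truncated query
    def chain(sub, kw, combine):  # left-associative `sub (kw sub)*`
        left = sub()
        while peek() == ("kw", kw): take(); left = combine(left, sub())
        return left
    def or_expr(): return chain(and_expr, "OR", lambda l, r: lambda e: l(e) or r(e))
    def and_expr(): return chain(not_expr, "AND", lambda l, r: lambda e: l(e) and r(e))
    def not_expr():
        if peek() != ("kw", "NOT"): return primary()
        take(); inner = not_expr(); return lambda e: not inner(e)
    def primary():
        kind, text = take()
        if (kind, text) == ("op", "("):  # section 6: grouping
            inner = or_expr()
            if take() != ("op", ")"): raise ValueError("expected )")
            return inner
        if kind == "word" and peek()[0] == "op" and peek()[1] not in "()":  # field: value, or a range
            op, value = take()[1], take()[1]
            return field_test(text, op, value)
        return lambda e: any(matches(text, t) for v in e.values() for t in [str(v), *str(v).split()])  # section 1
    test = or_expr()
    if pos != len(toks): raise ValueError(f"unexpected {toks[pos][1]!r}")
    return test
def search(query, events=EVENTS):  # indices of the events the query matches
    test = parse(query); return [i for i, e in enumerate(events) if test(e)]
```

Feed `search()` each query from the sections above to see which of the three events it selects.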
While KQL provides powerful query capabilities within Kibana, monitoring the health and performance of the Elasticsearch cluster itself requires specialized tooling. Pulse complements Kibana by providing AI-powered cluster monitoring, automated health assessments, and proactive alerting—helping you catch performance issues before they affect your dashboards and users.