Kibana

Kibana queries and filters

Location

Discover page.

Basic Syntax

The search field on the Discover page lets you query the documents within the selected time frame.
The filter field lets you apply boolean operators, wildcards, and field filtering.
Example: if the document contains an http.response.status_code field, we can filter on the NOT FOUND error responses with http.response.status_code: 404.

Search in any field or in a specific field

To search in any field, we simply do not prefix the search with a field name.
Example:
redis nginx http
To search in a specific field, we prefix the search with the field name.
Example:
message:redis nginx http

Word or phrase search

By default, Kibana searches for words, not phrases. This means that any one of the words in the search field matching is enough to produce a result.
Example: the filter message:HTTP/1.1 404
returns any document where message contains the word HTTP/1.1 or the word 404.
To search for a phrase, that is the entire input as one expression, we need to enclose it in double quotes "...".
message:"HTTP/1.1 404"
returns any document where message contains the expression "HTTP/1.1 404".

Case sensitivity

By default, fields stored with the text type are searched case-insensitively.

Logical operators

Logical AND:
message:http AND host:*evil*

Logical OR:
message:http OR host:*evil*

Negation :
NOT message:http
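To make the rules above concrete, here is a small matcher, added as an example and not part of the original post or of Kibana itself, that applies the same semantics (word versus quoted phrase, optional field prefix, wildcards, case-insensitive text fields, AND / OR / NOT) to a handful of constructed log events. The sample documents and the host names in them are made up for the demonstration.

```python
import fnmatch
import re
# Constructed sample log events standing in for the documents Kibana searches.
DOCS = [
    {"message": "GET /index.html HTTP/1.1 404", "host": "web01"},
    {"message": "redis connection refused", "host": "cache01"},
    {"message": "http request blocked by nginx", "host": "proxy.evil.example"},
    {"message": "upstream returned 404 for /missing", "host": "Web-Evil-02"},
]
# A token is an optionally field-prefixed quoted phrase, or a bare word.
TOKEN = re.compile(r'(?:[\w.]+:)?"[^"]*"|\S+')

def term_matches(value, term):
    # Text fields are case-insensitive; '*' is a wildcard; "..." is a whole phrase.
    value, term = value.lower(), term.lower()
    if term.startswith('"') and term.endswith('"'):
        return term[1:-1] in value
    return any(fnmatch.fnmatchcase(word, term) for word in value.split())

def parse(query):
    # Split 'clause (AND|OR clause)*' into (op, negate, field, terms) tuples;
    # a clause is '[NOT] [field:]term...' and a new field prefix starts one.
    clauses, op, negate, field, terms = [], "OR", False, None, []
    for tok in TOKEN.findall(query) + ["AND"]:  # sentinel closes the last clause
        new_field = ":" in tok and not tok.startswith('"')
        if terms and (tok in ("AND", "OR", "NOT") or new_field):
            clauses.append((op, negate, field, terms))
            negate, field, terms = False, None, []
        if tok == "NOT":
            negate = True
        elif tok in ("AND", "OR"):
            op = tok
        elif new_field:
            field, _, term = tok.partition(":")
            terms = [term]
        else:
            terms.append(tok)
    return clauses

def query_matches(doc, query):
    # Unquoted words are independent (any one hit matches the clause); no prefix
    # means every field is searched; clauses are combined left to right.
    result = None
    for op, negate, field, terms in parse(query):
        values = [doc[field]] if field else list(doc.values())
        hit = any(term_matches(v, t) for v in values for t in terms) != negate
        result = hit if result is None else (result and hit if op == "AND" else result or hit)
    return bool(result)

def search(query):
    return [d["host"] for d in DOCS if query_matches(d, query)]
```

Running search('message:HTTP/1.1 404') returns two hosts while search('message:"HTTP/1.1 404"') returns only web01, which is exactly the word-versus-phrase difference described above.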
