Searching Data
To search data in an Elasticsearch index or alias, double-click the index or alias in the Elasticsearch tool window, or open the console and write the search request manually.
To execute the request, click the execute button or press ⌃ ⏎. If the request succeeds, the search response panel is shown.
Synchronizing request body
When you paginate, sort or filter data, or show/hide fields using the actions toolbar, your search request is changed accordingly.
For example, when you sort by the `author_id` column, the block `"sort": [{"author_id": {"order": "asc"}}]` is added to the request.
You can enable/disable updating the request in the editor with a toggle on the search response toolbar.
Filtering with Kibana Query Language
The Kibana Query Language (KQL) is a simple syntax for filtering Elasticsearch data using free-text or field-based search. KQL is only used for filtering data and has no role in sorting or aggregating it. The KQL filter suggests field names and operators as you type.
The KQL filter adds an additional `filter` clause to your initial request. It also adds a `highlight` block so that the matched words are highlighted in the response.
Term query
To query using exact search terms, enter the field name followed by `:` and then the values separated by spaces:
message:why do you
To query for an exact phrase, use quotation marks around the values:
message:"why do you"
Field names are not required. Without a field name, terms are matched against the default fields in your index settings. To search across fields, enter:
"why do you"
Boolean queries
KQL supports `or`, `and`, and `not`. By default, `and` has a higher precedence than `or`. To override the default precedence, group operators in parentheses. These operators can be upper or lower case.
To match documents where `author_id` is `77` but `message` is not `why` or `what`, enter:
author_id:77 and not (message:why or message:what)
Range queries
KQL supports `>`, `>=`, `<`, and `<=` on numeric and date types:
author_id >= 100 and author_id < 200
Date range queries
KQL supports date range queries:
created_at < "2021-01-02T21:55:59"
Exist queries
An exists query matches documents that contain any value for a field:
message:*
Wildcard queries
Wildcard queries can be used to search by a term prefix or to search multiple fields.
To match documents where `machine.os` starts with `win`, such as `windows 7` and `windows 10`:
machine.os:win*
To match multiple fields:
machine.os*:windows 10
This syntax is handy when you have text and keyword versions of a field. The query checks `machine.os` and `machine.os.keyword` for the term `windows 10`.
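To make the translation behind the Term, Boolean, Range, Exist and Wildcard sections concrete, here is an added example (not the plugin's or Kibana's own code) that parses this KQL subset into Elasticsearch query DSL with the stated precedence (`and` above `or`, parentheses override). It assumes a value is a single token or a quoted phrase; unquoted multi-word values, multi-field wildcards like `machine.os*` and nested `{}` groups are deliberately rejected with an error.

```python
import re

# Tokens: ( ) >= <= > < : a "quoted phrase" or a bare term (field name or value)
TOKEN_RE = re.compile(r'\(|\)|>=|<=|>|<|:|"[^"]*"|[^\s():<>"]+')
RANGE_OPS = {">": "gt", ">=": "gte", "<": "lt", "<=": "lte"}

def kql_to_dsl(kql):
    """Recursive descent: or binds loosest, then and, then not, then a clause."""
    toks = TOKEN_RE.findall(kql)

    def peek():  # operators are case-insensitive, so compare lower-cased
        return toks[0].lower() if toks else None
    def parse_list(word, sub, key):  # sub (word sub)* -> one bool query
        clauses = [sub()]
        while peek() == word:
            toks.pop(0)
            clauses.append(sub())
        return clauses[0] if len(clauses) == 1 else {"bool": {key: clauses}}
    def parse_or():  # a should-only bool defaults to minimum_should_match=1
        return parse_list("or", parse_and, "should")
    def parse_and():
        return parse_list("and", parse_not, "must")
    def parse_not():
        if peek() == "not":
            toks.pop(0)
            return {"bool": {"must_not": [parse_not()]}}
        return parse_primary()
    def parse_primary():
        if peek() == "(":
            toks.pop(0)
            query = parse_or()
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return query
        if len(toks) < 3 or (toks[1] != ":" and toks[1] not in RANGE_OPS):
            raise ValueError(f"bad clause near {' '.join(toks[:3])!r}")
        field, op, value = toks.pop(0), toks.pop(0), toks.pop(0)
        if op in RANGE_OPS:  # author_id >= 100, created_at < "2021-01-02T21:55:59"
            return {"range": {field: {RANGE_OPS[op]: value.strip('"')}}}
        if value == "*":  # exists query: the field has any value
            return {"exists": {"field": field}}
        if value.startswith('"'):  # exact phrase
            return {"match_phrase": {field: value.strip('"')}}
        if "*" in value:  # prefix / wildcard term such as win*
            return {"wildcard": {field: {"value": value}}}
        return {"match": {field: value}}

    query = parse_or()
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return query
```

Passing `kql_to_dsl("author_id:77 and not (message:why or message:what)")` yields a `bool.must` with the `author_id` match and a `must_not` wrapping a `should` of the two `message` matches, which is the shape the KQL filter adds to the request.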
Nested field queries
A main consideration for querying nested fields is how to match parts of the nested query to the individual nested documents. You can:
- Match parts of the query to a single nested document only. This is what most users want when querying on a nested field.
- Match parts of the query to different nested documents. This is how a regular object field works. This query is generally less useful than matching to a single document.
To match stores that have more than 10 bananas in stock:
items:{ name:banana and stock > 10 }
`items` is the nested path. Everything inside the curly braces (the nested group) must match a single nested document.
The following subqueries are in separate nested groups and can match different nested documents:
items:{ name:banana } and items:{ stock:9 }
KQL documentation
For more details see the official KQL documentation.