Kibana Query Language (KQL)

Syntax:

Official documentation

If you’re familiar with Kibana’s old lucene query syntax, you should feel right at home with the new syntax. The basics stay the same, we’ve simply refined things to make the query language easier to use. Read about the changes below.

response:200 will match documents where the response field matches the value 200.

Quotes around a search term will initiate a phrase search. For example, message:"Quick brown fox" will search for the phrase "quick brown fox" in the message field. Without the quotes, your query will get broken down into tokens via the message field’s configured analyzer and will match documents that contain those tokens, regardless of the order in which they appear. This means documents with "quick brown fox" will match, but so will "quick fox brown". Remember to use quotes if you want to search for a phrase.

The query parser will no longer split on whitespace. Multiple search terms must be separated by explicit boolean operators. Note that boolean operators are not case sensitive.

response:200 extension:php in lucene would become response:200 and extension:php. This will match documents where response matches 200 and extension matches php.

We can make terms optional by using or.

response:200 or extension:php will match documents where response matches 200, extension matches php, or both.

By default, and has a higher precedence than or.

response:200 and extension:php or extension:css will match documents where response is 200 and extension is php OR documents where extension is css and response is anything. Keep this in mind when writing alert or filter conditions: an ungrouped trailing or widens the match to every document with extension:css, whatever its response.

We can override the default precedence with grouping.

response:200 and (extension:php or extension:css) will match documents where response is 200 and extension is either php or css.

A shorthand exists that allows us to easily search a single field for multiple values.

response:(200 or 404) searches for docs where the response field matches 200 or 404. We can also search for docs with multi-value fields that contain a list of terms, for example: tags:(success and info and security)

Terms can be inverted by prefixing them with not.

not response:200 will match all documents where response is not 200.

Entire groups can also be inverted.

response:200 and not (extension:php or extension:css)

Ranges are similar to lucene with a small syntactical difference.

Instead of bytes:>1000, we omit the colon: bytes > 1000.

>, >=, <, <= are all valid range operators.

Exists queries are simple and do not require a special operator. response:* will find all docs where the response field exists.

Wildcard queries are available. machine.os:win* would match docs where the machine.os field starts with "win", which would match values like "windows 7" and "windows 10".

Wildcards also allow us to search multiple fields at once. This can come in handy when you have both text and keyword versions of a field. Let’s say we have machine.os and machine.os.keyword fields and we want to check both for the term "windows 10". We can do it like this: machine.os*:"windows 10".

Terms without fields will be matched against the default field in your index settings. If a default field is not set these terms will be matched against all fields. For example, a query for response:200 will search for the value 200 in the response field, but a query for just 200 will search for 200 across all fields in your index.
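The behaviour described in this section (not binding tighter than and, and tighter than or; grouping; the field:(a or b) shorthand; quoted phrases versus unquoted tokens; ranges written without a colon; field:* exists queries; wildcards in values and in field names), as an added example that is not part of the original page and not Kibana's own parser: a small recursive-descent parser for this KQL subset and an evaluator that runs the parsed query over a few constructed log documents. The grammar it implements is or_expr := and_expr ('or' and_expr)*, and_expr := primary ('and' primary)*, primary := 'not' primary | '(' or_expr ')' | field ':' primary | term. A text analyzer is approximated by lower-casing and splitting on non-word characters, and the documents in DOCS are constructed for the example.

```python
"""Minimal KQL subset (added illustration, not Kibana's own parser): tokenizer, recursive-descent
parser with KQL precedence (not, then and, then or) and an evaluator over in-memory documents."""
import fnmatch
import re
from collections import deque

TOKEN_RE = re.compile(r'("(?:[^"\\]|\\.)*")|(>=|<=|>|<|\(|\)|:)|([^\s():<>"]+)|(\S)')
RANGE_OPS = {'>': float.__gt__, '>=': float.__ge__, '<': float.__lt__, '<=': float.__le__}

def tokenize(text):  # ('phrase'|'sym'|'kw'|'word', value) tokens; and/or/not are case-insensitive
    tokens = []
    for quoted, sym, word, junk in TOKEN_RE.findall(text):
        if junk:  # e.g. an unbalanced quote
            raise ValueError(f"bad token {junk!r}")
        kind = 'phrase' if quoted else 'sym' if sym else 'kw' if word.lower() in ('and', 'or', 'not') else 'word'
        tokens.append((kind, quoted[1:-1] if quoted else sym or (word.lower() if kind == 'kw' else word)))
    return tokens

class Parser:  # or_expr := and_expr ('or' and_expr)*; and_expr := primary ('and' primary)*
    def __init__(self, text):
        self.toks = deque(tokenize(text) + [('eof', '')])
    def parse(self):
        node = self.or_expr(None)
        if self.toks[0][0] != 'eof':
            raise ValueError(f"unexpected {self.toks[0][1]!r}: join terms with and/or")
        return node
    def or_expr(self, field):
        return self.chain('or', lambda f: self.chain('and', self.primary, f), field)
    def chain(self, kw, sub, field):  # left-associative operator at one precedence level
        node = sub(field)
        while self.toks[0] == ('kw', kw):
            self.toks.popleft()
            node = (kw, node, sub(field))
        return node
    def primary(self, field):  # 'not' primary | '(' or_expr ')' | field ':' primary | term
        kind, val = self.toks.popleft()
        if (kind, val) == ('kw', 'not'):  # not binds tighter than and/or
            return ('not', self.primary(field))
        if (kind, val) == ('sym', '('):  # grouping, or the value list in field:(a or b)
            node = self.or_expr(field)
            if self.toks.popleft() != ('sym', ')'):
                raise ValueError("missing ')'")
            return node
        if kind not in ('word', 'phrase'):
            raise ValueError(f"unexpected {val!r}")
        if field is None and kind == 'word' and self.toks[0] == ('sym', ':'):  # field:value
            self.toks.popleft()
            return self.primary(val)
        if field is None and kind == 'word' and self.toks[0][0] == 'sym' and self.toks[0][1] in RANGE_OPS:
            return ('range', val, self.toks.popleft()[1], float(self.toks.popleft()[1]))  # bytes > 1000
        while kind == 'word' and field is not None and self.toks[0][0] == 'word':  # unquoted multi-word value
            val += ' ' + self.toks.popleft()[1]
        return (kind if kind == 'phrase' else 'term', field, val)

def _values(doc, pattern):  # values of every field whose name matches (None = all fields); lists flatten
    return [x for name, v in doc.items() if pattern is None or fnmatch.fnmatchcase(name, pattern)
            for x in (v if isinstance(v, list) else [v])]

def _tokens(value):  # stand-in for a text analyzer: lower-case, split on non-word characters
    return re.findall(r'\w+', str(value).lower())

def evaluate(node, doc):
    op = node[0]
    if op == 'and':
        return evaluate(node[1], doc) and evaluate(node[2], doc)
    if op == 'or':
        return evaluate(node[1], doc) or evaluate(node[2], doc)
    if op == 'not':
        return not evaluate(node[1], doc)
    if op == 'range':  # numeric comparison; a missing field never matches
        return any(RANGE_OPS[node[2]](float(v), node[3]) for v in _values(doc, node[1]))
    _, field, value = node
    if value == '*':  # exists query: the field is present with any value
        return bool(_values(doc, field))
    want = _tokens(value)
    for have in map(_tokens, _values(doc, field)):  # any value of a multi-value field may match
        if op == 'phrase':  # quoted: tokens contiguous and in order
            hit = any(have[i:i + len(want)] == want for i in range(len(have) - len(want) + 1))
        elif '*' in value or '?' in value:  # wildcard matched against each analyzed token
            hit = any(fnmatch.fnmatchcase(t, value.lower()) for t in have)
        else:  # unquoted: every token present, in any order
            hit = all(t in have for t in want)
        if hit:
            return True
    return False

def search(query, docs):  # ids of the documents matching a KQL query; ValueError on a syntax error
    ast = Parser(query).parse()
    return [d["id"] for d in docs if evaluate(ast, d)]

DOCS = [  # constructed sample web-server log documents
    {"id": 1, "response": 200, "extension": "php", "bytes": 1500, "machine.os": "windows 10",
     "message": "quick brown fox", "tags": ["success", "info"]},
    {"id": 2, "response": 404, "extension": "css", "bytes": 300, "machine.os": "windows 7",
     "message": "quick fox brown", "tags": ["error"]},
    {"id": 3, "response": 200, "extension": "html", "bytes": 50, "machine.os": "win xp",
     "message": "fox", "tags": ["success", "info", "security"]},
    {"id": 4, "extension": "php", "bytes": 10, "message": "quick brown fox jumps"},
]
```

With these documents, search("response:200 and extension:php or extension:css", DOCS) returns [1, 2] while the grouped form search("response:200 and (extension:php or extension:css)", DOCS) returns [1]; search('message:"quick brown fox"', DOCS) returns [1, 4] but the unquoted search("message:quick brown fox", DOCS) also admits document 2 ("quick fox brown"); and search("response:200 extension:php", DOCS) raises ValueError because, as the section says, terms are no longer split on whitespace.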

Lucene Query Syntax

Official documentation

Kibana’s legacy query language was based on the Lucene query syntax. For the time being this syntax is still available under the options menu in the Query Bar and in Advanced Settings.

The following are some tips that can help get you started.

  • To perform a free text search, simply enter a text string. For example, if you’re searching web server logs, you could enter safari to search all fields for the term safari.
  • To search for a value in a specific field, prefix the value with the name of the field. For example, you could enter status:200 to find all of the entries that contain the value 200 in the status field.
  • To search for a range of values, you can use the bracketed range syntax, [START_VALUE TO END_VALUE]. For example, to find entries that have 4xx status codes, you could enter status:[400 TO 499].
  • To specify more complex search criteria, you can use the Boolean operators AND, OR, and NOT. For example, to find entries that have 4xx status codes and have an extension of php or html, you could enter status:[400 TO 499] AND (extension:php OR extension:html).

For more detailed information about the Lucene query syntax, see the Query String Query docs.

These examples use the Lucene query syntax. When lucene is selected as your query language you can also submit queries using the Elasticsearch Query DSL.
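The bracketed range syntax from the tips above, together with the note that a Lucene-mode query can also be submitted as Elasticsearch Query DSL, as an added example that is not part of the original page and not Kibana's or Elasticsearch's code: a translator from a Lucene range clause to the Query DSL range clause it stands for, plus the page's 4xx example written out as an explicit bool query. It goes a little beyond the page's [START_VALUE TO END_VALUE] form by also handling Lucene's exclusive {min TO max} brackets and a * open end. The field names and values are the page's own; the choice of match clauses for extension and of filter context (no scoring) is an assumption about the index mapping and the use case.

```python
"""Translate a Lucene bracketed range clause (field:[min TO max]) into the Elasticsearch Query
DSL range clause it stands for. Added illustration, not Kibana's or Elasticsearch's own code."""
import json
import re

# field:[lo TO hi] or field:{lo TO hi}; square brackets are inclusive, curly brackets exclusive
RANGE_RE = re.compile(r'^(?P<field>[\w.@-]+):(?P<lo_br>[\[{])\s*(?P<lo>\S+)\s+TO\s+(?P<hi>\S+)\s*(?P<hi_br>[\]}])$')


def _bound(text):
    """'*' means unbounded; integers and floats become numbers; anything else (e.g. a date) stays text."""
    if text == '*':
        return None
    try:
        return int(text) if re.fullmatch(r'-?\d+', text) else float(text)
    except ValueError:
        return text


def lucene_range_to_dsl(clause):
    """status:[400 TO 499] -> {"range": {"status": {"gte": 400, "lte": 499}}}"""
    m = RANGE_RE.match(clause.strip())
    if not m:
        raise ValueError(f"not a Lucene range clause: {clause!r}")
    bounds = {}
    lo, hi = _bound(m['lo']), _bound(m['hi'])
    if lo is not None:
        bounds['gte' if m['lo_br'] == '[' else 'gt'] = lo
    if hi is not None:
        bounds['lte' if m['hi_br'] == ']' else 'lt'] = hi
    return {"range": {m['field']: bounds}}


def query_string_dsl(lucene):
    """The Lucene text submitted unchanged, wrapped in the Query DSL query_string clause."""
    return {"query": {"query_string": {"query": lucene}}}


def page_example_dsl():
    """status:[400 TO 499] AND (extension:php OR extension:html) as an explicit bool query.
    Filter context is an assumption: these are yes/no conditions, so no scoring is needed."""
    return {"query": {"bool": {"filter": [
        lucene_range_to_dsl("status:[400 TO 499]"),
        {"bool": {"should": [{"match": {"extension": "php"}}, {"match": {"extension": "html"}}],
                  "minimum_should_match": 1}},
    ]}}}


if __name__ == "__main__":
    print(json.dumps(page_example_dsl(), indent=2))
```

lucene_range_to_dsl("bytes:{1000 TO *}") yields {"range": {"bytes": {"gt": 1000}}}, and a clause such as status:[400 TO] that the regex does not recognise raises ValueError rather than producing a half-built query.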

Original source: https://www.cnblogs.com/panpanwelcome/p/11281792.html

Time: 2024-10-25 15:37:14
