SurendraTamang/kql-syntax-notes
🧠 Kibana Query Language (KQL) Cheat Sheet

KQL (Kibana Query Language) is a powerful and user-friendly query syntax for searching and filtering logs and events in Kibana. This cheat sheet covers the most common syntax patterns you'll use.


🔹 1. Basic Query

KQL uses the field:value format.

Examples:

status:200
user.name:"john"
geo.country_name:"Germany"

Use quotes for values with spaces or special characters.


🔹 2. Logical Operators

You can combine multiple conditions with the logical operators and, or and not. KQL accepts them in any case (and, AND, And all work); this sheet writes them uppercase for readability.

  • AND — both conditions must be true
  • OR — at least one must be true
  • NOT — exclude a condition

Examples:

status:404 AND extension:"jpg"
status:200 OR status:201
NOT geo.country_name:"Germany"

You can also chain more than two conditions with the same operator:

status:404 OR status:500 OR status:503

🔹 3. Wildcards

Use * to do partial matches. It matches any number of characters (including none) and is the only wildcard KQL supports; the single-character wildcard ? belongs to Lucene syntax, and KQL treats it as a literal character.

Examples:

user.name.keyword:jo*
extension:jp*
url.path.keyword:/products/*

Note: On a keyword (un-analyzed) field the pattern is matched against the whole stored value, so prefer .keyword fields when you want predictable results. On an analyzed text field it is matched against the individual tokens the analyzer produced. A leading wildcard (*example.com*) has to scan every term in the field and is slow on large indices.


🔹 4. Range Queries

You can filter numeric and date fields with the comparison operators >, >=, < and <=. A closed range is two comparisons joined with and; the bracket form field:[a TO b] is Lucene syntax and is not valid KQL.

Numeric Ranges:

bytes > 1000
status >= 200 AND status <= 299
response_time >= 500

Date Ranges:

@timestamp > "2024-01-01T00:00:00Z"
@timestamp >= now-7d AND @timestamp <= now

Date values can be absolute (quoted ISO 8601) or date math such as now-7d and now-1h. The time picker in the Kibana UI is applied on top of whatever you type, so use it for the overall window and query ranges for finer cuts.


🔹 5. Field Existence

Check whether a field exists (has any value) by matching it against a bare wildcard:

field_name:*
NOT field_name:*

Examples:

response_time:*
NOT parsed.URL:*

Note: _exists_:field_name is Lucene syntax; the KQL parser rejects it.

🔹 6. Grouping Conditions

Use parentheses to group expressions and control evaluation order.

Example:

(status:404 OR status:500) AND extension:"html"

Without parentheses KQL applies its fixed precedence: NOT binds tightest, then AND, then OR. So status:404 OR status:500 AND extension:"html" is read as status:404 OR (status:500 AND extension:"html"), which also returns every 404 regardless of extension. When a query mixes operators, add the parentheses even where the default would be right; it makes the intent visible to whoever reviews the detection rule later.
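To see the rules from sections 1 to 6 applied to real data without a Kibana instance, here is an added example (not part of this cheat sheet or of Kibana) that evaluates a small KQL subset over constructed sample events: field:value terms, AND/OR/NOT with the documented precedence (NOT over AND over OR), parentheses, the * wildcard, comparison ranges and the field:* existence test. The matching model is deliberately simplified and is this example's assumption, not Elasticsearch's implementation: a field ending in .keyword is compared against the whole value, case-sensitively, while any other string field is split into lowercase word tokens the way the standard analyzer would. The events, field names and function names (tokenize, Parser, search) are all constructed for this example.

```python
import re

# Constructed sample events, with flattened field names as shown in Discover's document table.
EVENTS = [
    {"id": 1, "status": 404, "extension": "html", "user.name": "john smith", "response_time": 120},
    {"id": 2, "status": 500, "extension": "html", "user.name": "Alice Smith", "response_time": 900},
    {"id": 3, "status": 404, "extension": "jpg", "user.name": "joe"},
    {"id": 4, "status": 200, "extension": "html", "user.name": "Alice Smith", "response_time": 50},
]

# One token per match: parenthesis, comparison operator, ':', a quoted string, or a bare word.
TOKEN_RE = re.compile(r'\s*(\(|\)|>=|<=|>|<|:|"(?:\\.|[^"\\])*"|[^\s():<>"]+)')


def tokenize(query):
    query, pos, tokens = query.strip(), 0, []
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot tokenize {query[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    # Recursive descent over the documented precedence: not binds tighter than and, and tighter than or.
    def __init__(self, query):
        self.toks, self.i = tokenize(query), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while (self.peek() or "").lower() == "or":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.not_expr()
        while (self.peek() or "").lower() == "and":
            self.take()
            node = ("and", node, self.not_expr())
        return node

    def not_expr(self):
        if (self.peek() or "").lower() == "not":
            self.take()
            return ("not", self.not_expr())
        if self.peek() == "(":
            self.take()
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        field, op, value = self.take(), self.take(), self.take()
        if op not in (":", ">", "<", ">=", "<=") or value is None:
            raise ValueError(f"malformed clause near {field!r}")
        if value.startswith('"'):  # quoted value: strip the quotes, undo backslash escapes
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        return ("cmp", field, op, value)


def glob(pattern, text):
    # '*' is the only KQL wildcard; every other character of the pattern is literal.
    return re.fullmatch(".*".join(re.escape(p) for p in pattern.split("*")), text) is not None


def clause_matches(event, field, op, value):
    exact = field.endswith(".keyword")        # assumption: text field with a .keyword sub-field
    raw = event.get(field[:-8] if exact else field)
    if raw is None:                           # a missing field never matches, not even under > or <
        return False
    if op != ":":                             # range clause: numeric comparison
        n = float(value)
        return {">": raw > n, "<": raw < n, ">=": raw >= n, "<=": raw <= n}[op]
    if value == "*":                          # field:* is the KQL existence test
        return True
    if isinstance(raw, (int, float)):
        return str(raw) == value
    if exact:                                 # keyword: whole value, case-sensitive
        return glob(value, raw)
    tokens = re.findall(r"\w+", raw.lower())  # analyzed text: lowercase tokens (standard analyzer model)
    needle = value.lower()
    if " " in needle:                         # quoted phrase: the tokens must appear in order
        return f" {needle} " in f" {' '.join(tokens)} "
    return any(glob(needle, tok) for tok in tokens)


def evaluate(node, event):
    kind = node[0]
    if kind == "or":
        return evaluate(node[1], event) or evaluate(node[2], event)
    if kind == "and":
        return evaluate(node[1], event) and evaluate(node[2], event)
    if kind == "not":
        return not evaluate(node[1], event)
    return clause_matches(event, *node[1:])


def search(query, events=EVENTS):
    """Return the ids of the events the KQL query matches, in input order."""
    tree = Parser(query).parse()
    return [e["id"] for e in events if evaluate(tree, e)]
```

Running search('status:404 or status:500 and extension:"html"') returns [1, 2, 3] while the parenthesized form returns [1, 2], which is the precedence trap from section 6; search('user.name:smith') matches all three Smiths but search('user.name.keyword:smith') matches nothing, because the keyword comparison sees the whole string. Feeding the Lucene forms (status:[200 TO 299], _exists_:field) to this parser fails the same way the Kibana search bar does.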


🔹 7. Escaping Special Characters

Outside quotes, characters that have meaning to the KQL parser, such as \ ( ) : < > " and *, must be escaped with a backslash. Inside a quoted string everything is literal except " and \, which are escaped the same way. A forward slash is not special in KQL and never needs escaping.

Examples:

url:"https://example.com/home"
url:https\://example.com/home

Prefer quoting over escaping: it reads better, and it is the safe way to insert a value you did not type yourself (a username or URL taken from another system). An unescaped " or ) inside such a value terminates the literal early and changes the meaning of the rest of the query.


🔹 8. Exact Match Using .keyword Fields

For exact string matching, use .keyword fields. These are un-analyzed: the whole value is stored as a single term, case and spaces included, so a query matches only the complete, exact string.

Examples:

user.name.keyword:"Alice Smith"
parsed.URL.keyword:*example.com*
logLevel.keyword:"ERROR"

Without .keyword, a text field is analyzed (split into lowercase tokens), so user.name:"Alice Smith" is a phrase match over tokens and user.name:alice also matches "Alice Smith" and "Alice Jones". A .keyword sub-field only exists where the index mapping defines one (Elasticsearch's default dynamic mapping adds it for every string field); check the field list in Discover or the index mapping if a .keyword query returns nothing.
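Sections 7 and 8 matter most when a query is assembled by code rather than typed: a saved search, a detection rule or a Discover link built from a username, host or URL that came from another system. The following is an added example (not part of this cheat sheet or of Kibana) of a small set of helpers that apply the quoting rule (inside quotes only " and \ need a backslash), validate field names, force numeric range bounds and parenthesize every group. The function names (kql_quote, kql_term, kql_range, kql_group, kql_not), the field-name pattern and the hostile input are this example's own assumptions.

```python
import re

# Assumption for this example: the only field names we will ever interpolate look like this.
FIELD_RE = re.compile(r"^[A-Za-z0-9_.@-]+$")


def kql_field(name):
    """Field names cannot be quoted in KQL, so refuse anything but a plain dotted name."""
    if not FIELD_RE.match(name):
        raise ValueError(f"unsafe field name {name!r}")
    return name


def kql_quote(value):
    """Return value as a KQL quoted string; inside quotes only backslash and double quote are special."""
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def kql_term(field, value, exact=False):
    """field:"value"; exact=True switches to the .keyword sub-field for whole-string matching."""
    name = kql_field(field)
    if exact and not name.endswith(".keyword"):
        name += ".keyword"
    return f"{name}:{kql_quote(value)}"


def kql_range(field, op, bound):
    """field op bound; the bound must be a real number, never a string that could smuggle syntax."""
    if op not in (">", ">=", "<", "<="):
        raise ValueError(f"unsupported operator {op!r}")
    if isinstance(bound, bool) or not isinstance(bound, (int, float)):
        raise TypeError("range bound must be numeric")
    return f"{kql_field(field)} {op} {bound}"


def kql_group(op, *clauses):
    """Join clauses with and/or inside parentheses so precedence never depends on the caller."""
    if op not in ("and", "or") or not clauses:
        raise ValueError("kql_group needs 'and' or 'or' and at least one clause")
    return "(" + f" {op} ".join(clauses) + ")"


def kql_not(clause):
    return f"not {clause}"


# Constructed attacker-controlled input: it tries to close the quotes and widen the query.
HOSTILE_NAME = 'alice" or user.role:"admin'

# Naive string formatting lets the input rewrite the query: it now matches every admin.
NAIVE = f'user.name:"{HOSTILE_NAME}"'

# Quoting keeps the whole input as one literal on the .keyword field; it matches nothing unexpected.
SAFE = kql_term("user.name", HOSTILE_NAME, exact=True)
```

NAIVE expands to user.name:"alice" or user.role:"admin", a valid query that returns every admin's events; SAFE expands to user.name.keyword:"alice\" or user.role:\"admin", which is a single literal that no real user name will match. Because kql_group always emits parentheses, a caller combining kql_group("or", ...) with an and clause gets the grouping from section 6 without having to remember the precedence rule.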


🧪 Practice Queries

Here are some useful examples you can try:

1. Logs with status code 500 and above:

status >= 500

2. Documents whose URL contains a given domain (leading wildcard, so slow on large indices):

parsed.URL.keyword:*nexxt.com*

3. Documents where response_time is missing:

NOT _exists_:response_time

4. All logs related to admin users:

user.role:"admin"

5. Events in the last 24 hours with errors:

@timestamp > now-24h AND logLevel.keyword:"ERROR"

✅ KQL Tips

  • Field names are case-sensitive (User.Name is not user.name); the operators and, or and not are not. Whether a value matches case-insensitively depends on the field: an analyzed text field is normally lowercased by its analyzer, so status:"error" and status:"ERROR" behave the same, while a .keyword field is compared exactly.
  • Use .keyword fields when matching exact strings.
  • KQL does not support regular expressions, fuzzy or proximity searches, the ? wildcard, [a TO b] ranges or _exists_ — all of these are Lucene syntax. If you need them, switch the search bar from KQL to Lucene query syntax.
  • The time filter in the Kibana UI always applies on top of your query — set it to the appropriate range (Last 15 minutes, Last 7 days, Last year, etc.) before concluding that a query returns nothing.
  • If you don’t know the exact field name, use Kibana’s field list on the left sidebar or start typing — it auto-suggests field names and, for keyword fields, values.

Happy querying! 🚀

About

Notes and cheatsheets for Kibana Query
