
We have discussed at length how to query Elasticsearch with curl. Now we show how to do that with Kibana.

You can follow this blog post to populate your ES server with some data.

Using JSON
JSON queries (the query DSL) are what we use with curl, and you can use them in Kibana too, in Lucene mode. They do not work there for aggregations, nested queries and some other query types; the search bar only accepts a query object.

When you use JSON in Kibana, the difference is that you pass in only the query object, without the surrounding "query" key. So for this curl query:

{"query":{"match":{"geoip.country_name":"Luxembourg"}}}

You would paste only this portion into Kibana:

{"match":{"geoip.country_name":"Luxembourg"}}

Entering Queries in Kibana
In the Discover tab in Kibana, paste in the text above, after first changing the query language from KQL to Lucene and making sure you have selected the logstash* index pattern. We discuss the Kibana Query Language (KQL) below.

If you forget to change the query language from KQL to Lucene, KQL tries to parse the JSON as a KQL expression and Kibana gives you this error:

Discover: input.charAt is not a function. (In 'input.charAt(peg$currPos)', 'input.charAt' is undefined)

The easiest way to enter a JSON DSL query is to use the query editor, since it creates the query object for you.

Save the query, giving it a name, so you can reuse it later.

Kibana Query Language (KQL) versus Lucene
You can use KQL or Lucene in Kibana. For simple field:value searches they look the same. KQL simplifies the syntax (case-insensitive boolean operators, ranges written with >= and <=) and can query scripted fields, which Lucene mode cannot.

Here are some common queries and how you do them in each query language.

KQL: request:"/wordpress/"
Lucene: request:"/wordpress/"
The colon (:) means equals. Quotes enclose a phrase, i.e. a sequence of words that must appear together in that order.

KQL: request:/wordpress/
Lucene: request:/wordpress/
You don't need quotes for one word. Caveat for Lucene: a value between forward slashes is parsed as a regular expression, so in Lucene request:/wordpress/ is a regexp query for the token wordpress rather than a search for the literal string /wordpress/; quote the value if you mean the literal path.

KQL: request:/wordpress/ and response:404
Lucene: request:/wordpress/ AND response:404
In KQL you have to write the boolean operator explicitly, in any case. In Lucene the operator must be written in capital letters; a lowercase "and" is not recognized as an operator but is treated as a search term.

KQL: wordpress
Lucene: wordpress
Matches the text (wordpress in this example) anywhere in the document, not in a specific field.

KQL: 200 or 404
Lucene: 200 404
Lucene treats separate terms as alternatives by default. Adding a lowercase "or" to the Lucene query would also match documents containing the string "or", so leave it off or write OR in capitals.

KQL: 200 and 404
Lucene: 200 AND 404
Use uppercase logical operators with Lucene.

KQL: geoip.country_name:"Luxembourg"
Lucene: {"match":{"geoip.country_name":"Luxembourg"}}
In Lucene mode Kibana also accepts the JSON DSL query object, as illustrated above.

KQL: response >= 200 and response <= 404
Lucene: response:[200 TO 404]
Range query.

KQL: kilobytes > 1
Lucene: not supported
kilobytes is a scripted field defined on the index pattern with this Painless script; KQL can filter on scripted fields, Lucene mode cannot:

// A document without a bytes field would otherwise throw on .value, so treat it as 0.
if (doc['bytes'].size() == 0) {
    return 0;
}
return doc['bytes'].value / 1024;
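To connect the JSON section with the table above, here is an added Python example (my code, not code from the original post) that builds, for the table's rows, the request body that curl would send to the Elasticsearch _search API, and renders the curl command. It assumes a local Elasticsearch at localhost:9200 and the logstash-* index pattern; the match_phrase and script-filter forms are hand-written DSL equivalents, not a copy of Kibana's own KQL compiler. The kilobytes row goes one step beyond the table: Lucene mode cannot query the scripted field, but raw DSL can run the same Painless expression as a script filter.

```python
import json
import re
import shlex

# Assumptions (not from the original post): a local Elasticsearch and the
# logstash-* index pattern the post selects in Kibana.
ES_URL = "http://localhost:9200"
INDEX = "logstash-*"


def kibana_to_curl_body(query_object: dict) -> dict:
    """Kibana's Lucene-mode box takes only the inner query object; the _search
    API that curl talks to needs that same object wrapped under "query"."""
    return {"query": query_object}


def lucene_body(lucene_query: str) -> dict:
    """A Lucene query string as _search accepts it: a query_string query.
    Operators in the string must already be uppercase (AND/OR/NOT)."""
    return {"query": {"query_string": {"query": lucene_query}}}


# Either a double-quoted phrase (group 1, left untouched) or a bare operator (group 2).
_OPERATOR_OR_QUOTED = re.compile(r'("[^"]*")|\b(and|or|not)\b', re.IGNORECASE)


def kql_operators_to_lucene(kql: str) -> str:
    """Uppercase the boolean operators that KQL accepts in any case, leaving quoted
    phrases alone, so Lucene sees operators instead of search terms.
    KQL range syntax (>=, <=) is not translated here; use range_body for that."""
    def fix(match):
        return match.group(1) if match.group(1) else match.group(2).upper()
    return _OPERATOR_OR_QUOTED.sub(fix, kql)


def field_equals_dsl(clauses: dict) -> dict:
    """'f1:v1 and f2:v2' written by hand as DSL: one match_phrase per field,
    all required (bool/must). Hand translation, not Kibana's KQL compiler."""
    return {"query": {"bool": {"must": [{"match_phrase": {f: v}} for f, v in clauses.items()]}}}


def range_body(field: str, gte, lte) -> dict:
    """KQL 'field >= a and field <= b' / Lucene 'field:[a TO b]' as a range query."""
    return {"query": {"range": {field: {"gte": gte, "lte": lte}}}}


def scripted_kilobytes_filter(min_kb: float) -> dict:
    """The post's 'kilobytes > 1' scripted-field query has no Lucene form, but raw DSL
    can evaluate the same Painless expression at search time as a script filter.
    The size() guard keeps documents without a bytes field from raising an error."""
    source = "doc['bytes'].size() != 0 && doc['bytes'].value / 1024 > params.min_kb"
    return {"query": {"bool": {"filter": [{"script": {"script": {
        "lang": "painless", "source": source, "params": {"min_kb": min_kb}}}}]}}}


def curl_command(body: dict, es_url: str = ES_URL, index: str = INDEX) -> str:
    """Render the curl invocation. shlex.quote matters: the Painless script above
    contains single quotes, which would break a naive '...' wrapper around the JSON."""
    data = shlex.quote(json.dumps(body))
    url = shlex.quote(f"{es_url}/{index}/_search")
    return f"curl -s -H 'Content-Type: application/json' -XGET {url} -d {data}"


if __name__ == "__main__":
    print(curl_command(kibana_to_curl_body({"match": {"geoip.country_name": "Luxembourg"}})))
    print(curl_command(lucene_body(kql_operators_to_lucene("request:/wordpress/ and response:404"))))
    print(curl_command(field_equals_dsl({"request": "/wordpress/", "response": 404})))
    print(curl_command(range_body("response", 200, 404)))
    print(curl_command(scripted_kilobytes_filter(1)))
```

Run it and paste any printed command into a shell against your own Elasticsearch; the bodies are exactly what Kibana's search bar saves you from typing, and the last one is the only way to get the kilobytes filter out of Lucene mode.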

Last updated: 07/18/2019

These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.


About the author

Walker Rowe

Walker Rowe is a freelance tech writer and programmer. He specializes in big data, analytics, and programming languages. Find him on LinkedIn or Upwork.