Elasticsearch query string/Lucene query

This option lets you run queries, from simple to complex, that follow the Lucene query syntax. In the query bar, KQL is the default query language. Disable it as shown in the following screenshot; once it is disabled, the language indicator in the query bar changes from KQL to Lucene, as follows:

Let's see some examples:

Free text search: To search for text present in any of the fields, simply enter a text string in the query bar:

When you enter a group of words to search for, a document is included in the search result as long as it contains any of the words, or all or part of them, in any order.

If you want an exact phrase search, that is, the documents should contain all the words given in the search criteria and in the same order, surround the phrase with quotes. For example, "file logstash" or "files logstash".

Field search: To search for values against a specific field, use the syntax field: value:

Boolean search: You can make use of Boolean operators such as AND, OR, and - (Must Not match) to build complex queries. Using Boolean operators, you can combine the field: value and free text as well.

Must Not match: The following is a screenshot of a Must Not operator with a field:

The following is an example of a Must Not operator with free text:

There should be no space between the - operator and the search text/field.

Grouping searches: Building complex queries often requires grouping the search criteria. Grouping is supported both by field and by value, as shown in the following screenshot:

Range search: This allows you to search within a range of values. Inclusive ranges are specified with square brackets, for example [START_VALUE TO END_VALUE], and exclusive ranges with curly brackets, for example {START_VALUE TO END_VALUE}. Ranges can be specified for dates and for numeric or string fields, as follows:

The TO operator is case-sensitive and its range values should be numeric values.

Wildcard and regex search: Queries can use the * and ? wildcards in the search text; * denotes zero or more matches and ? denotes zero or one match, as shown in the following screenshot:

Wildcard searches can be computationally expensive. It is always preferable to add a wildcard as a suffix rather than a prefix of the search text.

Like wildcards, regex queries are supported too. By using slashes (/) and square brackets ([]), regex patterns can be specified. But be cautious when using regex queries, as they are very computationally expensive.
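To make the behaviour of the syntax above concrete without a running cluster, the following Python evaluates a small subset of it (free text, field:value, quoted phrases, the - Must Not operator, AND, inclusive and exclusive numeric ranges, and * / ? wildcards) against a handful of documents. This is an added example, not code from the book or from Kibana; the documents, field names and hosts are constructed, and a bare query language like this is only an approximation of what Elasticsearch does.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample hits standing in for log documents in Elasticsearch.
DOCS = [
    {"host": "web01", "status": 200, "message": "logstash pipeline started"},
    {"host": "web02", "status": 404, "message": "file not found"},
    {"host": "db01", "status": 500, "message": "logstash file error"},
]

# One clause: optional '-' (Must Not), optional 'field:', then a quoted phrase,
# a [..]/{..} range, or a bare term that may contain the * and ? wildcards.
CLAUSE = re.compile(r'(-?)(?:([\w.@]+):)?("[^"]*"|[\[{][^\]}]*[\]}]|\S+)')

def clause_matches(doc, field, body):
    """True if the chosen field (or, with no field, any field) of doc satisfies one clause."""
    values = list(doc.values()) if not field else ([doc[field]] if field in doc else [])
    for v in values:
        text = str(v).lower()
        if body[0] == '"':                 # exact phrase: all the words, same order
            if body.strip('"').lower() in text:
                return True
        elif body[0] in '[{':              # range: [..] inclusive, {..} exclusive
            lo, hi = (float(x) for x in body[1:-1].split(' TO '))  # TO is case-sensitive
            try:
                val = float(text)
            except ValueError:
                continue                   # non-numeric field value: cannot fall in a range
            if (lo <= val <= hi) if body[0] == '[' else (lo < val < hi):
                return True
        elif any(fnmatchcase(w, body.lower()) for w in text.split()):
            return True                    # term: * = any run of chars, ? = exactly one char
    return False

def search(query, docs=DOCS):
    """-x must not match; 'a AND b' requires both; otherwise one optional clause must match."""
    required, optional, prohibited, after_and = [], [], [], False
    for neg, field, body in CLAUSE.findall(query):
        if not neg and not field and body in ("AND", "OR"):
            after_and = body == "AND"
            if after_and and optional:     # AND also promotes the clause before it
                required.append(optional.pop())
            continue
        (prohibited if neg else required if after_and else optional).append((field, body))
        after_and = False
    def hit(d):
        return (all(clause_matches(d, *c) for c in required)
                and not any(clause_matches(d, *c) for c in prohibited)
                and (required or not optional or any(clause_matches(d, *c) for c in optional)))
    return [d["host"] for d in docs if hit(d)]
```

Note that search('- host:db01') returns ['db01']: with a space after the -, the operator becomes a harmless literal term and host:db01 turns into a positive match, which is the trap the Must Not caveat above warns about.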
