Menu
Kibana ver >= 7.0 offers KQL by default for the search dropdown but also supports what seems to be old Lucene syntax. Often it complains annoyingly that "You might be using Lucene but KQL is selected" when trying to search. Going to the suggested links:
I don't see any differences. What are the key differences between them? Can someone give query examples highlighting these differences?
505
Kibana Query Languageedit. The Kibana Query Language (KQL) is a simple syntax for filtering Elasticsearch data using free text search or field-based search. KQL is only used for filtering data, and has no role in sorting or aggregating the data. KQL is able to suggest field names, values, and operators as you type.
Lucene is a query language that can be used to filter messages in your PhishER inbox. A query written in Lucene can be broken down into three parts: Field The ID or name of a specific container of information in a database. If a field is referenced in a query string, a colon ( : ) must follow the field name.
Elasticsearch provides a full Query DSL (Domain Specific Language) based on JSON to define queries.
To use the Lucene syntax, open the Saved query menu, and then select Language: KQL > Lucene. To search for a range of values, use the bracketed range syntax, [START_VALUE TO END_VALUE] . For example, to find entries that have 4xx status codes, you could enter status:[400 TO 499] .
The current documentation for KQL and Lucene query syntax shows the syntax of both for various types of queries. I will summarize the main differences:
It seems that KQL enables getting suggestions for fields, values and operators as you type your query, while this feature is not present when using Lucene. (This feature requires the “Basic Tier” or above.)
To find content where count is greater than or equal to 5: the KQL syntax is count:>=5, while the Lucene syntax is count:[5 TO *].
To find content where account_number is greater than or equal to 100, but less than 200: the KQL syntax is account_number:>=100 and account_number:<200, while the Lucene syntax is account_number:[100 TO 200}.
The KQL documentation outlines the Boolean operators or, and and not. The upper case versions (OR, AND and NOT) also work. The documentation specifies that and has a higher precedence over or, which is the usual operator precedence rule.
The Lucene documentation specifies the following:
The preferred operators are
+(this term must be present) and-(this term must not be present).
For example, brown +fox -news specifies that brown is optional, fox must be present, and news must not be present.
Lucene also supports AND, OR and NOT, but only in uppercase. So, if you try using and, it will be taken as the literal word. Also, Lucene supports &&, || and !. However, the documentation states that all of these operators do not honor the usual operator precedence rules, and advises the use of parentheses whenever multiple operators are used together.
To find documents that contain the field response: the KQL syntax is response:*, and the Lucene syntax is _exists_:response (response:* also works in Lucene, but the behavior if the value of the field is an empty string might be different).
For KQL, the documentation only mentions the * wildcard, which matches zero or more characters. There is no mention of ?, so I assume it does not exist. In Lucene, ? exists and matches a single character.
In KQL, escaping the wildcard character is never necessary when using it as a wildcard, so we can have something like book.*:(quick or brown). In Lucene, it seems that the wildcard needs to be escaped when used as part of the field name. The example given is book.\*:(quick OR brown).
The syntax for nested queries seems to be different as per the documentations.
The KQL documentation does not mention regular expressions, fuzzy search, nor boosting; so they are probably not supported. Lucene supports them.
171
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
