Kibana Query Language (KQL) Reference¶

The Kibana Query Language (KQL) is a simple text-based query language for filtering data in Kibana. You can use KQL to search for logs by message, by field, or by a combination of both.

Operators¶

Operator	Description
`: *`	The `: ` operator is used to search for logs where field exists. For example, `message: ` searches for logs with a message.
`:`	The `:` operator is used to search for logs by field. For example, `message: "my message"` searches for logs with the message "my message".
`>`, `<`	The `>` and `<` operators are used to search for logs with a field value greater than or less than a specified value. For example, `level: >"ERROR"` searches for logs with a level greater than "ERROR".
`AND`	The `AND` operator is used to combine multiple conditions. For example, `message: "my message" AND level: "ERROR"` searches for logs with the message "my message" and the level "ERROR".
`OR`	The `OR` operator is used to combine multiple conditions. For example, `message: "my message" OR level: "ERROR"` searches for logs with the message "my message" or the level "ERROR".
`NOT`	The `NOT` operator is used to negate a condition. For example, `message: "my message" AND NOT level: "ERROR"` searches for logs with the message "my message" and not the level "ERROR".

Common fields¶

The following fields are common to all logs and can be used in your KQL query:

@timestamp - The timestamp of the log event.
application - The application the log event originated from.
cluster - The cluster the log event originated from.
container - The container the log event originated from.
host - The host the log event originated from.
level - The log level of the log event.
message - The log message itself.
namespace - The namespace the log event originated from.
pod - The pod the log event originated from.
team - The team who owns the application the log event originated from.

Example queries¶

Query	Description
`message: "my message"`	Search for logs with the message "my message"
`message: "my message" AND level: "ERROR"`	Search for logs with the message "my message" and the level "ERROR"
`message: "my message" OR level: "ERROR"`	Search for logs with the message "my message" or the level "ERROR"
`message: "my message" AND NOT level: "ERROR"`	Search for logs with the message "my message" and not the level "ERROR"
`message: "my message" AND level: "ERROR" AND NOT level: "WARN"`	Search for logs with the message "my message" and the level "ERROR" and not the level "WARN"
`message: "my message" AND level: "ERROR" OR level: "WARN"`	Search for logs with the message "my message" and the level "ERROR" or the level "WARN"