Elasticsearch & Kibana v8 Search Cheat Sheet

Kibana Query Language (KQL)

Task | Query |
---|---|
Find NGINX error log entries | event.dataset:*error |
Return results for IP1 or IP2 using Free Text Search | `event.dataset : nginx.error and (46.231.239.5 |
Find entries that don't specify a user agent | NOT user_agent.name : * |
Find HTTP status codes that are not successful\* | http.response.status_code > 299 |

\* HTTP response code classes:
- Informational responses: 100 – 199
- Successful responses: 200 – 299
- Redirection messages: 300 – 399
- Client error responses: 400 – 499
- Server error responses: 500 – 599

Task | Query |
---|---|
Get all NGINX connections that have an HTTP status code between 500 and 599 and originate in a specific country | source.geo.country_iso_code: RU and http.response.status_code >= 500 |
Get all NGINX connections that originated from one of two countries | source.geo.country_iso_code: RU or source.geo.country_iso_code: CN |
Find Zabbix agent health-check requests | source.ip : 127.0.0.1 and traefik.access.user_agent.original : Zabbix 6.0.0beta2 |
Search for a source by IP address | source.ip : 118.184.177.30 |
Expand the IP range using CIDR notation (/24) | source.ip : 118.184.177.0/24 |
Expand the IP range using CIDR notation (/16) | source.ip : 118.184.0.0/16 |
Expand the IP range using CIDR notation (/8) | source.ip : 118.0.0.0/8 |
Search for IPv6 ranges | source.ip : "fe80::/64" |
Search nested fields (all conditions must match within the same nested object) | data:{point1 > 100 and point2: 1} |

Lucene Query Language

Switch KQL off in the query bar of the Kibana Discover tab to use the Lucene query syntax instead.

Task | Query |
---|---|
Return results for IP1 or IP2 using Free Text Search | 61.231.239.5 45.201.198.232 |
Return results for IP1 or IP2 using Free Text Search | `61.231.239.5 |
Return results for an IP and a specific URL | 45.201.198.232 AND \/dr\/update_magento.php |
Return results for an IP and a specific URL | 45.201.198.232 && "/dr/update_magento.php" |
Return results for an IP and a specific URL | +45.201.198.232 +\/dr\/update_magento.php |
Remove all health check requests from results | agent.name : ticketsystem NOT traefik.access.user_agent.original : "Zabbix 6.0.0" |
Has a specific IP accessed without an error | +45.201.198.232 -error |
Has a specific IP accessed without success | 45.201.198.232 NOT success |
Has a specific IP accessed without success | 45.201.198.232 !success |
Use grouped queries | (user_agent.version: <2.20 AND event.category: web) AND (agent.type: filebeat !agent.version: 7.9.0) |
Use a proximity search (distance threshold) when the terms are separated by other words | "forbidden 5.9.61.232"~2 |
Use Wildcards | agent.ephemeral_id:b59445f4-* |
Inclusive Range Queries | user_agent.version:[1.0 TO 1.1] |
Exclusive Range Queries | http.response.status_code:{299 TO 500} |
Mixed Range Queries (exclusive lower bound, inclusive upper bound) | {1.0 TO 1.1] |
Use Wildcards with Range Queries | destination.port:[80 TO *] |
Check if a field exists | _exists_ : agent.hostname |
Check if a field does not exist | NOT _exists_ : agent.hostname |
Use fuzzy search to get around typos or malformed terms | url.path:\/16-mm-w-o-ir-filter-1523.ht~2 |
Use fuzzy search to match all sub-versions of an agent | agent.version:8.0~2 |
Boost term weights | destination.port:(9200^9 OR 443) |
Use a regex to match terms that consist of a single lowercase letter or a digit from 0 to 9 | /[a-z0-9]/ |
Regex for valid IPv4 addresses\* | /(([0-2]*[0-9]+[0-9]+)\.([0-2]*[0-9]+[0-9]+)\.([0-2]*[0-9]+[0-9]+)\.([0-2]*[0-9]+[0-9]+))/ |
Regex for valid, private IPv4 addresses | `/(^10.) |
Regex to find all versions between 7 and 8 | agent.version:/[7-8]\.[0-9]\.[0-9]/ |

\* The expressions above are not displayed correctly; check regexlib.com for the regex. Lucene regular expressions must match the whole term and do not support the `^` and `$` anchors, so replace a leading `^` and a trailing `$` with the `/` delimiters.
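Added example, not part of the cheat sheet: because a Lucene regexp query must match the entire term (which is why the footnote drops `^` and `$`), Python's `re.fullmatch` is a usable stand-in for checking what a pattern will and will not hit before running it against an index. The script runs the page's regexes, as printed, over constructed sample values; it assumes the fields are single keyword terms and that the constructs used (character classes, `\.`, `*`, `+`, groups) behave the same in Python's `re` as in Lucene's engine.

```python
import re

# Constructed sample values, as they might appear in agent.version / source.ip
# keyword fields (not taken from any real index).
SAMPLE_VERSIONS = ["7.9.0", "8.0.1", "7.17.3", "8.10.4", "6.8.0"]
SAMPLE_IPS = ["118.184.177.30", "10.0.0.1", "999.999.999.999"]

# Patterns from the cheat sheet with the surrounding / delimiters removed.
VERSION_7_TO_8 = r"[7-8]\.[0-9]\.[0-9]"
SINGLE_CHAR = r"[a-z0-9]"
IPV4_LOOSE = (r"(([0-2]*[0-9]+[0-9]+)\.([0-2]*[0-9]+[0-9]+)"
              r"\.([0-2]*[0-9]+[0-9]+)\.([0-2]*[0-9]+[0-9]+))")


def lucene_regex_matches(pattern: str, term: str) -> bool:
    """True if pattern matches the ENTIRE term, as a Lucene regexp query
    requires (Lucene has no ^/$ anchors; the whole term must match).
    Assumption: the constructs used here mean the same in re and in Lucene."""
    return re.fullmatch(pattern, term) is not None


def terms_matched(pattern: str, terms: list[str]) -> list[str]:
    """Filter candidate keyword terms the way a regexp query on that field would."""
    return [t for t in terms if lucene_regex_matches(pattern, t)]


def to_lucene_regex(pattern: str) -> str:
    """Apply the footnote's advice: drop a leading ^ and a trailing $ (unsupported,
    and implied by whole-term matching) and wrap the body in / ... /."""
    return "/" + pattern.removeprefix("^").removesuffix("$") + "/"


if __name__ == "__main__":
    print(terms_matched(VERSION_7_TO_8, SAMPLE_VERSIONS))    # ['7.9.0', '8.0.1']
    print(terms_matched(SINGLE_CHAR, ["a", "9", "ab", "Z"]))  # ['a', '9']
    print(terms_matched(IPV4_LOOSE, SAMPLE_IPS))  # ['118.184.177.30', '999.999.999.999']
    print(to_lucene_regex(r"^10\..*$"))  # /10\..*/
```

Note that `[7-8]\.[0-9]\.[0-9]` misses two-digit minor versions such as 7.17.x, and the IPv4 pattern as printed requires at least two digits per octet, so a value like 10.0.0.1 is not matched.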