Preface

Earlier in the ELK series we covered installation, backup and recovery. This article looks at how to find the logs you want in Kibana: a list of the common query-string (Lucene syntax) search methods, so that you can quickly locate the log entries you need, analyze them further and solve the problem. Let's go straight to the list.


Search methods

1. Text search

Just enter a text string. For example, if you are searching web server logs, you can type Safari to search every field for the term Safari. A bare term is matched against the index's default fields (all fields unless the index configures otherwise), and on analyzed text fields the match is token-based and case-insensitive, so Safari also matches a value such as "Mozilla/5.0 ... safari".

2. Search for specific fields

Prefix the value with the name of the field. For example, you can type status:200 to find all entries whose status field contains the value 200. Examples:

  1. The status field contains active. The expression is: status:active

  2. The title field contains quick or black. If the OR operator is omitted, the default operator (OR unless configured otherwise) is used. The expressions are: title:(quick OR black) or title:(quick black)

  3. The author field contains the exact phrase "Jack". The expression is: author:"Jack"

  4. Several fields of one entity, such as book.content, book.name and book.date, contain quick or black (note that the * in the field name must be escaped with a backslash). The expression is:

book.\*:(quick black)

  5. The title field has any non-null value. The expression is: _exists_:title

3. Wildcard search

Wildcards can be used inside individual terms: ? replaces a single character and * replaces zero or more characters. For example, qu?ck bla*ck matches quick black. The caveat is that wildcard queries can use a lot of memory and perform very badly; think about how many terms have to be enumerated to match the query string a* b* c*. Leading wildcards (*foo) are the most expensive case, and the query_string option allow_leading_wildcard can be set to false to reject them.

4. Regular expression search

Regular expression patterns are written by wrapping them in forward slashes ("/"), for example: name:/joh?n(ath[oa]n)/. See the Elasticsearch regular expression syntax reference for the full syntax; like wildcards, patterns that start with a wide match (such as .*) are expensive to evaluate.

5. Fuzzy search

The "~" operator searches for terms that are similar to, but not exactly the same as, the search term, for example: quikc~ brwn~ foks~. The default edit distance is 2; an explicit distance can be given, as in quikc~1, and 1 is usually enough to catch ordinary typos.

6. Proximity search

Proximity queries apply "~" to a quoted phrase and allow the words of the phrase to be further apart or in a different order. For example, "fox quick"~5 matches documents where fox and quick occur within five positions of each other.

7. Range search

Ranges can be specified for date, number or string fields. An inclusive range is written with square brackets, [minimum TO maximum], and an exclusive range with curly brackets, {minimum TO maximum}; the two bracket styles can be mixed. Ranges on string fields compare lexicographically.

  1. All days in 2021: date:[2021-01-01 TO 2021-12-31]
  2. The numbers 1 to 5: count:[1 TO 5]
  3. Tags between alpha and omega, excluding alpha and omega themselves: tag:{alpha TO omega}
  4. Numbers 10 and above: count:[10 TO *]
  5. Dates before 2021: date:{* TO 2021-01-01}
  6. Numbers from 1 up to but not including 5: count:[1 TO 5}
  7. Ranges that are unbounded on one side can use the simplified syntax:
	age:>10
	age:>=10
	age:<10
	age:<=10
  8. To combine an upper and a lower bound with the simplified syntax, join two clauses with AND (or mark both as required with +):
	age:(>=10 AND <20)
	age:(+>=10 +<20)

8. Boosting a term

Use the boost operator ^ to make one term more relevant than another. For example, if we want to find everything about cats but are particularly interested in quick cats:

quick^2 cat

The default boost is 1, but it can be any positive floating-point number; a value between 0 and 1 reduces relevance. Boosts can also be applied to phrases or groups: "Jack"^2 (food)^4

9. Boolean operator search

By default all terms are optional, as long as at least one of them matches: a search for foo bar baz finds any document that contains one or more of foo, bar or baz. The preferred operators are + (this term must be present) and - (this term must not be present); every other term is optional. For example, the query

quick black +cat -news

means that cat must be present, news must not be present, and quick and black are optional but increase the relevance score of documents that contain them.

The familiar Boolean operators AND, OR and NOT (also written &&, || and !) are supported as well, but their effect is more complex than it first appears. The documented rule of thumb is that NOT takes precedence over AND, which takes precedence over OR, yet the classic Lucene parser does not honour the usual precedence rules reliably, so use parentheses whenever several operators appear together. + and - affect only the term immediately to their right, whereas AND and OR affect the terms on both sides. The query above can be rewritten as:

((quick AND cat) OR (black AND cat) OR cat) AND NOT news
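To make the semantics of the syntax above concrete, here is a small evaluator, added for this article and not part of Kibana or Elasticsearch, that runs a subset of the Lucene query-string syntax over a few constructed log records: free-text terms, field:value, the ? and * wildcards, quoted phrases, [ ] and { } ranges, the >= style comparisons, _exists_, and the + and - operators with the optional-term rule from this section, plus the rule that an empty query matches nothing. Grouping with parentheses, the AND/OR/NOT keywords, fuzzy, proximity, regex and boosting are not implemented. The records, their field names and the search function are this example's own.

```python
import re

# Constructed sample log records (not real data); one dict per indexed document.
LOGS = [
    {"id": 1, "status": 200, "agent": "Safari", "tag": "beta", "count": 3, "date": "2021-03-04"},
    {"id": 2, "status": 404, "agent": "Chrome", "tag": "alpha", "count": 12, "date": "2021-11-30"},
    {"id": 3, "status": 500, "agent": "curl", "tag": "omega", "count": 7, "date": "2020-12-31"},
    {"id": 4, "status": 200, "agent": "Safari", "tag": "gamma", "count": 0, "date": "2022-01-01",
     "title": "quick black"},
]

# One clause: optional +/- prefix, optional "field:", then a range, a quoted phrase or a bare term.
CLAUSE = re.compile(r'([+-]?)(?:([\w.]+):)?([\[{][^\]}]*[\]}]|"[^"]*"|\S+)')
RANGE = re.compile(r"([\[{])\s*(\S+)\s+TO\s+(\S+)\s*([\]}])")
COMPARISON = re.compile(r"(>=|<=|>|<)(.+)")
OPS = {">": lambda c: c > 0, ">=": lambda c: c >= 0, "<": lambda c: c < 0, "<=": lambda c: c <= 0}


def _compare(actual, bound):
    """-1/0/1 for actual vs bound, or None if not comparable (a word against a numeric field).
    Numbers compare numerically, everything else as strings, which keeps ISO-8601 dates in order."""
    try:
        a, b = (float(actual), float(bound)) if isinstance(actual, (int, float)) else (str(actual), str(bound))
    except ValueError:
        return None
    return (a > b) - (a < b)


def _term_matches(actual, term):
    """Match like an analyzed text field: a quoted phrase must appear verbatim, an unquoted
    term must equal one whitespace token ('?' = one character, '*' = any run), ignoring case."""
    if isinstance(actual, (int, float)):
        return _compare(actual, term) == 0
    text = str(actual).lower()
    if term.startswith('"') and term.endswith('"'):
        return term.strip('"').lower() in text
    pattern = re.escape(term).replace(r"\*", ".*").replace(r"\?", ".")
    return any(re.fullmatch(pattern, tok, re.IGNORECASE) for tok in text.split())


def _range_matches(actual, spec):
    """[lo TO hi] is inclusive, {lo TO hi} exclusive; brackets may be mixed and '*' is unbounded."""
    m = RANGE.fullmatch(spec)
    if not m:
        raise ValueError(f"malformed range: {spec}")
    lo_br, lo, hi, hi_br = m.groups()
    for bound, bracket, sign in ((lo, lo_br, -1), (hi, hi_br, 1)):
        if bound == "*":
            continue
        c = _compare(actual, bound)
        if c is None or c == sign or (c == 0 and bracket in "{}"):
            return False
    return True


def _clause_matches(doc, field, value):
    if field == "_exists_":                      # _exists_:title -> field present and non-null
        return doc.get(value) is not None
    # A bare term (no field) is tried against every field, like Kibana's free-text search.
    for actual in ([doc.get(field)] if field else doc.values()):
        if actual is None:
            continue
        if value[0] in "[{":
            hit = _range_matches(actual, value)
        elif (m := COMPARISON.fullmatch(value)):
            c = _compare(actual, m.group(2))
            hit = c is not None and OPS[m.group(1)](c)
        else:
            hit = _term_matches(actual, value)
        if hit:
            return True
    return False


def search(query, docs=LOGS):
    """Ids of the documents matching a Lucene-style query string. '+' clauses must match and
    '-' clauses must not; other clauses are optional (OR by default) but, once any '+' clause
    is present, only affect scoring. Only '-' clauses -> everything not excluded (Elasticsearch's
    behaviour); an empty query -> nothing."""
    if not query.strip():
        return []
    required, prohibited, optional = [], [], []
    for sign, field, value in CLAUSE.findall(query):
        {"+": required, "-": prohibited}.get(sign, optional).append((field, value))
    hits = []
    for doc in docs:
        if any(_clause_matches(doc, f, v) for f, v in prohibited):
            continue
        if not all(_clause_matches(doc, f, v) for f, v in required):
            continue
        if not required and optional and not any(_clause_matches(doc, f, v) for f, v in optional):
            continue
        hits.append(doc["id"])
    return hits


if __name__ == "__main__":
    for q in ["Safari", "count:[1 TO 5}", "tag:{alpha TO omega}", "quick black +agent:Safari -tag:gamma"]:
        print(f"{q:40} -> {search(q)}")
```

Running the block prints the matching ids for a few of the queries from the sections above. The useful thing to notice is the optional-term rule: quick black +agent:Safari -tag:gamma returns record 1 even though neither quick nor black occurs in it, because the presence of a + clause demotes the other terms to scoring hints.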

10. Group search

Multiple terms or clauses can be grouped with parentheses to form a sub-query, for example (quick OR brown) AND cat. Groups can also be used to target a specific field or to boost the result of a sub-query: status:(active OR pending) title:(full text search)^2

11. Reserved characters

If a character that functions as an operator should be searched for literally, it must be escaped with a leading backslash. For example, to search for (1+1)=2 the query must be written as \(1\+1\)\=2. The reserved characters of the query-string syntax are:

+ - = && || > < ! ( ) { } [ ] ^ " ~ * ? : \ /

Failing to escape them correctly produces a syntax error that stops the query from running. < and > cannot be escaped at all; the only way to stop them from being read as a range query is to remove them from the query string.
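Reserved characters matter most when your own tooling (an enrichment script, a SOAR playbook, a link builder for dashboards) interpolates untrusted text, such as a value pulled out of a log line, into a query string: an unescaped * or OR changes the query instead of being searched for. The following helper, added here and not part of Kibana or Elasticsearch, escapes every reserved character, drops the two that cannot be escaped, and wraps the value in a query_string request body that also disables leading wildcards (allow_leading_wildcard and default_field are real query_string options; the function names, the field name and the sample values are this example's own).

```python
# Reserved characters of the Lucene query-string syntax, as listed in the Elasticsearch
# reference. '<' and '>' have no escape form and are dropped so they cannot start a range.
RESERVED = set('+-=&|!(){}[]^"~*?:\\/')
UNESCAPABLE = set("<>")


def escape_reserved(value: str) -> str:
    """Backslash-escape every reserved character so user text is matched literally."""
    return "".join("" if ch in UNESCAPABLE else ("\\" + ch if ch in RESERVED else ch)
                   for ch in value)


def naive_query(field: str, untrusted: str) -> str:
    """The vulnerable pattern: string interpolation hands the attacker the query syntax."""
    return f"{field}:{untrusted}"


def build_query(field: str, untrusted: str) -> dict:
    """Hardened form: the value is escaped and quoted so it is one literal phrase pinned to a
    single field, and leading wildcards (the expensive a* b* c* case) are refused."""
    return {
        "query": {
            "query_string": {
                "query": f'{field}:"{escape_reserved(untrusted)}"',
                "default_field": field,
                "allow_leading_wildcard": False,
            }
        }
    }


if __name__ == "__main__":
    # Constructed attacker-controlled value (not a real log entry).
    hostile = "* OR status:500"
    print(naive_query("agent", hostile))               # agent:* OR status:500  -> query rewritten
    print(build_query("agent", hostile)["query"]["query_string"]["query"])
```

With the naive form the value * OR status:500 widens the search to every document plus all 500 responses; with build_query it becomes the single phrase agent:"\* OR status\:500" and matches only what the text literally says.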

12. Empty query

If the query string is empty or contains only spaces, the query produces an empty result set.

Conclusion

The operations above cover most day-to-day needs; what matters more is combining them flexibly for the problem at hand. Practice more!