Response :200 will match documents whose response field matches a value of 200.
Using quotation marks will initiate a phrase search. For example, message:”Quick Brown Fox “will search for the phrase “Quick Brown fox” in the message field. Without quotes, your query will decompose into tokens through the configured parser of the message field, and will match the documents containing these tokens regardless of the order in which they appear.
Response :200 and extension: PHP will match the document that the response matches 200 and the extension matches PHP.
By default, and takes precedence over OR.
Response :200 and extension: PHP or extension: CSS will match a document with a response of 200 and extension PHP, or a document with extension CSS and response of any content.
Response :200 and (extension: PHP or extension: CSS) will match the document with a response of 200 and the extension is PHP or CSS.
Search for multiple values in a single field.
Response :(200 or 404) search for documents whose response field matches 200 or 404. We can also search for documents that contain multi-valued fields containing a list of terms, such as tags:(success and info and Security)
Fields can be preceded by the inverted word not.
Not response:200 will match all documents whose response is not 200.
The whole group can also be reversed.
response:200 and not (extension:php or extension:css)
Similar to Lucene, bytes:>1000, but the colon is omitted in KQL: bytes >1000.
>, >=, <, <= are all valid range operators.
Wildcard query:
Machine. OS :win* will match documents where the machine. OS field starts with “win”, which will match values like “Windows 7” and “Windows 10”.
Wildcards also allow us to search multiple fields at once. This may come in handy when you have both text and keyword versions of the field. Let’s say we have the machine-.osand and machine-.os. keyword fields, and we want to check the term “Windows 10” at the same time. We can do this: “Machine. OS * : Windows 10”.
If a default field is not set, the terms will match all fields. For example, a query response:200 would search for the value 200 in the response field, but a query 200 would search for 200 in all fields in the index.