Kibana: AND, OR, NOT – Query Examples

Kibana Query Language (KQL) supports boolean operators AND, OR and NOT (case insensitive).

They are used to combine or exclude search terms in a Kibana query, so that only the documents you are actually interested in are returned.

In this note I will show some examples of how to use the boolean operators AND, OR and NOT in Kibana search queries.

Cool Tip: The wildcard operators (* and ?) in Kibana search queries! Read more →

Kibana – AND, OR, NOT

To query documents where responseCode is 200 or statusMessage is OK, or both:

responseCode:200 or statusMessage:"OK"

To query documents where responseCode is 200 and statusMessage is OK:

responseCode:200 and statusMessage:"OK"

To query documents where responseCode is 301 or 302:

responseCode:(301 or 302)

Precedence: By default, the AND operator has higher precedence than OR, so a query of the form a and b or c is read as (a and b) or c. This can be overridden by grouping the operators in parentheses.

To query documents where responseCode is 200 and statusMessage is OK, or where statusMessage is NOK (with any responseCode):

responseCode:200 and statusMessage:"OK" or statusMessage:"NOK"

To query documents where responseCode is 200 and statusMessage is either OK or NOK:

responseCode:200 and (statusMessage:"OK" or statusMessage:"NOK")

To query documents where responseCode is not 200:

not responseCode:200

To query documents where responseCode is 200 and statusMessage is neither OK nor NOK:

responseCode:200 and not (statusMessage:"OK" or statusMessage:"NOK")

To query multi-value fields (for example an array of tags) that contain all of the listed values:

tags:("dev" and "reviewed" and "merged")
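The precedence rule and the multi-value grouping above are easiest to understand by running the queries against a handful of documents. The Python script below is an added example, not code from the original note or from Kibana itself: it implements a small recursive-descent parser for the subset of KQL used on this page (field:value, field:(value1 or value2), AND, OR, NOT and parentheses, with KQL's precedence) and evaluates the resulting tree against constructed sample documents. The DOCS list, the id field and the tokenize/parse/evaluate/search names are my own assumptions. Real Kibana queries are executed by Elasticsearch; this evaluator only compares values as exact strings, so it does not model analysed text fields, ranges or wildcards.

```python
import re

# Added example, not code from the original note or from Kibana: a small evaluator
# for the KQL subset used above.  Precedence follows KQL (NOT binds tightest, then
# AND, then OR; parentheses override it).  Values are compared as exact strings.

_TOKEN_RE = re.compile(r'\s*(?:([():])|"([^"]*)"|([^\s():"]+)|(\S))')


def tokenize(query):
    """(kind, text) tokens; and/or/not are recognised case-insensitively."""
    tokens = []
    for m in _TOKEN_RE.finditer(query):
        punct, quoted, word, bad = m.groups()
        if bad:                                   # e.g. an unterminated quote
            raise ValueError("cannot tokenize at: %r" % query[m.start(4):])
        if punct:
            tokens.append((punct, None))
        elif quoted is None and word.lower() in ("and", "or", "not"):
            tokens.append(("op", word.lower()))
        else:                                     # quoted text is never an operator
            tokens.append(("value", word if quoted is None else quoted))
    return tokens


def parse(query):
    """Recursive descent; nodes are ("or", a, b), ("and", a, b), ("not", a), ("match", field, value)."""
    toks = tokenize(query) + [(None, None)]       # sentinel marks end of input
    pos = [0]                                     # cursor shared by the closures
    def peek():
        return toks[pos[0]]
    def take(kind=None):
        if kind is not None and peek()[0] != kind:
            raise ValueError("expected %r, got %r" % (kind, peek()))
        pos[0] += 1
    def parse_or(field):                          # lowest precedence
        node = parse_and(field)
        while peek() == ("op", "or"):
            take()
            node = ("or", node, parse_and(field))
        return node
    def parse_and(field):
        node = parse_primary(field)
        while peek() == ("op", "and"):
            take()
            node = ("and", node, parse_primary(field))
        return node
    def parse_primary(field):                     # "field" is set while inside field:( ... )
        kind, text = peek()
        if kind == "op" and text == "not":        # NOT applies to the next primary only
            take()
            return ("not", parse_primary(field))
        if kind == "(":                           # parenthesised group
            take()
            node = parse_or(field)
            take(")")
            return node
        if kind == "value" and field is None:     # field:value or field:( ... )
            take()
            take(":")
            return parse_primary(text)
        if kind == "value":                       # bare value inside field:( ... )
            take()
            return ("match", field, text)
        raise ValueError("unexpected token %r" % (peek(),))
    tree = parse_or(None)
    if peek() != (None, None):
        raise ValueError("trailing tokens: %r" % toks[pos[0]:-1])
    return tree


def evaluate(node, doc):
    """True if doc matches.  Scalars are wrapped as one-element lists so a multi-value field
    matches when any element equals the value; "not" is also true when the field is absent."""
    if node[0] == "or":
        return evaluate(node[1], doc) or evaluate(node[2], doc)
    if node[0] == "and":
        return evaluate(node[1], doc) and evaluate(node[2], doc)
    if node[0] == "not":
        return not evaluate(node[1], doc)
    _, field, value = node
    present = doc.get(field)
    values = present if isinstance(present, list) else [present]
    return any(v is not None and str(v) == value for v in values)


def search(query, docs):
    """Ids of the documents matching a KQL query, in input order."""
    tree = parse(query)
    return [doc["id"] for doc in docs if evaluate(tree, doc)]


# Constructed sample documents; field names follow the note's examples.
DOCS = [
    {"id": 1, "responseCode": 200, "statusMessage": "OK", "tags": ["dev", "reviewed", "merged"]},
    {"id": 2, "responseCode": 200, "statusMessage": "NOK", "tags": ["dev"]},
    {"id": 3, "responseCode": 301, "statusMessage": "Moved", "tags": ["dev", "reviewed"]},
    {"id": 4, "responseCode": 302, "statusMessage": "NOK"},
]
```

Calling search('responseCode:200 and statusMessage:"OK" or statusMessage:"NOK"', DOCS) returns documents 1, 2 and 4, while the parenthesised form returns only 1 and 2: document 4 has responseCode 302 and is pulled in solely because the trailing OR is evaluated after the AND. The same thing happens in a detection rule written without parentheses, where an unintended OR branch silently widens (or, with NOT, narrows) the set of events a rule fires on, so it is worth grouping explicitly even when the default precedence happens to give the right answer. Note also that "not" matches documents that lack the field entirely, which is the behaviour of an Elasticsearch must_not clause and is easy to forget when excluding values.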