Kibana Query Language (KQL) supports the boolean operators `AND`, `OR` and `NOT` (case insensitive).
They are used as conjunctions to combine or exclude keywords in Kibana search queries, giving more focused and productive results.
In this note I will show some examples of how to use the boolean operators `AND`, `OR` and `NOT` in Kibana search queries.
Cool Tip: The wildcard operators (`*` and `?`) in Kibana search queries! Read more →
Kibana – AND, OR, NOT
To query documents where `responseCode` is `200` or `statusMessage` is `OK`, or both:
```
responseCode:200 or statusMessage:"OK"
```
To query documents where `responseCode` is `200` and `statusMessage` is `OK`:
```
responseCode:200 and statusMessage:"OK"
```
To query documents where `responseCode` is `301` or `302`:
```
responseCode:(301 or 302)
```
Precedence: By default, the `AND` operator has a higher precedence than `OR`, but this can be overridden by grouping the operators in parentheses.
To query documents where `responseCode` is `200` and `statusMessage` is `OK`, or `statusMessage` is `NOK` and `responseCode` is anything:
```
responseCode:200 and statusMessage:"OK" or statusMessage:"NOK"
```
To query documents where `responseCode` is `200` and `statusMessage` is either `OK` or `NOK`:
```
responseCode:200 and (statusMessage:"OK" or statusMessage:"NOK")
```
To query documents where `responseCode` is not `200`:
```
not responseCode:200
```
To query documents where `responseCode` is `200` but `statusMessage` is not `OK` or `NOK`:
```
responseCode:200 and not (statusMessage:"OK" or statusMessage:"NOK")
```
To query multi-value fields that contain all listed values:
```
tags:("dev" and "reviewed" and "merged")
```
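As an added illustration of the precedence rules and the multi-value example above (this is example code written for this note, not code from the original post or from Kibana), the following small Python evaluator parses the queries shown here with KQL precedence (parentheses, then NOT, then AND, then OR) and runs them over a handful of constructed documents, so you can see that the two "200 and OK or NOK" queries match different sets. The `DOCS` list, the `Parser` class and the `search` function are assumptions made for the example.

```python
import re

# Constructed sample documents (not from the page); search() returns their indexes.
DOCS = [
    {"responseCode": 200, "statusMessage": "OK"},                                            # 0
    {"responseCode": 200, "statusMessage": "NOK"},                                           # 1
    {"responseCode": 500, "statusMessage": "NOK"},                                           # 2
    {"responseCode": 301, "statusMessage": "Moved", "tags": ["dev", "reviewed", "merged"]},  # 3
]
# Tokens: parens, colon, quoted string, bare word; whitespace between tokens is skipped.
TOKEN = re.compile(r'\s*(\(|\)|:|"[^"]*"|[^\s()":]+)')

def match(field, raw):
    """Predicate: field equals the value; a list field matches if any element does."""
    value, as_list = raw.strip('"'), lambda v: v if isinstance(v, list) else [v]
    return lambda d: any(str(v) == value for v in as_list(d.get(field)))

class Parser:  # recursive descent with KQL precedence: parentheses > NOT > AND > OR
    def __init__(self, q): self.t, self.i = TOKEN.findall(q), 0
    def peek(self): return self.t[self.i].lower() if self.i < len(self.t) else None  # operators are case insensitive
    def take(self): self.i += 1; return self.t[self.i - 1]
    def expect(self, s):
        if self.take() != s: raise ValueError(f"expected {s!r}")
    def chain(self, op, sub, field):  # left-associative run of `op` over `sub` terms
        left = sub(field)
        while self.peek() == op:
            self.take(); right = sub(field)
            left = (lambda l, r: lambda d: (l(d) or r(d)) if op == "or" else (l(d) and r(d)))(left, right)
        return left
    def p_or(self, field): return self.chain("or", self.p_and, field)    # lowest precedence
    def p_and(self, field): return self.chain("and", self.p_not, field)  # binds tighter than OR
    def p_not(self, field):
        if self.peek() != "not": return self.p_atom(field)
        self.take(); inner = self.p_not(field); return lambda d: not inner(d)
    def p_atom(self, field):
        tok = self.take()
        if tok == "(":  # parenthesised group; `field` is set when the group follows "field:"
            node = self.p_or(field); self.expect(")"); return node
        if field is not None: return match(field, tok)  # bare value inside field:(...)
        self.expect(":")
        return self.p_atom(tok) if self.peek() == "(" else match(tok, self.take())

def search(query, docs=DOCS):
    """Indexes of documents matched by a KQL boolean query."""
    p = Parser(query); pred = p.p_or(None)
    if p.i != len(p.t): raise ValueError(f"unexpected token {p.t[p.i]!r}")
    return [i for i, d in enumerate(docs) if pred(d)]
```

Running the two precedence queries side by side shows the difference: without parentheses document 2 (`500`/`NOK`) is matched, with them it is not.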
THANK YOU!!!!! I am so darn new to Kibana and Elastic’s documentation is clear as mud – this was so helpful!!!