Skip to content

Using Lucene Query Syntax

To query data from Discover screen in TeskaLabs LogMan.io, use Lucene Query Syntax.

These are some quick tips for using Lucene Query Syntax, but you can also see the full documentation on the Elasticsearch website, or visit this tutorial.

You might use Lucene Query Syntax when creating dashboards, filtering data in dashboards, and when searching for logs in Discover.

Basic query expressions

Search for the field message with any value:

message:*

Search for the value delivered in the field message:

message:delivered

Search for the phrase Email was delivered in the field message:

message:"Email was delivered"

Search for any value in the field message, but NOT the value delivered:

message:* -message:delivered

Search for the text delivered anywhere in the value in the field message:

message:"*delivered*"

This could return results including:

message: delivered
message: not delivered
message: delivered with delay

Tip

We recommend using quotes "..." around your search terms, especially when searching for phrases or values containing spaces, special characters, or IP addresses. Quoting ensures that the query matches the exact phrase or value as intended, and helps avoid unexpected results due to operator precedence or tokenization.

Elasticsearch types

Elasticsearch stores data in fields with specific types, such as keyword (for exact text values), number (for integers or floating-point numbers), ip (for IP addresses), and geo_point (for geographic coordinates). The type of a field determines how you can query it.

  • keyword: Used for exact matches (e.g., event.outcome:success).
  • number: Supports range queries (e.g., source.port:[10000 TO 20000]).
  • ip: Used for IPv4 and IPv6 addresses. You can search for a specific IP or a range/subnet (e.g., source.ip: "192.168.1.0/24").
  • geo_point: Used for latitude/longitude coordinates (advanced queries).

The complete reference can be found here.

Querying numbers:

To search for a range of ports:

source.port:[10000 TO 20000]

Querying IP addresses:

To search for a specific IPv4 address:

source.ip: "192.168.1.10"

To search for an IPv4 address within a subnet (CIDR notation):

source.ip: "192.168.1.0/24"

To search for an IPv6 address within a subnet (CIDR notation):

source.ip: "2a01:9ce0:0:1:7ec2:55ff:fe25::/64"

Tip

Use tools like ip address guide to convert between IP address ranges and CIDR notation.

Combining query expressions

Use boolean operators to combine expressions:

AND - combines criteria

OR - at least one of the criteria must be met

Using parentheses

Use parentheses when multiple items need to be grouped together to form an expression.

Examples of grouped expressions:

Search for logs where either the dataset is linux and the source IP is in the subnet 107.10.0.0/28, or the destination IP is in the same subnet and the event outcome is "failure":

(event.dataset:"linux" AND source.ip:"107.10.0.0/28") OR
(destination.ip:"107.10.0.0/28" AND event.outcome:"failure")

Real-world example:

Search for logs where the dataset is linux and the source IP is in the subnet 10.0.0.0/24, or the destination IP is in the same subnet and the event action is "blocked":

(event.dataset:"linux" AND source.ip:"10.0.0.0/24") OR
(destination.ip:"10.0.0.0/24" AND event.action:"blocked")