
Using Lucene Query Syntax

If you're storing data in Elasticsearch, you need to use Lucene Query Syntax to query that data in TeskaLabs.

These are some quick tips for using Lucene Query Syntax, but you can also see the full documentation on the Elasticsearch website, or visit this tutorial.

You might use Lucene Query Syntax when creating dashboards, filtering data in dashboards, and when searching for logs in Discover.

Basic query expressions

Search for the field message with any value:

message:*
Search for the value delivered in the field message:

message:delivered
Search for the phrase not delivered in the field message:

message:"not delivered"

Search for any value in the field message, but NOT the value delivered:

message:* -message:delivered

Search for the text delivered anywhere in the value in the field message:

This could return results including:

message:not delivered
message:delivered with delay

This query would not return the same results if the specified text (delivered in this example) was only part of a word or number, not separated by spaces or periods. Therefore, the query message:eliv, for example, would not return these results.

Search for the range of values 1 to 1000 in a field:

[1 TO 1000]

Search for the open range of values 1 and higher in a field:

[1 TO *]

Combining query expressions

Use boolean operators to combine expressions:

AND - all of the criteria must be met

OR - at least one of the criteria must be met

Using parentheses

Use parentheses when multiple items need to be grouped together to form an expression.

Examples of grouped expressions:

Search for logs from the dataset security, either with an IP address containing 123.456 and a message of failed login, or with an event action as deny and a delay greater than 10. Because the Lucene query parser does not apply operator precedence between AND and OR, group the two alternatives in an extra pair of parentheses so that the dataset condition applies to both of them:

event.dataset:security AND ((ip.address:123.456* AND message:"failed login") OR
(event.action:deny AND delay:[10 TO *]))

Search a library's database for a book written by either Karel Čapek or Lucie Lukačovičová that has been translated to English, or a book in English that is at least 300 pages and in the genre science fiction. As above, the two alternatives are grouped so that the language condition applies to both:

language:English AND ((author:"Karel Čapek" OR author:"Lucie Lukačovičová") OR
(page.count:[300 TO *] AND genre:"science fiction"))
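The following Python helper is an added example and is not code from the TeskaLabs page; it assembles query strings covering the expressions above (field:value, quoted phrases, the message:* existence check, negation, wildcard prefixes, ranges, and explicitly grouped AND/OR clauses). Field names such as event.dataset and ip.address and the sample values are taken from the examples above or constructed for illustration. It also escapes the characters the Lucene parser treats as syntax, so that a value copied from user input (an IP address, a username, a message fragment) cannot widen a dashboard filter by introducing wildcards or operators.

```python
# Added example, not from the TeskaLabs page: assemble Lucene query strings
# from parts so that values are escaped/quoted and alternatives are grouped
# explicitly. Field names and values below are constructed for illustration.

# Characters the Lucene query parser treats as operators or syntax.
LUCENE_SPECIAL = set('+-=&|><!(){}[]^"~*?:\\/')


def escape_term(value: str) -> str:
    """Backslash-escape reserved characters so that a value taken from user
    input cannot introduce wildcards, ranges or other operators."""
    return "".join("\\" + ch if ch in LUCENE_SPECIAL else ch for ch in value)


def phrase(field: str, text: str) -> str:
    """field:"text" - match the whole phrase; quotes and backslashes inside
    the text are escaped so the phrase cannot be closed early."""
    escaped = text.replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}:"{escaped}"'


def term(field: str, value: str) -> str:
    """field:value - match a single value. A value containing whitespace would
    split into several clauses (and a word such as OR would become an
    operator), so such values are emitted as a quoted phrase instead."""
    if any(ch.isspace() for ch in value):
        return phrase(field, value)
    return f"{field}:{escape_term(value)}"


def exists(field: str) -> str:
    """field:* - the field is present with any value."""
    return f"{field}:*"


def prefix(field: str, value: str) -> str:
    """field:value* - values starting with the given text."""
    return f"{field}:{escape_term(value)}*"


def in_range(field: str, low=None, high=None) -> str:
    """field:[low TO high] - inclusive range; None means an open end (*)."""
    lo = "*" if low is None else str(low)
    hi = "*" if high is None else str(high)
    return f"{field}:[{lo} TO {hi}]"


def negate(expr: str) -> str:
    """-expr - the clause must not match."""
    return f"-{expr}"


def all_of(*exprs: str) -> str:
    """(a AND b ...) - every clause must match."""
    return "(" + " AND ".join(exprs) + ")"


def any_of(*exprs: str) -> str:
    """(a OR b ...) - at least one clause must match."""
    return "(" + " OR ".join(exprs) + ")"


def message_without_delivered_query() -> str:
    """Any message value except the value delivered."""
    return all_of(exists("message"), negate(term("message", "delivered")))


def security_dataset_query() -> str:
    """The grouped expression from the page: the dataset condition applies to
    both alternatives because they are wrapped in their own parentheses."""
    return all_of(
        term("event.dataset", "security"),
        any_of(
            all_of(prefix("ip.address", "123.456"), phrase("message", "failed login")),
            all_of(term("event.action", "deny"), in_range("delay", 10, None)),
        ),
    )


if __name__ == "__main__":
    print(message_without_delivered_query())
    print(security_dataset_query())
    # A hostile value is neutralised instead of becoming query syntax:
    print(term("user.name", "* OR event.dataset:*"))
```

The helper always emits explicit parentheses around each group, which is harmless to the parser and removes any dependence on how AND and OR are combined; the last print shows that a value containing spaces and operators is turned into a quoted phrase rather than extra clauses.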