Regex Query Syntax Examples in Kibana

Better Stack Team
Updated on November 18, 2024

Using regular expressions (regex) in Kibana can enhance your ability to query and filter logs and data effectively. Kibana passes queries to Elasticsearch, whose Query DSL supports regex through the regexp query and through regex terms inside query_string queries; wildcard queries offer a simpler glob-style pattern. Below are some examples of how to use regex queries in Kibana, including the syntax and explanations.

Example 1: Simple Regex Query

To find documents where the message field contains "error" anywhere in a term (the leading and trailing .* are needed because a regexp query must match the entire term):

{
  "query": {
    "regexp": {
      "message": ".*error.*"
    }
  }
}

Example 2: Match Specific Patterns

To match logs whose username field starts with "User" and ends with a digit (the pattern is matched against the whole value, so no end anchor is needed):

{
  "query": {
    "regexp": {
      "username": "User.*[0-9]"
    }
  }
}

Example 3: Using Query String with Regex

Using the query_string syntax allows you to combine multiple criteria, including regex written between slashes. This example retrieves logs where the status is either "success" or "error" and the message contains "timeout":

{
  "query": {
    "query_string": {
      "query": "status:(success OR error) AND message:/.*timeout.*/"
    }
  }
}

Example 4: Match Email Addresses

To find documents with a valid email format in the email field (the dot and the @ are escaped because both have special meaning in Lucene regex syntax, and the backslash is doubled inside the JSON string):

{
  "query": {
    "regexp": {
      "email": "[a-zA-Z0-9._%+-]+\\@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
    }
  }
}

Example 5: Using Wildcard Query with Regex-Like Patterns

You can also use wildcard queries, though they're not true regex. This example finds logs with request field values that start with "GET" and have any characters following:

{
  "query": {
    "wildcard": {
      "request": "GET*"
    }
  }
}

Example 6: Combine Regex with Other Filters

Combining regex with other filters is useful for more complex queries. This example finds logs where the ip_address field is an address in 192.168.1.0/24 (each literal dot escaped) and status is "failed":

{
  "query": {
    "bool": {
      "must": [
        {
          "regexp": {
            "ip_address": "192\\.168\\.1\\.[0-9]{1,3}"
          }
        },
        {
          "term": {
            "status": "failed"
          }
        }
      ]
    }
  }
}

Example 7: Excluding Specific Patterns

To find logs where the message does not contain the word "debug":

{
  "query": {
    "bool": {
      "must_not": {
        "regexp": {
          "message": ".*debug.*"
        }
      }
    }
  }
}

Tips for Using Regex in Kibana

  1. Performance Considerations: Regex queries are resource-intensive, especially on large datasets, and patterns that begin with .* are the most expensive because every term in the index has to be scanned. Use a literal prefix where you can, keep patterns as specific as possible, and put exact-match criteria in term filters rather than in the regex.
  2. Escape Special Characters: When writing regex, escape reserved characters such as . and @ with a backslash (the regex \. is written as \\. inside a JSON string). Lucene's regex engine does not support the ^ and $ anchors: a regexp query always has to match the entire term, so surround a pattern with .* to find it anywhere in a value.
  3. Test Your Queries: Use Kibana’s Dev Tools console to test and refine your regex queries before implementing them in visualizations or dashboards.
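The escaping and whole-term matching rules above are easy to get wrong when queries are assembled in code. The following Python helper is an added example, not code from this article or from Better Stack: it escapes Lucene reserved characters, wraps a literal in .* for a "contains" search, builds the bool query from Examples 6 and 7, and uses Python's re.fullmatch as an approximation of Lucene's whole-term matching for the basic operators used here. The function names and the sample field values are constructed for the example.

```python
import json
import re

# Characters Lucene's regexp engine treats specially: the reserved set plus
# the optional operators (# @ & < > ~) that Elasticsearch enables by default.
LUCENE_SPECIAL = set('.?+*|{}[]()"\\#@&<>~')


def lucene_escape(literal: str) -> str:
    """Backslash-escape a literal so it matches itself in a regexp query."""
    return "".join("\\" + c if c in LUCENE_SPECIAL else c for c in literal)


def contains(literal: str) -> str:
    """A regexp query must match the whole term (no ^ or $ anchors), so a
    'contains' search needs .* on both sides of the escaped literal."""
    return ".*" + lucene_escape(literal) + ".*"


def build_query(patterns: dict, excluded: dict, terms: dict) -> dict:
    """Assemble a bool query: regexp must clauses, exact term filters and
    regexp must_not clauses, mirroring Examples 6 and 7 of the article."""
    must = [{"regexp": {f: p}} for f, p in patterns.items()]
    must.extend({"term": {f: v}} for f, v in terms.items())
    must_not = [{"regexp": {f: p}} for f, p in excluded.items()]
    return {"query": {"bool": {"must": must, "must_not": must_not}}}


def to_json(query: dict) -> str:
    """Serialise for Dev Tools; json.dumps doubles the regex backslashes."""
    return json.dumps(query, indent=2)


def term_matches(pattern: str, term: str) -> bool:
    """Approximate Lucene's whole-term semantics with re.fullmatch. Only
    valid for the basic operators (., *, [], {}) used in this article."""
    return re.fullmatch(pattern, term) is not None


if __name__ == "__main__":
    # Constructed scenario: failed logins from 192.168.1.0/24 whose message
    # mentions a timeout, with debug noise excluded.
    ip_pattern = lucene_escape("192.168.1.") + "[0-9]{1,3}"
    query = build_query(
        {"ip_address": ip_pattern, "message": contains("timeout")},
        {"message": contains("debug")},
        {"status": "failed"},
    )
    print(to_json(query))
```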

Conclusion

Using regex in Kibana allows for powerful querying capabilities, enabling you to filter and analyze your log data effectively. By leveraging the examples provided, you can craft regex queries tailored to your specific use cases, improving your data exploration and monitoring efforts.

Licensed under CC-BY-NC-SA

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.