
I am trying to convert the below ES query to a Kibana Lucene query, but I don't understand the basics and am unable to find examples either.

{
    "query": {
        "bool": {
            "must": [{
                "query_string": {
                    "query": "(\"/xyz\") AND (\"POST\") AND (\"GET\")",
                    "analyze_wildcard": false,
                    "lowercase_expanded_terms": false
                }
            }, {
                "match_phrase": {
                    "source": {
                        "query": "/var/log/nginx/access.log"
                    }
                }
            }, {
                "match_phrase": {
                    "response": {
                        "query": 200
                    }
                }
            }, {
                "range": {
                    "status_code": {
                        "gte": 400,
                        "lt": 599
                    }
                }
            }, {
                "range": {
                    "@timestamp": {
                        "gte": "now-24h",
                        "lte": "now",
                        "format": "epoch_millis"
                    }
                }
            }],
            "must_not": []
        }
    }
}

All I have done is source:"/var/log/nginx/access.log" AND "(\"/xyz\") AND (\"POST\") AND (\"GET\")" AND response:200 AND status_code:[400 - 599] which is not complete or correct. I am stuck here. Any help please? Thanks

san1512

1 Answer

You can try the below query (I have just created the query but not tested it, as sample data is not available):

(xyz and POST and GET) and (source:"/var/log/nginx/access.log") and response:200 and (status_code>=400 and status_code<=599)

You can check this documentation for more details about KQL.

Sagar Patel
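To make the mapping from the question's bool query to the answer's KQL mechanical, here is an added Python converter (not code from either poster). It handles the three clause types that appear in the question, `query_string`, `match_phrase` and `range`, plus `must_not`, keeps the `lt` bound exclusive as `<`, and by assumption drops the `@timestamp` range because Kibana's time picker normally supplies that window (pass `skip_fields=()` to keep it).

```python
import json
import re

# Constructed sample input: the bool query from the question above (must_not left empty).
ES_QUERY = json.loads(r'''
{"query": {"bool": {"must": [
  {"query_string": {"query": "(\"/xyz\") AND (\"POST\") AND (\"GET\")"}},
  {"match_phrase": {"source": {"query": "/var/log/nginx/access.log"}}},
  {"match_phrase": {"response": {"query": 200}}},
  {"range": {"status_code": {"gte": 400, "lt": 599}}},
  {"range": {"@timestamp": {"gte": "now-24h", "lte": "now", "format": "epoch_millis"}}}
], "must_not": []}}}
''')

RANGE_OPS = {"gte": ">=", "gt": ">", "lte": "<=", "lt": "<"}

def kql_value(value):
    """Quote strings as KQL phrases (escaping embedded quotes); numbers stay bare."""
    if isinstance(value, str):
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return str(value)

def clause_field(clause):
    """Field name targeted by a match_phrase/range clause, None for query_string."""
    for kind in ("match_phrase", "range"):
        if kind in clause:
            return next(iter(clause[kind]))
    return None

def clause_to_kql(clause):
    """Translate one must/must_not clause; None for clause types not handled here."""
    if "query_string" in clause:
        # query_string already holds Lucene syntax; KQL shares the phrase syntax,
        # so lowercase the boolean operators and keep the author's grouping.
        lucene = clause["query_string"]["query"]
        return "(" + re.sub(r"\b(AND|OR|NOT)\b", lambda m: m.group(1).lower(), lucene) + ")"
    if "match_phrase" in clause:
        (field, body), = clause["match_phrase"].items()
        value = body["query"] if isinstance(body, dict) else body
        return f"{field}:{kql_value(value)}"
    if "range" in clause:
        (field, bounds), = clause["range"].items()  # "format" is ignored, only bounds matter
        parts = [f"{field}{RANGE_OPS[k]}{kql_value(v)}" for k, v in bounds.items() if k in RANGE_OPS]
        return "(" + " and ".join(parts) + ")"
    return None

def bool_to_kql(es_query, skip_fields=("@timestamp",)):
    """Join must clauses with `and`; must_not clauses become `not <clause>`.
    skip_fields defaults to @timestamp on the assumption (this example's, not a KQL
    rule) that Kibana's time picker supplies the time window."""
    bool_q = es_query["query"]["bool"]
    keep = lambda c: clause_field(c) not in skip_fields
    must = [clause_to_kql(c) for c in bool_q.get("must", []) if keep(c)]
    must_not = [clause_to_kql(c) for c in bool_q.get("must_not", []) if keep(c)]
    return " and ".join([m for m in must if m] + [f"not {m}" for m in must_not if m])

if __name__ == "__main__":
    print(bool_to_kql(ES_QUERY))
```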