
KQL vs Lucene: Query Syntax You Can Actually Reason About

KQL is friendlier, Lucene is more powerful. Use the right one for the right job — and stop confusing the two.

August 28, 2025 · 6 min read · Kibana, Search

Kibana lets you toggle between KQL and Lucene in the query bar. The toggle is small and the difference is big.

KQL in 90 seconds

  • Field names are unquoted, and values need quotes only when they contain spaces or KQL special characters: host.name : web-01.
  • Boolean words: and, or, not (case-insensitive).
  • Trailing wildcards: host.name : web-*. Leading wildcards (host.name : *-01) force a scan of every term and are expensive; they can be switched off with the query:allowLeadingWildcards advanced setting.
  • Range: response.bytes > 1024 (also >=, <, <=).
  • Dotted object fields: user.roles : "admin". A field mapped as nested type needs the nested syntax instead: user : { roles : "admin" }.

What KQL can't do

Regular expressions, proximity (slop) queries and term boosting. If you need any of those, switch the query bar to Lucene:

message:/err[a-z]*/
message.keyword:/.*error +5[0-9][0-9].*/
message:"timeout exceeded"~5
title:(war^2 peace^0.5)

Two caveats on the regex lines. Lucene regular expressions are not PCRE: a backslash only escapes the next character, so \d and \s are the letters d and s, not digit and whitespace classes, and a pattern such as /error\s+5\d\d/ silently matches nothing. They are also anchored to the whole indexed term, so on a keyword field you need the leading and trailing .*, while on an analysed text field the pattern is tested against each token on its own. The boost example needs the parentheses; without them peace^0.5 is searched in the default field rather than in title.
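To see why the \d-style pattern finds nothing while the [0-9] form works, here is a small Python model of Lucene regexp matching. It is an added example written for this page, not Kibana or Elasticsearch code; lucene_to_python, lucene_regexp_matches and regexp_query are hypothetical names for the model, which covers only the regex constructs used on this page, and the LOGS documents are constructed.

```python
import re


def lucene_to_python(pattern):
    """Translate the Lucene RegExp subset used on this page into a Python regex.

    Lucene's backslash means "the next character, literally", so \\d and \\s
    become the letters d and s rather than digit/whitespace classes. The other
    constructs used here ([...], ., *, +, {n}) mean the same in both engines.
    This is a model of that rule, not Lucene's parser.
    """
    return re.sub(r"\\(.)", lambda m: re.escape(m.group(1)), pattern)


def lucene_regexp_matches(pattern, term):
    """A Lucene regexp query is anchored: the whole indexed term must match."""
    return re.fullmatch(lucene_to_python(pattern), term) is not None


def analyze(value):
    """Standard-analyzer approximation: lowercase, split on non-word characters."""
    return [t for t in re.split(r"\W+", value.lower()) if t]


def regexp_query(docs, field, pattern):
    """Model of `field:/pattern/` in Lucene mode.

    A .keyword field holds the whole value as a single term; a text field holds
    analysed tokens, each tested on its own. The pattern itself is never analysed,
    so an uppercase letter in it cannot match a lowercased token.
    """
    is_keyword = field.endswith(".keyword")
    base = field[: -len(".keyword")] if is_keyword else field
    hits = []
    for doc in docs:
        if base not in doc:
            continue
        terms = [doc[base]] if is_keyword else analyze(doc[base])
        if any(lucene_regexp_matches(pattern, t) for t in terms):
            hits.append(doc["id"])
    return hits


# Constructed sample documents, not real log lines.
LOGS = [
    {"id": 1, "message": "upstream error 502 from backend"},
    {"id": 2, "message": "error 404 for /health"},
    {"id": 3, "message": "request ok 200"},
]


if __name__ == "__main__":
    print(r"/error\s+5\d\d/ on keyword   ->", regexp_query(LOGS, "message.keyword", r"error\s+5\d\d"))
    print("/error +5[0-9][0-9]/ on keyword ->", regexp_query(LOGS, "message.keyword", r"error +5[0-9][0-9]"))
    print("/.*error +5[0-9][0-9].*/ on keyword ->", regexp_query(LOGS, "message.keyword", r".*error +5[0-9][0-9].*"))
    print("/err[a-z]*/ on text tokens     ->", regexp_query(LOGS, "message", r"err[a-z]*"))
    print("/5[0-9]{2}/ on text tokens     ->", regexp_query(LOGS, "message", r"5[0-9]{2}"))
```

The middle two keyword queries are the ones to compare: the same [0-9] pattern returns nothing until it is wrapped in .* on both sides, because the whole stored value has to match.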

Gotchas

  1. Analysed vs keyword. status : "Active" on an analysed text field runs through the analyzer, which lowercases both the indexed value and your query, so it also matches "active", "ACTIVE" and any value that tokenises to contain active. For an exact, case-sensitive match use status.keyword : "Active".
  2. Phrase match. KQL message : "connection reset" is a phrase search: both tokens, adjacent and in order. Without the quotes it is two OR'd tokens, so "reset connection pool" also matches.
  3. Missing fields. not status : "ok" is a must_not clause: it returns every document the inner query did not match, which includes documents that have no status field at all. If you mean "status is present and is not ok", require presence explicitly: status : * and not status : "ok".
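To make the three behaviours concrete, here is a small Python model of how Elasticsearch evaluates them. It is an added example written for this page, not Kibana or Elasticsearch code, and it deliberately simplifies: analyze approximates the standard analyzer (split on non-word characters, lowercase), the DOCS are constructed, and match_text, match_phrase, term_keyword, exists and not_ are hypothetical names for the match, match_phrase, term, exists and bool.must_not behaviour the gotchas describe.

```python
import re

# Constructed sample documents, not real data. Doc 4 has no status field.
DOCS = [
    {"id": 1, "status": "Active", "message": "connection reset by peer"},
    {"id": 2, "status": "active", "message": "reset connection pool"},
    {"id": 3, "status": "Inactive", "message": "connection timeout"},
    {"id": 4, "message": "connection reset"},
    {"id": 5, "status": "ok", "message": "healthy"},
]
ALL_IDS = {d["id"] for d in DOCS}


def analyze(value):
    """Approximation of the standard analyzer: split on non-word characters,
    lowercase. It is applied to the indexed value AND to the query value, which
    is why status : "Active" on a text field cannot be case-sensitive."""
    return [t for t in re.split(r"\W+", value.lower()) if t]


def match_text(field, value):
    """Gotchas 1 and 2: `field : some words` on an analysed text field.
    Any query token found among the document's tokens is a hit (OR semantics)."""
    wanted = set(analyze(value))
    return {d["id"] for d in DOCS if field in d and wanted & set(analyze(d[field]))}


def match_phrase(field, value):
    """Gotcha 2: `field : "some words"`. Tokens must appear adjacent and in order."""
    wanted = analyze(value)
    n = len(wanted)
    hits = set()
    for d in DOCS:
        if field not in d:
            continue
        toks = analyze(d[field])
        if any(toks[i:i + n] == wanted for i in range(len(toks) - n + 1)):
            hits.add(d["id"])
    return hits


def term_keyword(field, value):
    """Gotcha 1: `field.keyword : "Active"`. The keyword sub-field is stored
    verbatim, so the comparison is exact and case-sensitive."""
    return {d["id"] for d in DOCS if d.get(field) == value}


def exists(field):
    """`field : *` in KQL: only documents that actually carry the field."""
    return {d["id"] for d in DOCS if field in d}


def not_(hits):
    """Gotcha 3: KQL `not` is a bool.must_not clause. It returns everything the
    inner query did not match, which includes documents lacking the field."""
    return ALL_IDS - hits


if __name__ == "__main__":
    print('status : "Active"                  ->', sorted(match_text("status", "Active")))
    print('status.keyword : "Active"          ->', sorted(term_keyword("status", "Active")))
    print('message : connection reset         ->', sorted(match_text("message", "connection reset")))
    print('message : "connection reset"       ->', sorted(match_phrase("message", "connection reset")))
    print('not status : "ok"                  ->', sorted(not_(match_text("status", "ok"))))
    print('status : * and not status : "ok"   ->',
          sorted(exists("status") & not_(match_text("status", "ok"))))
```

The last two lines are the ones that matter for a detection rule: the bare not returns doc 4, which has no status at all, and only the version with status : * narrows the result to documents that really carry a non-ok status.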

Filters vs the query bar

A saved filter pill is composable across dashboards and runs in filter context, where it contributes no relevance score and is eligible for Elasticsearch's node query cache. Prefer pills for anything you want to reuse; keep the query bar for exploration.


Reader Discussion

6 replies

  1. Fatima Al-Zahra · Security Engineer · Story

    DLS/FLS is so underrated. We were 3 sprints into building a custom tenancy proxy when someone surfaced these features in a brown bag. Cancelled the project. Saved an entire quarter of work.

    Sep 01, 2025 · 4 days later
  2. Takeshi Mori · Platform · Agrees

    the 'space membership + role + ES privilege' three-way alignment is the source of every "why does this dashboard return zero hits" ticket I've ever closed. should be a chart in onboarding.

    Sep 02, 2025 · 5 days later
  3. Evi Papadopoulou · Tech Lead · From experience

    canvas is great until someone makes a 47-element dashboard and the page hangs for 8s. happy mediums exist somewhere between "4 KPI tiles" and "art project". still love it for exec readouts though.

    Sep 03, 2025 · 6 days later
  4. Clara Jensen · SRE · Agrees

    splitting on-call vs fyi connectors is one of those changes that pays for itself in two weeks and you spend the next two years wondering how you ever lived without it. people stopped muting #alerts. that's the metric.

    Aug 30, 2025 · 2 days later
  5. Minh Vũ · Đà Nẵng · DevOps · From experience

    rules-as-code is right. my team once had 247 rules, nobody knew who created or edited which, half of them duplicates. export to git, code review, blame tells you who broke it. fixed overnight, nobody complained.

    Aug 31, 2025 · 3 days later
  6. Isabella Costa · Junior Engineer · Kind words

    saved this. sharing at standup tomorrow — we've had exactly this problem for 2 sprints and nobody on the team had framed it this way 🙏

    Aug 30, 2025 · 2 days later

Worked on something similar? Email ducminhldm@gmail.com — I read every one. The good ones become future posts.

Comments seeded · live discussion via email