
  • Mastering Kibana 6.x
  • Anurag Srivastava
  • 313 words
  • 2021-07-16 18:20:18

Elasticsearch query DSL

Kibana accepts Lucene query syntax or Elasticsearch query DSL for querying the index. It also supports the new Kuery language, but it must first be enabled by clicking on Management and then on Advanced Settings. On the Advanced Settings page, we set the following two options:

  • Set search:queryLanguage:switcher:enable to true
  • Set the default language in search:queryLanguage

Now, we have Packetbeat data in the Elasticsearch index, which we can use to get the answers for our questions. So, let's say we want to check what is happening on a certain port on the server. We can track it using the search box:

source.port:80

If we want only the records where the source port is 80 and the transport type is tcp, we can modify the query and join both conditions with AND to narrow the result:

source.port:80 AND transport:tcp

The following screenshot shows the result of the filter option, source.port:80, through which we are getting the records where the source port number is 80:

In the previous screenshot, we can see the search criteria as source.port:80, and after searching, the search value is highlighted in the results. By combining search criteria with AND/OR, we can get more relevant results and drill down into the data. When we submit the search request, the document table, histogram, and field lists are updated to reflect the search results. After searching, the total number of matching documents is shown at the top of the page as the number of hits. We have 350 hits.

Document listing is shown in reverse chronological order, which means that the newest document is first on the listing. We can change this by clicking on the up/down arrows in front of the time column in the document display.
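The search box query above, source.port:80 AND transport:tcp, written as an Elasticsearch query DSL request body with the newest-first ordering described here. This is an added example, not code from the book; the @timestamp sort field, the helper names, and the sample documents are assumptions constructed for illustration, and the local matcher only mimics the filter so the result can be checked without a cluster.

```python
import json

def build_query(conditions, newest_first=True):
    """Query DSL body for field:value terms joined with AND."""
    body = {"query": {"bool": {"filter": [
        {"term": {field: value}} for field, value in conditions.items()]}}}
    if newest_first:
        # "@timestamp" is the assumed time field (Beats default).
        body["sort"] = [{"@timestamp": {"order": "desc"}}]
    return body

def get_field(doc, dotted):
    """Resolve a dotted path such as source.port in a nested document."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def search_local(body, docs):
    """Apply the term filters and sort to in-memory docs, like a tiny index."""
    terms = [pair for clause in body["query"]["bool"]["filter"]
             for pair in clause["term"].items()]
    hits = [d for d in docs if all(get_field(d, f) == v for f, v in terms)]
    if body.get("sort"):
        hits.sort(key=lambda d: d["@timestamp"], reverse=True)
    return hits

# Constructed sample documents shaped like Packetbeat events (not real data).
SAMPLE_DOCS = [
    {"id": "a", "@timestamp": "2018-06-01T10:00:00Z", "transport": "tcp", "source": {"port": 80}},
    {"id": "b", "@timestamp": "2018-06-01T10:05:00Z", "transport": "udp", "source": {"port": 80}},
    {"id": "c", "@timestamp": "2018-06-01T10:07:00Z", "transport": "tcp", "source": {"port": 443}},
    {"id": "d", "@timestamp": "2018-06-01T10:09:00Z", "transport": "tcp", "source": {"port": 80}},
]

if __name__ == "__main__":
    body = build_query({"source.port": 80, "transport": "tcp"})
    print(json.dumps(body, indent=2))
    hits = search_local(body, SAMPLE_DOCS)
    print(len(hits), "hits:", [h["id"] for h in hits])
```

The printed JSON can be sent as the body of a _search request against the Packetbeat index; the bool filter clauses play the role of AND in the search box.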
