Cheatography

Kibana Search Tips Cheat Sheet by

Searching

Search Type | Example 1 | Example 2
--- | --- | ---
Keyword | usbstor |
OR Keyword | usbstor OR deviceclasses | usbstor deviceclasses
AND Keyword | usbstor AND deviceclasses |
NOT Keyword | NOT usbstor |
Phrase* | "/WINDOWS/system32/config/" | "WINDOWS system32 config"
Field Match | termname:keywordone | source_short:webhist
Exact Field Match** | parser.raw:"sqlite/firefox_cookies" |
OR Term Search | source_short:(reg evt) | source_short:reg source_short:evt
Field Exists | _exists_:star |
Field Missing | _missing_:star |
Wildcards*** | *.exe | *.ppt?
Regular Expressions | /doc([mx]?)/ | name:/joh?n(ath[oa]n)/
Fuzzy | svchost~ | lsass~1
* Double quotes are required for phrase searching; single quotes do not work.
** Not-analyzed fields are case sensitive.
*** Allowing a wildcard at the beginning of a word (e.g. "*ing") is particularly heavy, because all terms in the index need to be examined, just in case they match.
Reference: https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html

Analyzed vs Not Analyzed (.raw)

String (Not Analyzed): "Set the shape to semi-transparent by calling set_trans(5)"
Standard Analyzed: set, the, shape, to, semi, transparent, by, calling, set_trans, 5

This is how Elasticsearch stores analyzed and not-analyzed strings for searching.
Not-analyzed fields need to be searched as one exact phrase.
Analyzed fields can be searched using one or more of their tokens.
See: https://www.elastic.co/guide/en/elasticsearch/guide/current/mapping-intro.html
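The following is an added example, not part of the cheat sheet and not Elasticsearch's own code. It models in plain Python the three behaviours the sheet describes: an analyzed field is tokenized and matched token by token (so "WINDOWS system32 config" finds the path), a not-analyzed (.raw) field must match the whole string exactly and case-sensitively, and a leading wildcard forces a scan of the entire term dictionary while a trailing wildcard can seek to its literal prefix. The analyzer is a rough stand-in for the standard analyzer (lowercase, split on punctuation), and the sample documents are constructed; the first one is the example string from the Elastic mapping guide quoted above.

```python
import re
from bisect import bisect_left
from fnmatch import fnmatchcase

# Constructed sample documents (not from the cheat sheet); doc 1 is the
# example string from the Elastic mapping guide the sheet links to.
DOCS = {
    1: "Set the shape to semi-transparent by calling set_trans(5)",
    2: "C:/WINDOWS/system32/config/SAM",
    3: "svchost.exe spawned lsass.exe",
}


def standard_analyze(text):
    """Rough stand-in for the standard analyzer: lowercase, split on
    whitespace/punctuation, keep letters, digits and underscores together."""
    return re.findall(r"\w+", text.lower())


def build_index(docs):
    """Return (analyzed_index, raw_index).

    analyzed_index maps each token to the set of doc ids containing it
    (what an analyzed field looks like); raw_index maps the untouched,
    case-preserved string to its doc ids (what a .raw field looks like)."""
    analyzed, raw = {}, {}
    for doc_id, text in docs.items():
        for tok in standard_analyze(text):
            analyzed.setdefault(tok, set()).add(doc_id)
        raw.setdefault(text, set()).add(doc_id)
    return analyzed, raw


def match_analyzed(analyzed_index, query):
    """Keyword search on an analyzed field: analyze the query the same way
    and OR the postings of each token (query_string's default operator)."""
    hits = set()
    for tok in standard_analyze(query):
        hits |= analyzed_index.get(tok, set())
    return hits


def match_raw(raw_index, query):
    """Exact, case-sensitive match on a not-analyzed (.raw) field."""
    return raw_index.get(query, set())


def wildcard_terms(analyzed_index, pattern):
    """Expand a wildcard pattern against the sorted term dictionary.

    Returns (matching terms, number of terms examined). With a literal
    prefix before the first wildcard we can seek to it and stop at the
    first term that no longer shares it; with a leading wildcard there is
    no prefix to seek to, so every term in the dictionary is examined."""
    terms = sorted(analyzed_index)
    prefix = re.split(r"[*?]", pattern, maxsplit=1)[0]
    if prefix:
        matched, examined = [], 0
        for term in terms[bisect_left(terms, prefix):]:
            examined += 1
            if not term.startswith(prefix):
                break
            if fnmatchcase(term, pattern):
                matched.append(term)
        return matched, examined
    # Leading wildcard: full dictionary scan, the cost the sheet warns about.
    return [t for t in terms if fnmatchcase(t, pattern)], len(terms)


if __name__ == "__main__":
    analyzed, raw = build_index(DOCS)
    print("tokens of doc 1:", standard_analyze(DOCS[1]))
    print("analyzed 'WINDOWS system32 config' ->", match_analyzed(analyzed, "WINDOWS system32 config"))
    print("raw exact, correct case ->", match_raw(raw, "C:/WINDOWS/system32/config/SAM"))
    print("raw exact, wrong case ->", match_raw(raw, "c:/windows/system32/config/sam"))
    print("trailing wildcard s* ->", wildcard_terms(analyzed, "s*"))
    print("leading wildcard *32 ->", wildcard_terms(analyzed, "*32"))
```

The examined-term counts returned by wildcard_terms are the point: with 19 distinct terms in this tiny index, "*32" examines all 19 while "s*" touches only the 9 terms around the prefix; on a real index with millions of terms the gap is what makes leading wildcards expensive.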
