Lucene Cheat Sheet

Apache Lucene is a search library used by the popular Kibana and OpenSearch Dashboards projects.

While both projects have their own DSLs for searching [1], they also support Lucene as a fallback.

There are often useful dashboard queries that can only be performed by dropping down to Lucene.

Checking if a field doesn’t exist

SYNTAX:  !_exists_:<field>
EXAMPLE: !_exists_:http.status
NOTES:   Only matches if a key doesn't exist. Will not find fields that are empty or set to nil values.

Checking if a field does exist

SYNTAX:  _exists_:<field>
EXAMPLE: _exists_:http.header.user_agent
NOTES:   Empty or nil values will still match. Only fails to match if a key is missing entirely.

Finding text “similar” to existing fields (i.e., Levenshtein distance)

SYNTAX:  <query>~
EXAMPLE: awetome~
NOTES:   This example would find documents containing "awesome" and other variations.

Footnotes

  1. Kibana Query Language (KQL) for Kibana and Dashboards Query Language (DQL) for OpenSearch Dashboards.