
Searching in the Visualizer

This is a focused guide or ‘cheat sheet’ for searching in the Visualizer. More documentation can be found at https://www.elastic.co/guide/en/kibana/6.8/search.html

When searching, there are usually many ways of achieving the same result. You can use these search types individually or in combination with other search types (chaining).

Default fields that are searchable

The following fields are available to search within a typical file system index. Field names are case-sensitive, so type them exactly as listed (the examples on this page use extension:pdf, not Extension:pdf).

  Index field                                         Field type
  creationTimeUtc   (Created Date & Time)             Date/Time
  lastWriteTimeUtc  (Last Modified Date & Time)       Date/Time
  extension         (file extension, e.g. pdf)        Text String
  length            (size in bytes)                   Number
  name              (filename)                        Text String
  parent            (Parent Folder) *                 Text String
  path              (File Path) *                     Text String
  fullText          (Text in Document, if available)  Text String

* Note: a backslash “ \ ” in a search term must be written as two “ \\ ”, so the UNC prefix \\server\share is typed as \\\\server\\share.

Free Text Search

Free text search takes the words entered and matches them against every indexed field (name, path, fullText, etc). Matching is done on whole indexed words (terms) and is case-insensitive, so acme matches Acme.docx but not ProdAcme.txt, where prodacme is indexed as a single term. If more than one word is entered, each word is searched as if there were an OR between them.

Examples:

Input:

ACME

Will match: Any file that contains the word acme.

  • acme.txt

  • Acme.docx

  • We are ACME corp.pptx

Will NOT match:

  • ProdAcme.txt


Input:

ACME Corp

Will match: Any file that contains either of the words acme or corp.

  • acme.txt

  • corp.docx

  • We are ACME corp.pptx

Will NOT match:

  • ACE CO.txt

Search for a specific value in an indexed field 

You can limit your search to only look at one field for information. Prefix the search with the name of the field you want to search, followed by a colon ( : ) and the term you want to find in that field.

Examples:

Find any PDF files: 

extension:pdf

Limit your search to file names:

name: quarterly

Limit your search to text in a document:

fullText:ACME

Exact Search (aka match phrase)

Wrapping your search in “double-quotes” searches for that exact phrase: all of the words must be present, in that order, next to each other. This can be combined with other search methods (free text, a specific indexed field, etc.) to sharpen a search, and it is especially useful for terms that contain a space.

Examples:

Find a specific file name: 

name: "ACME corp dress code 2019.docx"

Find all files with a term (containing spaces)

"accounts receivable"

Will match: Any file with the term “accounts receivable” (space included)

  • 2019 accounts receivable.docx

  • \\server\share\2020 accounts receivable\June\123.xlsx

  • Within the fullText of a file:

    • “…Lorem ipsum dolor sit amet, consectetur adipiscing elit. Praesent ut sapien a purus rhoncus commodo nec eget orci. Accounts receivable Nullam placerat, orci eu fermentum varius, lectus neque semper eros, nec interdum. …”

Will NOT match:

  • 2019accountsrecevable.docx

  • \\server\share\accounts\receivable\123.xlsx
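The three matching rules above (unquoted words OR-ed together over whole, case-insensitive terms; field:term restricting the search to one field; "double quotes" requiring an adjacent phrase) as an added Python example. This is not Visualizer or Kibana code: it approximates Elasticsearch's standard analyzer with a split-on-non-alphanumerics tokenizer, which is an assumption about the index mapping, and runs this page's queries over a constructed sample index so you can see why ProdAcme.txt and 2019accountsrecevable.docx are not hits.

```python
import re

# Added example, not Visualizer/Kibana code. The analyzer below approximates
# Elasticsearch's standard analyzer (split on non-alphanumerics, lowercase);
# the real index mapping may differ, so treat it as an assumption.
_TERM_RE = re.compile(r"[0-9a-z]+")
_FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(.*\S)\s*$")


def analyze(text):
    """Index a value as lowercase terms: 'We are ACME corp.pptx' -> [we, are, acme, corp, pptx]."""
    return _TERM_RE.findall(text.lower())


def free_text_match(query, value):
    """Unquoted words are OR-ed: the value matches if any query term is one of its terms."""
    value_terms = set(analyze(value))
    return any(term in value_terms for term in analyze(query))


def phrase_match(phrase, value):
    """Double-quoted search: all terms must occur, in order, with nothing in between."""
    wanted, terms = analyze(phrase), analyze(value)
    return any(terms[i:i + len(wanted)] == wanted
               for i in range(len(terms) - len(wanted) + 1))


def search(query, docs):
    """Run one query-bar expression over `docs` and return the matching file names.

    Supports: free text, "quoted phrase", field:term and field:"quoted phrase".
    A query without a field name is checked against every indexed field.
    """
    m = _FIELD_RE.match(query)
    field, term = (m.group(1), m.group(2)) if m else (None, query.strip())
    quoted = len(term) >= 2 and term[0] == term[-1] == '"'
    matcher = phrase_match if quoted else free_text_match
    needle = term.strip('"')
    hits = []
    for doc in docs:
        values = [doc.get(field, "")] if field else list(doc.values())
        if any(matcher(needle, str(v)) for v in values):
            hits.append(doc["name"])
    return hits


# Constructed sample index made from the file names used on this page.
SAMPLE_DOCS = [
    {"name": "acme.txt", "extension": "txt", "fullText": ""},
    {"name": "Acme.docx", "extension": "docx", "fullText": ""},
    {"name": "We are ACME corp.pptx", "extension": "pptx", "fullText": ""},
    {"name": "ProdAcme.txt", "extension": "txt", "fullText": ""},
    {"name": "corp.docx", "extension": "docx", "fullText": ""},
    {"name": "ACE CO.txt", "extension": "txt", "fullText": ""},
    {"name": "ACME corp dress code 2019.docx", "extension": "docx", "fullText": ""},
    {"name": "2019 accounts receivable.docx", "extension": "docx", "fullText": ""},
    {"name": "2019accountsrecevable.docx", "extension": "docx", "fullText": ""},
    {"name": "ledger.pdf", "extension": "pdf",
     "fullText": "Praesent ut sapien. Accounts receivable Nullam placerat, orci eu fermentum."},
]

if __name__ == "__main__":
    for q in ("ACME", "ACME Corp", "extension:pdf", '"accounts receivable"',
              'name: "ACME corp dress code 2019.docx"'):
        print(f"{q!r:45} -> {search(q, SAMPLE_DOCS)}")
```

The phrase check is what separates "accounts receivable" from the unquoted form: both terms have to be adjacent in the analyzed value, so a name that was indexed as the single term 2019accountsrecevable never qualifies, while the phrase inside ledger.pdf's fullText does.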

Date Search

Searching by date needs to be formatted as:

  • yyyy-mm-dd

  • yyyy-mm

  • yyyy

You can also use date math. The word “now” is resolved by the Elasticsearch server when the query runs (in UTC, like the *Utc fields). To turn a single value into a range, put a comparison operator in front of it:

  • < Less-than

  • <= Less-than or equal-to

  • > Greater-than

  • >= Greater-than or equal-to

An offset can then be added to or subtracted from “now”, and the result can be rounded:

  • + Plus

  • - Minus

  • / Round down to the start of the unit that follows (now/d is midnight at the start of today, UTC)

An offset is a number followed by one of these units. The letters are case-sensitive: M is months, m is minutes.

  • y Years (lowercase)

  • M Months (uppercase)

  • w Weeks (lowercase)

  • d Days (lowercase)

  • h or H Hours

  • m Minutes (lowercase)

  • s Seconds (lowercase)

Examples:

Find files with a created date earlier than now minus one year:

creationTimeUtc: <now-1y

If the current time is September 19th, 2020 at 11:00 am UTC, this shows files with a created date earlier than September 19th, 2019 at 11:00 am UTC.


Find files with a last modified date of 2015 or later:

lastWriteTimeUtc: >=2015

A date with missing parts covers its whole period, and Elasticsearch rounds it according to the side of the range it sits on: for >= (and <) it rounds down to 2015-01-01T00:00:00, while for > (and <=) it rounds up to 2015-12-31T23:59:59.999. That means lastWriteTimeUtc: >2015 returns only files modified from 2016 onwards and skips everything modified during 2015.


Find files with a creation date of July 18th, 2019 (a plain date with no operator covers the whole day):

creationTimeUtc: 2019-07-18


Find files with a created date and time within the last month:

creationTimeUtc: >=now-1M

Search for a Range of Numerical / Time / Date Values

To search a range of values, use the bracket range syntax [start_value TO end_value]. Square brackets include both end values; curly braces exclude them ({start_value TO end_value}), and the two can be mixed ([1048576 TO 10485760} includes 1048576 but not 10485760). A * stands for an open end, so length: [10485760 TO *] finds everything of 10 MB or more. Date ranges accept the same yyyy-mm-dd, yyyy-mm, yyyy and now-based values as above, and a partial date at the upper end is rounded up to cover its whole period.

Examples:

Find any files with a size of 1 MB to 10 MB (length is in bytes; 1 MB here is 1048576 bytes):

length: [1048576 TO 10485760]


Find files with a last modified date from January 1st 1991 to January 1st 2020 (inclusive):

lastWriteTimeUtc: [1991-01-01 TO 2020-01-01]


Find files with a created date from January 1st 1991 to January 1st 2020 (inclusive):

creationTimeUtc: [1991-01-01 TO 2020-01-01]
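The date math and range forms from the two sections above, resolved to concrete instants, as an added Python example. It is not Elasticsearch's own parser: it re-implements the now, +, -, / and unit syntax, pins "now" to the constructed example time of September 19th, 2020 11:00 UTC, and applies the rounding Elasticsearch uses for a partial date on each side of a range, so the difference between >2015 and >=2015 is visible in the output.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example, not Elasticsearch's own parser: resolves the date-math and
# range forms on this page to concrete UTC instants, including the rounding
# Elasticsearch applies to partial dates on each side of a range.
# "now" is pinned to the page's example time (a constructed value).
NOW = datetime(2020, 9, 19, 11, 0, 0, tzinfo=timezone.utc)

_MATH_RE = re.compile(r"([+-])(\d+)([yMwdhHms])|(/)([yMwdhHms])")
_RANGE_RE = re.compile(
    r"^\s*(\w+)\s*:\s*(?:(<=|>=|<|>)\s*(\S+)|\[\s*(\S+)\s+TO\s+(\S+)\s*\]|(\S+))\s*$")
_DELTA_UNIT = {"w": "weeks", "d": "days", "h": "hours", "H": "hours",
               "m": "minutes", "s": "seconds"}
_FLOOR = {"y": dict(month=1, day=1, hour=0, minute=0, second=0, microsecond=0),
          "M": dict(day=1, hour=0, minute=0, second=0, microsecond=0),
          "d": dict(hour=0, minute=0, second=0, microsecond=0),
          "h": dict(minute=0, second=0, microsecond=0),
          "H": dict(minute=0, second=0, microsecond=0),
          "m": dict(second=0, microsecond=0),
          "s": dict(microsecond=0)}


def _shift_months(dt, months):
    """Move by whole months (the y and M units), clamping the day to the target month."""
    total = dt.year * 12 + dt.month - 1 + months
    year, month = divmod(total, 12)
    month += 1
    first_of_next = datetime(year + (month == 12), month % 12 + 1, 1, tzinfo=timezone.utc)
    last_day = (first_of_next - timedelta(days=1)).day
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def _advance(dt, unit, n):
    if unit in ("y", "M"):
        return _shift_months(dt, 12 * n if unit == "y" else n)
    return dt + timedelta(**{_DELTA_UNIT[unit]: n})


def _floor(dt, unit):
    if unit == "w":  # Elasticsearch weeks start on Monday
        dt = dt - timedelta(days=dt.weekday())
        unit = "d"
    return dt.replace(**_FLOOR[unit])


def date_math(expr, now=NOW, round_up=False):
    """Evaluate `now`, `now-1y`, `now/d`, or a yyyy[-mm[-dd]] literal.

    round_up=True returns the last millisecond of the rounded period instead of
    the first, which is what Elasticsearch uses for the > and <= sides of a range.
    """
    if expr.startswith("now"):
        dt, rest = now, expr[3:]
    else:  # a literal is rounded to its own precision: 2015 means the whole year
        parts = [int(p) for p in expr.split("-")]
        dt = datetime(parts[0], parts[1] if len(parts) > 1 else 1,
                      parts[2] if len(parts) > 2 else 1, tzinfo=timezone.utc)
        rest = "/" + {1: "y", 2: "M", 3: "d"}[len(parts)]
    for sign, num, unit, slash, runit in _MATH_RE.findall(rest):
        if slash:
            dt = _floor(dt, runit)
            if round_up:
                dt = _advance(dt, runit, 1) - timedelta(milliseconds=1)
        else:
            dt = _advance(dt, unit, int(num) if sign == "+" else -int(num))
    return dt


def range_bounds(query, now=NOW):
    """Turn `field: <op>value`, `field: [a TO b]` or `field: value` into
    (field, low, high, low_inclusive, high_inclusive)."""
    m = _RANGE_RE.match(query)
    if not m:
        raise ValueError(f"not a range query: {query!r}")
    field, op, val, lo, hi, bare = m.groups()
    neg_inf = datetime.min.replace(tzinfo=timezone.utc)
    pos_inf = datetime.max.replace(tzinfo=timezone.utc)
    if op == ">":   # rounds the literal UP, then excludes it: >2015 starts in 2016
        return field, date_math(val, now, round_up=True), pos_inf, False, True
    if op == ">=":  # rounds DOWN: >=2015 starts at 2015-01-01T00:00:00
        return field, date_math(val, now), pos_inf, True, True
    if op == "<":   # rounds DOWN, then excludes it
        return field, neg_inf, date_math(val, now), True, False
    if op == "<=":  # rounds UP and includes it
        return field, neg_inf, date_math(val, now, round_up=True), True, True
    lo, hi = (lo, hi) if lo else (bare, bare)  # [a TO b] and bare values are inclusive
    return field, date_math(lo, now), date_math(hi, now, round_up=True), True, True


def in_range(ts, bounds):
    """Would a document whose field holds timestamp `ts` match the range?"""
    _, low, high, lo_inc, hi_inc = bounds
    return (ts >= low if lo_inc else ts > low) and (ts <= high if hi_inc else ts < high)


if __name__ == "__main__":
    for q in ("creationTimeUtc: <now-1y", "lastWriteTimeUtc: >2015", "lastWriteTimeUtc: >=2015",
              "creationTimeUtc: 2019-07-18", "creationTimeUtc: >=now-1M"):
        field, low, high, lo_inc, hi_inc = range_bounds(q)
        print(f"{q:32} {'[' if lo_inc else '('}{low.isoformat()} .. {high.isoformat()}{']' if hi_inc else ')'}")
```

Run it and compare the two lastWriteTimeUtc lines: the > form starts at 2015-12-31T23:59:59.999 exclusive, the >= form at 2015-01-01T00:00:00 inclusive, which is the whole difference between "after 2015" and "2015 or later".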

Boolean Operators

A search for quick brown fox (no quotes) finds any document that contains one or more of quick, brown or fox. The preferred operators are + (this term must be present) and - (this term must not be present); AND, OR and NOT also work for most use cases, with the precedence caveat below.

Example:

quick brown +fox -news

states that:

  • fox must be present

  • news must not be present

  • quick and brown are optional — their presence increases the relevance

The familiar boolean operators AND, OR and NOT are also supported but beware that they do not honour the usual precedence rules, so parentheses should be used whenever multiple operators are used together. For instance, the previous query could be rewritten as:

((quick AND fox) OR (brown AND fox) OR fox) AND NOT news
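The +, - and bare-term rules above applied to sample values, as an added Python example. This is not Kibana's query parser: it handles only single-term clauses (no quoted phrases or parentheses), tokenizes values with a simplified standard analyzer (an assumption about the index), and ranks hits by how many optional terms they contain, which is what "their presence increases the relevance" means in practice.

```python
import re

# Added example, not Kibana's query parser: applies the +, - and bare-term
# semantics of the query string to sample values. Terms come from a simplified
# standard analyzer (lowercase words), an assumption about the index.


def analyze(text):
    return re.findall(r"[0-9a-z]+", text.lower())


def parse_bool(query):
    """Split 'quick brown +fox -news' into (must, must_not, should) term lists."""
    must, must_not, should = [], [], []
    for token in query.split():
        if token.startswith("+"):
            must.append(token[1:].lower())
        elif token.startswith("-"):
            must_not.append(token[1:].lower())
        else:
            should.append(token.lower())
    return must, must_not, should


def bool_match(query, value):
    """True when every +term is present, no -term is present and, if there are
    no +terms, at least one bare term is present. A query made only of -terms
    matches everything that lacks them (Elasticsearch rewrites it that way)."""
    terms = set(analyze(value))
    must, must_not, should = parse_bool(query)
    if any(t not in terms for t in must) or any(t in terms for t in must_not):
        return False
    if must or not should:
        return True
    return any(t in terms for t in should)


def rank(query, values):
    """Matching values, best first: each bare term that is present adds relevance."""
    _, _, should = parse_bool(query)
    hits = [v for v in values if bool_match(query, v)]
    return sorted(hits, key=lambda v: -sum(t in set(analyze(v)) for t in should))


# Constructed sample values
SAMPLE_VALUES = [
    "the quick brown fox",
    "the quick fox in the news",
    "fox",
    "quick brown dog",
    "brown fox jumps",
]

if __name__ == "__main__":
    for v in rank("quick brown +fox -news", SAMPLE_VALUES):
        print(v)
```

Note the asymmetry: "fox" on its own is a hit because the only mandatory term is present, while "quick brown dog" is rejected even though it carries two optional terms.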

Regex

Regex-based searching requires knowledge of how regular expressions work. To use a regex, wrap the pattern in forward slashes: /.../

Regular expressions in Elasticsearch/Kibana have their own syntax and limitations (no \d or \w classes, no lookaround, no ^ or $ anchors), which should be reviewed here: https://www.elastic.co/guide/en/elasticsearch/reference/6.8//query-dsl-regexp-query.html#regexp-syntax

A regex is matched against the individual indexed terms of a field and must match a whole term: /202[0-2]/ matches a term that is exactly 2020, 2021 or 2022, but not the term 2021report. On an analyzed field each word of the value is a separate, lowercased term. To match against the complete, unmodified value of a field instead (case-sensitive, spaces and punctuation included), query its keyword sub-field by adding .keyword to the field name:

<fieldName>.keyword

Replacing <fieldName> with the name of the field you want to search within. Because the whole value is one term there, the pattern usually needs .* on both sides, e.g. name.keyword:/.*202[0-2].*/. Patterns that begin with .* or a wildcard have to be tested against every term in the index and can be slow on a large index.

Examples:

To find all files that have a term that is exactly 2020, 2021 or 2022:

/202[0-2]/

Wildcards

Wildcards can be used to account for some variance in a term. Two wildcard characters are recognised in the query string. Like a regex, they are matched against individual indexed terms, so the pattern has to cover the whole term it is meant to match:

  Symbol   Use
  *        Matches zero or more characters at that position (usually placed at the end of a word)
  ?        Matches exactly one character at that position

Wildcards can be combined with a field name (name:Window*). A pattern that starts with * or ? has to be checked against every term in the index and can be very slow on a large index.

Examples:

ex. Window*

Will match:

  • Window

  • Windows

  • Windowsarecool

Will NOT match:

  • Widow

  • Widows

ex. Window?

Will match:

  • Windows

  • Windowe

  • Windown

Will NOT match:

  • Window

  • Windot
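The term-anchored matching that the Regex and Wildcards sections above both rely on, as an added Python example. It is not Lucene's implementation: it translates * and ? into an anchored regular expression, matches /.../ patterns with Python's re module (which agrees with Lucene's syntax for the character classes, . and * used here; this is an assumption for anything fancier), tokenizes text fields with a simplified standard analyzer, lowercases wildcard patterns for text fields the way Kibana's analyze_wildcard option does, and models the .keyword sub-field as the raw, untokenized value.

```python
import re

# Added example, not Lucene's implementation: shows how wildcard (* and ?) and
# /regex/ queries are matched against whole indexed terms, and how the .keyword
# sub-field changes that. Assumptions: text fields are tokenized into lowercase
# words by a standard-analyzer lookalike, wildcard patterns are lowercased for
# text fields (Kibana's analyze_wildcard behaviour), and the Lucene regex
# features used here mean the same thing in Python's re module.


def analyze(text):
    return re.findall(r"[0-9a-z]+", text.lower())


def wildcard_to_regex(pattern):
    """* matches any run of characters, ? exactly one; everything else is literal."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)


def _candidates(value, keyword):
    # name.keyword holds the raw, untokenized value; name holds its lowercase terms
    return [value] if keyword else analyze(value)


def wildcard_match(pattern, value, keyword=False):
    """Wildcard query against one value: the whole term must match, there is no implicit *."""
    rx = re.compile(wildcard_to_regex(pattern if keyword else pattern.lower()))
    return any(rx.fullmatch(term) for term in _candidates(value, keyword))


def regex_match(regex, value, keyword=False):
    """/.../ query: Lucene anchors the pattern to the entire term."""
    body = regex[1:-1] if regex.startswith("/") and regex.endswith("/") else regex
    rx = re.compile(body)
    return any(rx.fullmatch(term) for term in _candidates(value, keyword))


def matching(pattern, values, keyword=False, regex=False):
    """Values (file names) that the wildcard or regex pattern selects, in input order."""
    match = regex_match if regex else wildcard_match
    return [v for v in values if match(pattern, v, keyword)]


# Constructed sample file names, taken from the examples on this page
WINDOW_FILES = ["Window", "Windows", "Windowsarecool", "Widow", "Widows",
                "Windowe", "Windown", "Windot"]
YEAR_FILES = ["budget 2021.xlsx", "2021report.docx", "2019 plan.pdf", "notes.txt"]

if __name__ == "__main__":
    print("Window* ->", matching("Window*", WINDOW_FILES))
    print("Window? ->", matching("Window?", WINDOW_FILES))
    print("/202[0-2]/ on name ->", matching("/202[0-2]/", YEAR_FILES, regex=True))
    print("/202[0-2]/ on name.keyword ->",
          matching("/202[0-2]/", YEAR_FILES, keyword=True, regex=True))
    print("/.*202[0-2].*/ on name.keyword ->",
          matching("/.*202[0-2].*/", YEAR_FILES, keyword=True, regex=True))
```

The last three lines of output are the point of the .keyword note: on the analyzed name field /202[0-2]/ finds "budget 2021.xlsx" (the term 2021 matches) but not "2021report.docx" (the term is 2021report); on name.keyword the same pattern finds nothing at all until it is widened with .* on both sides.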

Fuzzy Search

Fuzzy search or ‘Fuzziness’ is used to find terms that are similar to the one typed but not identical (a character inserted, deleted or substituted, or two adjacent characters swapped). It is written as the term followed by ~, optionally with the number of allowed changes, and uses the Damerau-Levenshtein distance to find all terms within that many changes of the term searched for.

From: https://www.elastic.co/guide/en/elasticsearch/reference/6.5/query-dsl-query-string-query.html#_fuzziness

This uses the Damerau-Levenshtein distance to find all terms with a maximum of two changes, where a change is the insertion, deletion or substitution of a single character, or transposition of two adjacent characters.

The default edit distance is 2, but an edit distance of 1 should be sufficient to catch 80% of all human misspellings. It can be specified as:

quikc~1

In the Kibana query bar a bare ~ with no number gets Elasticsearch's AUTO fuzziness rather than a fixed 2: 0 changes for terms of 1 or 2 characters, 1 change for 3 to 5 characters and 2 changes for anything longer. The examples below are consistent with that, which is why test~ tolerates only a single change. Lucene caps the distance at 2, so test~3 behaves exactly like test~2; write ~1 or ~2 explicitly when the result has to be predictable.

Examples:

Input:

test~

Will Match:

  • test.txt

  • tets.txt

Will NOT match:

  • sets.txt

  • etes.txt

  • tester.txt

  • testing.txt

  • tetris.txt


Input

test~3

Will match

  • test.xlsx

  • etes.docx

  • tets.txt

  • stet.pptx

  • txt.txt

  • tester.txt

Will NOT match

  • testing.docx

  • tetris.docx

  • tutser.pptx
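The distance computation behind the two example lists above, as an added Python example. It is not Lucene's automaton-based implementation: it computes the Damerau-Levenshtein distance in its optimal string alignment form, applies the AUTO rule for a bare ~ and the cap of 2 for an explicit number, and splits file names into lowercase terms with a simplified standard analyzer (an assumption about the index), so that a file is a hit when any of its terms is close enough.

```python
import re

# Added example, not Lucene's automaton-based implementation: computes the
# edit distance behind the ~ operator (Damerau-Levenshtein, optimal string
# alignment form) and reproduces the match lists above. File names are split
# into lowercase terms by a simplified standard analyzer (an assumption about
# the index); a fuzzy query matches a file if ANY of its terms is close enough.

MAX_EDITS = 2  # Lucene's hard limit; test~3 is silently treated as test~2


def analyze(text):
    return re.findall(r"[0-9a-z]+", text.lower())


def osa_distance(a, b):
    """Edits needed to turn a into b: insert, delete, substitute, or swap two adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # delete a[i-1]
                          d[i][j - 1] + 1,          # insert b[j-1]
                          d[i - 1][j - 1] + cost)   # substitute (or keep)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transpose
    return d[len(a)][len(b)]


def auto_fuzziness(term):
    """Elasticsearch AUTO: 0 edits for 1-2 characters, 1 for 3-5, 2 for 6 or more."""
    return 0 if len(term) < 3 else 1 if len(term) < 6 else 2


def parse_fuzzy(query):
    """'test~' -> ('test', 1) via AUTO; 'test~3' -> ('test', 2) because of the cap."""
    term, _, edits = query.partition("~")
    term = term.lower()
    allowed = auto_fuzziness(term) if edits == "" else min(int(edits), MAX_EDITS)
    return term, allowed


def fuzzy_hits(query, filenames):
    """File names with at least one term within the allowed distance of the query term."""
    term, edits = parse_fuzzy(query)
    return [f for f in filenames
            if any(osa_distance(term, t) <= edits for t in analyze(f))]


# Constructed lists built from the examples on this page
DEFAULT_FUZZ_FILES = ["test.txt", "tets.txt", "sets.txt", "etes.txt",
                      "tester.txt", "testing.txt", "tetris.txt"]
EXPLICIT_FUZZ_FILES = ["test.xlsx", "etes.docx", "tets.txt", "stet.pptx", "txt.txt",
                       "tester.txt", "testing.docx", "tetris.docx", "tutser.pptx"]

if __name__ == "__main__":
    for q, files in (("test~", DEFAULT_FUZZ_FILES), ("test~3", EXPLICIT_FUZZ_FILES)):
        term, edits = parse_fuzzy(q)
        print(f"{q}: {edits} edit(s) allowed -> {fuzzy_hits(q, files)}")
        for f in files:
            print("   ", f, [(t, osa_distance(term, t)) for t in analyze(f)])
```

The per-term distances printed under each query explain the lists: tets is one transposition away from test, sets and etes are two edits away (so they appear only under the explicit form), and txt.txt is a hit under test~3 because the term txt itself is two edits from test, not because of its extension.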
