opensearch-docs-cn/_dashboards/dql.md

4.0 KiB

layout title nav_order
default Dashboards Query Language 99

Dashboards Query Language

Similar to the Query DSL that lets you use the HTTP request body to search for data, you can use the Dashbaords Query Language (DQL) in OpenSearch Dashboards to search for data and visualizations.

For example, if you want to see all visualizations of visits to a host based in the US, enter geo.dest:US into the search field, and Dashboards refreshes to display all related data.

Just like the query DSL, DQL has a handful of query types, so use whichever best fits your use case.

This section uses the OpenSearch Dashboards sample web log data. To add sample data in Dashboards, log in to OpenSearch Dashboards, choose Home, Add sample data, and then Add data.


Table of contents

  1. TOC {:toc}

Terms query

The most basic query is to just specify the term you're searching for.

host:www.example.com

To access an object's nested field, list the complete path to the field separated by periods. For example, to retrieve the lat field in the coordinates object:

coordinates.lat:43.7102

DQL also supports leading and trailing wildcards, so you can search for any terms that match your pattern.

host.keyword:*.example.com/*

To check if a field exists or has any data, use a wildcard to see if Dashboards returns any results.

host.keyword:*

Boolean query

To mix and match, or even combine, multiple queries for more refined results, you can use the boolean operators and, or, and not. DQL is not case sensitive, so AND and and are the same.

host.keyword:www.example.com and response.keyword:200

The following example demonstrates how to use multiple operators in one query.

geo.dest:US or response.keyword:200 and host.keyword:www.example.com

Remember that boolean operators follow the logical precedence order of not, and, and or, so if you have an expression like the previous example, response.keyword:200 and host.keyword:www.example.com gets evaluated first, and then Dashboards uses that result to compare with geo.dest:US.

To avoid confusion, we recommend using parentheses to dictate the order you want to evaluate in. If you want to evaluate geo.dest:US or response.keyword:200 first, your expression becomes:

(geo.dest:US or response.keyword:200) and host.keyword:www.example.com

Date and range queries

DQL also supports inequalities if you're using numeric inequalities.

bytes >= 15 and memory < 15

Similarly, you can use the same method to find a date before or after your query. > indicates a search for a date after your specified date, and < returns dates before.

@timestamp > "2020-12-14T09:35:33"

Nested field query

If you have a document with nested fields, you have to specify which parts of the document you want to retrieve.

Suppose that you have the following document:

{
  "superheroes":[
    {
      "hero-name": "Superman",
      "real-identity": "Clark Kent",
      "age": 28
    },
    {
      "hero-name": "Batman",
      "real-identity": "Bruce Wayne",
      "age": 26
    },
    {
      "hero-name": "Flash",
      "real-identity": "Barry Allen",
      "age": 28
    },
    {
      "hero-name": "Robin",
      "real-identity": "Dick Grayson",
      "age": 15
    }
  ]
}

The following example demonstrates how to use DQL to retrieve a specific field.

superheroes: {hero-name: Superman}

If you want to retrieve multiple objects from your document, just specify all of the fields you want to retrieve.

superheroes: {hero-name: Superman} and superheroes: {hero-name: Batman}

The previous boolean and range queries still work, so you can submit a more refined query.

superheroes: {hero-name: Superman and age < 50}

If your document has an object nested within another object, you can still retrieve data by specifying all of the levels.

justice-league.superheroes: {hero-name:Superman}