Queries

Query configuration and compilation.

KQL Query

KqlQuery pydantic-model

Represents a KQL (Kibana Query Language) query configuration.

KQL is the default query language in Kibana and provides a simplified syntax for filtering data.

Attributes:

Name    Type    Description
kql     str     The Kibana Query Language (KQL) query string to apply.

Show JSON schema:
{
  "additionalProperties": false,
  "description": "Represents a KQL (Kibana Query Language) query configuration.\n\nKQL is the default query language in Kibana and provides a simplified syntax for filtering data.",
  "properties": {
    "kql": {
      "description": "The Kibana Query Language (KQL) query string to apply.",
      "title": "Kql",
      "type": "string"
    }
  },
  "required": [
    "kql"
  ],
  "title": "KqlQuery",
  "type": "object"
}
Source code in kb_dashboard_core/queries/config.py
class KqlQuery(BaseCfgModel):
    """Represents a KQL (Kibana Query Language) query configuration.

    KQL is the default query language in Kibana and provides a simplified syntax for filtering data.
    """

    kql: str = Field(...)
    """The Kibana Query Language (KQL) query string to apply."""

Lucene Query

LuceneQuery pydantic-model

Represents a Lucene query configuration.

Lucene provides a more powerful and flexible, but less friendly, syntax for querying data compared to KQL.

Attributes:

Name      Type    Description
lucene    str     The Lucene query string to apply.

Show JSON schema:
{
  "additionalProperties": false,
  "description": "Represents a Lucene query configuration.\n\nLucene provides a more powerful and flexible, but less friendly, syntax for querying data compared to KQL.",
  "properties": {
    "lucene": {
      "description": "The Lucene query string to apply.",
      "title": "Lucene",
      "type": "string"
    }
  },
  "required": [
    "lucene"
  ],
  "title": "LuceneQuery",
  "type": "object"
}
Source code in kb_dashboard_core/queries/config.py
class LuceneQuery(BaseCfgModel):
    """Represents a Lucene query configuration.

    Lucene provides a more powerful and flexible, but less friendly, syntax for querying data compared to KQL.
    """

    lucene: str = Field(...)
    """The Lucene query string to apply."""

ESQL Query

ESQLQuery

Represents an ESQL (Elasticsearch Query Language) query configuration.

ESQL is a powerful query language for Elasticsearch that provides a flexible syntax for filtering data.

The query can be provided as either:

- A string: The complete ESQL query
- A list of strings: Query parts that will be concatenated with pipe characters (|)

The list format supports YAML anchors for query reuse. When anchors reference arrays, they create nested lists which are automatically flattened before concatenation.

Example with YAML anchors:

    .base: &base_query
      - FROM logs-*
      - WHERE @timestamp > NOW() - 1h

    query:
      - *base_query
      - STATS count = COUNT()

Results in:

    FROM logs-*
    | WHERE @timestamp > NOW() - 1h
    | STATS count = COUNT()
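The flatten-then-join behaviour described above, as an added example that is not the project's own code. The names `flatten_parts` and `normalize_esql` are hypothetical, and the newline-plus-pipe separator is assumed from the "Results in" rendering; the nested list is constructed to match what a YAML loader yields once the `*base_query` alias is expanded.

```python
from typing import Union

# Hypothetical alias: a query part is a string or an arbitrarily nested list of parts.
QueryPart = Union[str, list]


def flatten_parts(value: QueryPart) -> list[str]:
    """Depth-first flatten of nested lists, preserving part order."""
    if isinstance(value, str):
        part = value.strip()
        if not part:
            # An empty part would emit a dangling "|" in the final query.
            raise ValueError("empty ESQL query part")
        return [part]
    if isinstance(value, list):
        flat: list[str] = []
        for item in value:
            flat.extend(flatten_parts(item))
        return flat
    # YAML can also yield ints, dicts or None; refuse them instead of str()-ing them.
    raise TypeError(f"ESQL query parts must be str or list, got {type(value).__name__}")


def normalize_esql(value: QueryPart) -> str:
    """Return one ESQL string from either accepted input form."""
    if isinstance(value, str):
        return value  # string form: already the complete query
    parts = flatten_parts(value)
    if not parts:
        raise ValueError("ESQL query list is empty")
    # Assumed separator: newline plus pipe, as in the documented result.
    return "\n| ".join(parts)


# Constructed input: the anchor expands to a list nested inside the query list.
BASE_QUERY = ["FROM logs-*", "WHERE @timestamp > NOW() - 1h"]
QUERY = [BASE_QUERY, "STATS count = COUNT()"]

if __name__ == "__main__":
    print(normalize_esql(QUERY))
```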

Attributes:

Name Type Description
root str
Source code in kb_dashboard_core/queries/config.py
class ESQLQuery(BaseRootCfgModel):
    """Represents an ESQL (Elasticsearch Query Language) query configuration.

    ESQL is a powerful query language for Elasticsearch that provides a flexible syntax for filtering data.

    The query can be provided as either:
    - A string: The complete ESQL query
    - A list of strings: Query parts that will be concatenated with pipe characters (|)

    The list format supports YAML anchors for query reuse. When anchors reference arrays,
    they create nested lists which are automatically flattened before concatenation.

    Example with YAML anchors:
        .base: &base_query
          - FROM logs-*
          - WHERE @timestamp > NOW() - 1h

        query:
          - *base_query
          - STATS count = COUNT()

        # Results in:
        # FROM logs-*
        # | WHERE @timestamp > NOW() - 1h
        # | STATS count = COUNT()
    """

    root: NormalizedQuery = Field(...)