Create Elasticsearch query from Kibana saved search

My goal is to use a Kibana saved search to get data out of Elasticsearch. I know about the reporting feature, but it's a pain to have to wait for a CSV, download it and re-upload it every time.

I can get my saved search object via /api/saved_objects/search/{obj_id}. The contents of result["attributes"]["kibanaSavedObjectMeta"]["searchSourceJSON"] look related:

{
  "query": {
    "query": "",
    "language": "kuery"
  },
  "filter": [
    {
      "meta": {
        "negate": true,
        "type": "phrase",
        "key": "issue_type",
        "value": "bill gap",
        "params": {
          "query": "bill gap"
        },
        "disabled": false,
        "alias": null,
        "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index"
      },
      "query": {
        "match": {
          "issue_type": {
            "query": "bill gap",
            "type": "phrase"
          }
        }
      },
      "$state": {
        "store": "appState"
      }
    }
  ],
  "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index"
}

From Kibana, the Inspect / Requests panel shows this query:

{
  "version": true,
  "size": 500,
  "sort": [
    {
      "meter": {
        "order": "asc",
        "unmapped_type": "boolean"
      }
    }
  ],
  "_source": {
    "excludes": []
  },
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "time": {
              "format": "strict_date_optional_time",
              "gte": "2022-07-22T15:32:00.910Z",
              "lte": "2022-07-23T15:32:00.910Z"
            }
          }
        }
      ],
      "filter": [
        {
          "match_all": {}
        }
      ],
      "should": [],
      "must_not": [
        {
          "match_phrase": {
            "issue_type": {
              "query": "bill gap"
            }
          }
        }
      ]
    }
  }
}

The Inspect query has a sort section, and a bool query with a date range and must_not section. The sort and date range aren't in searchSourceJSON. The filter condition ("issue_type": { "query": "bill gap", "type": "phrase" }) looks similar, but the structure is different.

I found "Retrieving results by using kibanaSavedObjectMeta.searchSourceJSON from a saved search"; it says to "re-execute the searches using the same parameters", but the saved object parameters don't work as an Elasticsearch query as-is.

How can I use the searchSourceJSON to create an Elasticsearch query equivalent to what I see in Kibana / Inspect? Is there a general way to do this, or any documentation on the format of searchSourceJSON?
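
Added example, not part of the original post and not Kibana's own code: a Python sketch that rebuilds the Inspect request body from the searchSourceJSON shown above. The mapping (negated filter to must_not, legacy "type": "phrase" match to match_phrase, disabled filters skipped) is inferred from the two JSON documents in the post; the function names are hypothetical, and the time field, time range and sort must be passed in because they are not stored in searchSourceJSON.

```python
import json

# Constructed input: the searchSourceJSON from the post, trimmed to the fields used here.
SEARCH_SOURCE_JSON = json.dumps({
    "query": {"query": "", "language": "kuery"},
    "filter": [{
        "meta": {"negate": True, "type": "phrase", "key": "issue_type", "disabled": False},
        "query": {"match": {"issue_type": {"query": "bill gap", "type": "phrase"}}},
    }],
})


def filter_to_clause(saved_filter):
    """Return the query clause of one saved filter, rewriting the legacy phrase form."""
    # Assumption: the filter carries its clause under "query", as in the post.
    clause = saved_filter["query"]
    match = clause.get("match")
    if match:
        field, params = next(iter(match.items()))
        if isinstance(params, dict) and params.get("type") == "phrase":
            # {"match": {f: {"query": q, "type": "phrase"}}} -> {"match_phrase": {f: {"query": q}}}
            rest = {k: v for k, v in params.items() if k != "type"}
            return {"match_phrase": {field: rest}}
    return clause


def build_es_query(search_source_json, time_field, gte, lte, sort=None, size=500):
    """Build a request body shaped like the Inspect output in the post."""
    source = json.loads(search_source_json)
    if source.get("query", {}).get("query"):
        # Translating a KQL or Lucene query string is outside this sketch.
        raise NotImplementedError("non-empty query string is not handled")
    bool_query = {
        # The time range comes from the caller, not from the saved object.
        "must": [{"range": {time_field: {
            "format": "strict_date_optional_time", "gte": gte, "lte": lte}}}],
        "filter": [{"match_all": {}}],  # what Inspect shows for the empty query
        "should": [],
        "must_not": [],
    }
    for saved_filter in source.get("filter", []):
        meta = saved_filter.get("meta", {})
        if meta.get("disabled"):
            continue  # a disabled filter contributes nothing
        # Assumption: enabled, non-negated filters go in the "filter" clause.
        target = "must_not" if meta.get("negate") else "filter"
        bool_query[target].append(filter_to_clause(saved_filter))
    return {"version": True, "size": size, "sort": sort or [],
            "_source": {"excludes": []}, "query": {"bool": bool_query}}
```

The returned dict can be sent as the body of a `_search` request against the index the saved search points to.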
