When I perform a Kibana query, i.e.,
I know it is converted to a JSON blob which represents a valid Elasticsearch JSON query, i.e.,
```json
{
  "version": true,
  "size": 500,
  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "boolean"
      }
    }
  ],
  "aggs": {
    "2": {
      "date_histogram": {
        "field": "@timestamp",
        "fixed_interval": "30s",
        "time_zone": "America/Chicago",
        "min_doc_count": 1
      }
    }
  },
  "stored_fields": [
    "*"
  ],
  "script_fields": {},
  "docvalue_fields": [
    {
      "field": "@timestamp",
      "format": "date_time"
    },
    {
      "field": "event.created",
      "format": "date_time"
    }
  ],
  "_source": {
    "excludes": []
  },
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "filter": [
              {
                "bool": {
                  "should": [
                    {
                      "match": {
                        "event.id": 5
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              },
              {
                "bool": {
                  "should": [
                    {
                      "match": {
                        "user": "root"
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              }
            ]
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2022-08-16T19:12:28.172Z",
              "lte": "2022-08-16T19:27:28.172Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  },
  "highlight": {
    "pre_tags": [
      "@kibana-highlighted-field@"
    ],
    "post_tags": [
      "@/kibana-highlighted-field@"
    ],
    "fields": {
      "*": {}
    },
    "fragment_size": 2147483647
  }
}
```
I use the Elasticsearch Python API to send Elasticsearch queries; however, I would like to send a query from Python that is initially in the friendly Kibana Query Language (KQL), i.e., `python.SendKQLQuery("event.id:5 and user:root")`,
and have it converted into the appropriate JSON blob that Elasticsearch expects. Can someone help with this?
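One way to do this from Python, written as an added example rather than code from the question or from the Elasticsearch client library: a converter for the small KQL subset the question uses (`field:value` terms joined by `and` / `or`) that builds the same nested `bool` / `should` / `minimum_should_match` structure Kibana emits above, wraps it in the `filter` array next to the `@timestamp` range, and hands the resulting dict to the client. The function names (`kql_to_query`, `build_search_body`, `send_kql_query`) are my own; the only library call assumed is `Elasticsearch.search(index=..., body=...)` from elasticsearch-py. Because each term lands in the query as a dict entry instead of being interpolated into a JSON string, a search string taken from a user or a ticket cannot break out of the intended query structure; anything outside the supported grammar raises `ValueError` instead of being passed through.

```python
"""Convert a small KQL subset into the Elasticsearch query Kibana would send.

Supported (constructed subset): `field:value` terms, bare or double-quoted
values, combined with `and` / `or` (KQL gives `and` higher precedence).
No parentheses, `not`, wildcards or ranges; those raise ValueError.
"""
import re
from typing import Any, Dict, List, Optional

# `field:value` where value is "quoted text" or a single bare token.
_TERM_RE = re.compile(r'^([\w.@-]+):("([^"]*)"|(\S+))$')
# Tokenizer keeps a quoted value (which may contain spaces) as one token.
_TOKEN_RE = re.compile(r'\S+:"[^"]*"|\S+')


def _term_clause(token: str) -> Dict[str, Any]:
    """Wrap one `field:value` term exactly the way Kibana does."""
    m = _TERM_RE.match(token)
    if not m:
        raise ValueError(f"unsupported KQL term: {token!r}")
    field = m.group(1)
    value: Any = m.group(3) if m.group(3) is not None else m.group(4)
    # Kibana sends event.id:5 as the integer 5, so bare integers become ints.
    if m.group(3) is None and re.fullmatch(r"-?\d+", value):
        value = int(value)
    return {"bool": {"should": [{"match": {field: value}}], "minimum_should_match": 1}}


def kql_to_query(kql: str) -> Dict[str, Any]:
    """Return the single clause Kibana places in the outer `filter` array."""
    or_groups: List[List[Dict[str, Any]]] = [[]]
    expect_term = True
    for tok in _TOKEN_RE.findall(kql):
        op = tok.lower()
        if op in ("and", "or"):
            if expect_term:
                raise ValueError(f"operator {tok!r} without a preceding term")
            if op == "or":
                or_groups.append([])      # start a new and-group
            expect_term = True
        else:
            if not expect_term:
                raise ValueError(f"missing and/or before {tok!r}")
            or_groups[-1].append(_term_clause(tok))
            expect_term = False
    if expect_term:
        raise ValueError("query is empty or ends with an operator")
    # `a and b` -> bool.filter [a, b]; a lone term is left unwrapped.
    and_clauses = [g[0] if len(g) == 1 else {"bool": {"filter": g}} for g in or_groups]
    if len(and_clauses) == 1:
        return and_clauses[0]
    # `x or y` -> bool.should [x, y] with minimum_should_match 1.
    return {"bool": {"should": and_clauses, "minimum_should_match": 1}}


def build_search_body(kql: str, gte: Optional[str] = None, lte: Optional[str] = None,
                      size: int = 500) -> Dict[str, Any]:
    """Full request body: KQL clause plus the optional @timestamp range."""
    filters = [kql_to_query(kql)]
    if gte or lte:
        rng: Dict[str, Any] = {"format": "strict_date_optional_time"}
        if gte:
            rng["gte"] = gte
        if lte:
            rng["lte"] = lte
        filters.append({"range": {"@timestamp": rng}})
    return {
        "size": size,
        "sort": [{"@timestamp": {"order": "desc", "unmapped_type": "boolean"}}],
        "query": {"bool": {"must": [], "filter": filters, "should": [], "must_not": []}},
    }


def send_kql_query(client: Any, index: str, kql: str, **range_kwargs: Any) -> Any:
    """Send the converted query. `client` is an elasticsearch.Elasticsearch
    instance (assumed API: client.search(index=..., body=...))."""
    return client.search(index=index, body=build_search_body(kql, **range_kwargs))


if __name__ == "__main__":
    import json
    # Constructed example: the question's own query plus its time window.
    print(json.dumps(build_search_body(
        "event.id:5 and user:root",
        gte="2022-08-16T19:12:28.172Z", lte="2022-08-16T19:27:28.172Z"), indent=2))
```

`send_kql_query(Elasticsearch("https://localhost:9200"), "winlogbeat-*", "event.id:5 and user:root", gte="now-15m")` is the shape of call the question asks for. The converter deliberately covers only the grammar it can map faithfully; extending it to `not` or parentheses means adding `must_not` handling and a real recursive parser rather than loosening the checks.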