How to Search Logs Using KQL (Kibana Query Language)

This article describes how to search logs displayed in PlatformManager by using Kibana Query Language (KQL). PlatformManager stores and exposes log data through the ELK stack (Elasticsearch, Logstash, Kibana). The log viewer provides a search bar that uses KQL, allowing you to filter log entries quickly and efficiently.

KQL documentation is available at:
https://www.elastic.co/docs/explore-analyze/query-filter/languages/kql

Terminology

  • ELK: The underlying log storage and processing stack (Elasticsearch, Logstash, Kibana).

  • KQL: The query language used in Kibana and PlatformManager log search fields.

  • PlatformManager Logs: A simplified interface that exposes ELK data and accepts KQL queries.

Log Search Locations in PlatformManager

You can use KQL in the search bar on the following log screens:

  • Debug Logs

  • Activity Log

  • Run History

Each log provides fields such as sourceName, timestamp, message, and workflow-related identifiers. The set of available fields differs by log type.

Entering a Query

  1. Open a log page (for example Event Orchestration > Logs > Debug Logs).

  2. Select the Query Search field above the table.

  3. Enter a KQL expression.

  4. Press Enter to apply the filter.

Example Queries

Filter by Workflow or Scheduler Name

entityName: "MyWorkflow"

Filter by Message Content

message: "error"

Multiple search terms:

message: ("timeout" OR "failed")

Filter by Source (a partition)

sourceName: "CompanyPartition"

Multiple Conditions

entityName: "Event_SCHEDULER" AND message: "completed"

Search by ID

destinationId: "12345"

Date Filtering

Use the date and time selector in the UI.

Saving and Reusing Queries

If the page supports query management:

  • Queries > Save and Share to save the current query and share it via a provided email address.

  • Queries > Manage Queries to update or delete saved entries.

Saved queries can be reused.

Tips for Effective KQL Use

  • Use double quotation marks for exact matches.

  • Use parentheses to control operator precedence.

  • Combine conditions with and, or, and not.

  • Avoid broad unbounded searches (for example message:*) to prevent large result sets.

  • KQL does not support regex.
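
The parentheses and not tips above, shown as an added example that is not from the original page. It reuses the field names and sample values from the Example Queries section and assumes those fields exist on the log screen being searched; lines starting with // are annotations, not KQL, and are left out when pasting.

```kql
// Annotation lines starting with // are not KQL; paste only the query lines.
// Field names and values are the sample ones from the Example Queries section.

// Without parentheses, AND binds tighter than OR. This matches every
// "timeout" entry from any source, plus "failed" entries from CompanyPartition:
message: "timeout" OR message: "failed" AND sourceName: "CompanyPartition"

// Parentheses scope the OR to the message field, so both terms are
// restricted to CompanyPartition:
sourceName: "CompanyPartition" AND message: ("timeout" OR "failed")

// NOT removes one entity from that same result set:
sourceName: "CompanyPartition" AND message: ("timeout" OR "failed") AND NOT entityName: "Event_SCHEDULER"
```

When a filter is meant to be limited to one partition, the first form quietly widens it to all sources for one of the terms, so it is worth checking the grouping before saving or sharing a query.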

See Also