1. Start with the right place
OpenSearch Dashboards usually lets you search in Discover or inside a Dashboard.
- Use Discover when you want to inspect raw records or logs.
- Use Dashboards when you want to filter charts, tables, and visual panels.
OpenSearch Dashboards supports search using DQL, short for Dashboards Query Language, and also Lucene/query string syntax. DQL is usually easier for everyday dashboard filtering.
2. Set the time range first
Before searching, check the time picker, usually in the top-right corner.
Examples:
- Last 15 minutes
- Last 24 hours
- Last 7 days
- Custom date range
Many “missing data” problems are caused by the wrong time range.
3. Basic search examples
Search for a word
error
Finds records that contain error.
Search a specific field
status:500
Finds records where the status field is 500.
Search text in a field
message:error
Finds records where the message field contains error.
4. Search for exact values
Use quotation marks when the value has spaces.
service:"payment api"
message:"connection timeout"
This helps avoid partial or incorrect matches.
5. Combine searches
AND
status:500 and service:checkout
Finds records where both conditions are true.
OR
status:500 or status:503
Finds records where either condition is true.
NOT
status:500 and not service:test
Finds 500 errors but excludes the test service.
DQL supports Boolean operators such as and, or, and not.
6. Search ranges
Numbers
response_time > 1000
Finds records where response_time is greater than 1000.
status >= 400
Finds client and server errors.
Dates
Usually, use the dashboard time picker instead of typing date ranges manually.
7. Use wildcards carefully
service:auth*
Matches values like:
- auth
- auth-api
- authentication
Wildcards are useful, but they can slow searches if used too broadly.
8. Add filters from the dashboard
Many dashboards let you click values in charts or tables to add filters.
Example:
- Click a service name.
- Choose Filter for value.
- The dashboard refreshes using that filter.
This is often easier than typing a query manually.
9. Common useful searches
Find errors
level:error
Find failed requests
status >= 400
Find one service
service:checkout
Find timeout messages
message:timeout
Find a specific agent
agent.name:web-01
Find a request ID
request_id:"abc-123"
10. Troubleshooting
If your search returns no results, check these:
- Time range — Is it too narrow?
- Field name — Is the field spelled correctly?
- Value format — Does the value need quotes?
- Dashboard filters — Is another filter hiding results?
- Data source/index pattern — Are you searching the right data?
11. Simple search formula
Use this pattern:
field:value
Examples:
status:500
service:api
level:error
user.name:jdoe
For multiple conditions:
field1:value1 and field2:value2
Example:
service:checkout and status >= 400
12. Best practices
- Set the time range first.
- Start broad, then narrow down.
- Use field searches instead of plain text when possible.
- Use quotes for values with spaces.
- Clear old filters before starting a new search.
- Save useful searches if your dashboard supports saved queries.
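When a value is pasted from a ticket or generated by a script, the quoting rule from section 4 and the field:value pattern from section 11 can be applied mechanically. The Python helper below is an added example, not part of OpenSearch Dashboards: the function names, the field-name pattern and the sample values are constructed here, and it assumes that only a backslash and a double quote need escaping inside a quoted value.

```python
import re

# Values made only of these characters are left unquoted; anything else is quoted.
_BARE = re.compile(r"^[A-Za-z0-9_.-]+$")
_FIELD = re.compile(r"^[A-Za-z_@][A-Za-z0-9_.@-]*$")
_KEYWORDS = {"and", "or", "not"}
_RANGE_OPS = {">", ">=", "<", "<="}

def dql_value(value):
    """Render one value as a DQL literal, quoting it when it is not plain."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    text = str(value)
    if _BARE.match(text) and text.lower() not in _KEYWORDS:
        return text
    # Assumption: inside double quotes only backslash and quote need escaping.
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'

def term(field, value, op=":"):
    """Build field:value, or a numeric comparison such as status >= 400."""
    if not _FIELD.match(field):
        raise ValueError(f"unexpected field name: {field!r}")
    if op == ":":
        return f"{field}:{dql_value(value)}"
    numeric = isinstance(value, (int, float)) and not isinstance(value, bool)
    if op not in _RANGE_OPS or not numeric:
        raise ValueError("range comparisons need >, >=, <, <= and a number")
    return f"{field} {op} {value}"

def all_of(*clauses):
    return " and ".join(clauses)

def any_of(*clauses):
    # Parentheses keep the "or" group together when it is combined with "and".
    return "(" + " or ".join(clauses) + ")"

def exclude(field, value):
    return "not " + term(field, value)

# Constructed sample values, reusing the fields from the examples above.
query = all_of(
    any_of(term("status", 500), term("status", 503)),
    term("message", "connection timeout"),
    exclude("service", "test"),
    term("response_time", 1000, ">"),
)
print(query)
```

A value such as test or level:debug comes out as one quoted phrase, so the words inside it are not read as operators or as a second field search.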
Quick Reference
| Goal | Example |
|---|---|
| Search a word | error |
| Search a field | status:500 |
| Exact phrase | message:"connection timeout" |
| AND search | service:api and level:error |
| OR search | status:500 or status:503 |
| Exclude value | not service:test |
| Greater than | response_time > 1000 |
| Wildcard | service:auth* |