Siddharth Trikha

Reputation: 2506

Query multiple strings in a field in kibana3?

I am using Logstash 1.4.1, Elasticsearch 1.1.1 and Kibana 3.1 for analyzing my logs. I get the parsed fields (from the log) in Kibana 3.

Now, I often have to query a particular field for many strings. E.g. auth_message is a field and I may have to query it for something like 20 different strings (all together or separately).

If together:

auth_message: "login failed" OR "user XYZ" OR "authentication failure" OR .........

If separate queries:

auth_message: "login failed"
auth_message: "user XYZ"
auth_message: "authentication failure"

So a user cannot remember 20 strings for a field to be searched for. Is there a way to store them, or present them to the user so he can select the strings he wants to search for?

Can this be done using ELK?

Upvotes: 1

Views: 8240
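The two query shapes in the question (one combined `OR` query versus one query per string) can be generated from a stored list so nobody has to remember the 20 strings. The following is an added example, not code from the question or from Logstash, Elasticsearch or Kibana; it builds the Lucene query-string syntax that Kibana 3 passes to Elasticsearch 1.x, escapes quotes inside phrases, wraps the result in an ES 1.x `query_string` request body, and tallies hits over a few constructed auth events. The phrase list beyond the three strings in the question and the sample events are invented, and the local hit check is a case-insensitive substring approximation of Lucene's token-based phrase match, not the real analyzer.

```python
import json

# Constructed phrase list: the three strings from the question plus a
# hypothetical one containing quotes, to show escaping.
AUTH_FAILURE_PHRASES = [
    "login failed",
    "user XYZ",
    "authentication failure",
    'invalid "quoted" token',
]

# Constructed sample events in the shape Logstash would index (hypothetical).
SAMPLE_EVENTS = [
    {"host": "web01", "auth_message": "login failed for user bob"},
    {"host": "web02", "auth_message": "authentication failure; logname= uid=0"},
    {"host": "web03", "auth_message": "session opened for user alice"},
    {"host": "web01", "auth_message": "User XYZ disabled by admin"},
]


def escape_phrase(phrase):
    """Escape backslashes and double quotes so the phrase is safe inside a
    Lucene quoted phrase. Other reserved characters are inert inside quotes."""
    return phrase.replace("\\", "\\\\").replace('"', '\\"')


def build_combined_query(field, phrases):
    """One query for all phrases:  field:("a" OR "b" OR ...)"""
    if not phrases:
        raise ValueError("need at least one phrase")
    joined = " OR ".join(f'"{escape_phrase(p)}"' for p in phrases)
    return f"{field}:({joined})"


def build_separate_queries(field, phrases):
    """One query per phrase, as in the 'separate queries' form of the question."""
    return [f'{field}:"{escape_phrase(p)}"' for p in phrases]


def to_es_body(lucene_query):
    """Wrap a Lucene query string in the Elasticsearch 1.x query_string body
    (what Kibana 3 sends; usable directly against /_search)."""
    return {"query": {"query_string": {"query": lucene_query}}}


def matches(record, field, phrases):
    """Local approximation of the phrase match: case-insensitive substring
    test on one field. Returns the phrases that hit this record."""
    value = record.get(field, "").lower()
    return [p for p in phrases if p.lower() in value]


def count_hits(events, field, phrases):
    """Tally how many events each phrase matched; useful for checking which
    of the 20 stored strings actually fire before pinning them in Kibana."""
    counts = {p: 0 for p in phrases}
    for event in events:
        for p in matches(event, field, phrases):
            counts[p] += 1
    return counts


if __name__ == "__main__":
    combined = build_combined_query("auth_message", AUTH_FAILURE_PHRASES)
    print(combined)
    print(json.dumps(to_es_body(combined), indent=2))
    for q in build_separate_queries("auth_message", AUTH_FAILURE_PHRASES):
        print(q)
    print(count_hits(SAMPLE_EVENTS, "auth_message", AUTH_FAILURE_PHRASES))
```

Keeping the phrase list in a file checked into version control gives the same benefit as the pinned-query approach but survives dashboard resets, and `count_hits` over a sample of real events is a cheap way to notice a phrase that never matches (typically a typo or a format change in the upstream log).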

Answers (1)

Aldian

Reputation: 2622

First, "pin" your query. Meaning that once you have made a query you are satisfied with, click the small colored circle, make the drop-down menu appear and click the "pin" button.

(Screenshot: the query's colored circle opened to show the drop-down menu with the "pin" button.)

Then, in every panel of your interface, go to Configure -> Queries, and in the drop-down list choose which queries should be charted in this panel: you can select either all, pinned, unpinned, or particular queries among the pinned ones. You can then save your dashboard with the pinned queries.

If I understand correctly, you would like users to be able to select any of your queries, or all of them. I don't see an easy way you could do that, but I think that you can save all of your criteria either as a single pinned global query or as multiple pinned separate queries, then configure all of your panels to display only unpinned data, and finally have your users reload the whole interface. In case you chose the global query solution, they unpin it and edit it to remove unwanted terms; in case you chose to have a subquery per criterion, they unpin every required one.

Alternatively, if some combinations of terms are often needed, you could save one Kibana dashboard for each.

Upvotes: 3
