{"id":17239419,"url":"https://github.com/aloshi/kql-parser","last_synced_at":"2025-04-14T02:52:45.917Z","repository":{"id":147506849,"uuid":"552645599","full_name":"Aloshi/kql-parser","owner":"Aloshi","description":"Python parser for Kibana Query Language (KQL).","archived":false,"fork":false,"pushed_at":"2025-01-21T02:28:57.000Z","size":25,"stargazers_count":6,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-27T16:55:56.511Z","etag":null,"topics":["arpeggio","elastic","elasticsearch","elasticstack","elk","elk-stack","kibana","kql","parser"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Aloshi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-10-17T02:03:37.000Z","updated_at":"2025-03-04T23:26:39.000Z","dependencies_parsed_at":"2024-04-03T02:00:28.682Z","dependency_job_id":null,"html_url":"https://github.com/Aloshi/kql-parser","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aloshi%2Fkql-parser","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aloshi%2Fkql-parser/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aloshi%2Fkql-parser/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aloshi%2Fkql-parser/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Aloshi","download_url":"https://codeload.github.com/Al
oshi/kql-parser/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248813827,"owners_count":21165631,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arpeggio","elastic","elasticsearch","elasticstack","elk","elk-stack","kibana","kql","parser"],"created_at":"2024-10-15T05:48:45.349Z","updated_at":"2025-04-14T02:52:45.875Z","avatar_url":"https://github.com/Aloshi.png","language":"Python","readme":"# What is this?\n\nThis is a parser for the Kibana Query Language (KQL), also known as Kuery.\nThis should pretty faithfully re-implement\n[the grammar in Kibana's public repo](https://github.com/elastic/kibana/blob/153f65990ee614677a9c3b2beda634219b6eeee8/packages/kbn-es-query/grammar/grammar.peggy).\n\n# What can I do with it?\n\nYou can parse KQL expressions into a tree which makes analysis and re-writing easier. 
It's kind of like the parse tree parts of [Luqum](https://github.com/jurismarches/luqum), but for KQL.\n\nFor example, when paired with the appropriate Kibana saved object data, you could use this to see what documents dashboards/visualizations/alerts are actually looking at.\n(Particularly useful if you can't use the [field usage stats API](https://www.elastic.co/guide/en/elasticsearch/reference/current/field-usage-stats.html)\nbecause you have a common set of fields across most documents, but documents are filtered by some `type: blah`-esque query.)\n\n## How do I use it?\n\nFirst, install the library (add to `requirements.txt` and/or `pip install kql-parser`).\n\n```python\nfrom kql_parser.parser import KQLParseError, Parser\n\nparser = Parser()\n\ntry:\n    tree = parser.parse('a: b or c: (list or of or values) or \"bare string\"')\nexcept KQLParseError as e:\n    # stop here: `tree` is never assigned when parsing fails\n    raise SystemExit(e)\n\n# print the parse tree (kind of ugly, sorry)\nprint(repr(tree))\n# OrQueryNode(children=[ExpressionQueryNode(expression=FieldValueExpressionNode(field=UnquotedLiteralNode(value='a'), value=UnquotedLiteralNode(value='b'))), ExpressionQueryNode(expression=FieldValueExpressionNode(field=UnquotedLiteralNode(value='c'), value=ListOfValuesNode(operator='or', children=[UnquotedLiteralNode(value='list'), UnquotedLiteralNode(value='of'), UnquotedLiteralNode(value='values')]))), ExpressionQueryNode(expression=ValueExpressionNode(value=QuotedLiteralNode(value='bare string')))])\n\n# convert the parse tree back to a query string, normalizing/prettifying it\nprint(tree)\n# a: b or c: (list or of or values) or \"bare string\"\n```\n\nAlso included is a little CLI tool, useful for testing:\n\n```bash\n$ kql-parser parse 'some:   expression' --print-input --tree\n\nsome:   expression  # input\nExpressionQueryNode(expression=FieldValueExpressionNode(field=UnquotedLiteralNode(value='some'), value=UnquotedLiteralNode(value='expression')))  # parse tree\nsome: expression  # stringified parse tree\n```\n\n# 
TODO\n* Needs to support case insensitivity in keywords (this is a big one!)\n* Needs tests (!!!)\n* Add a nicer way to print the parse tree\n* Move the CLI bit into something configurable so you can pull this project without installing click\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faloshi%2Fkql-parser","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faloshi%2Fkql-parser","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faloshi%2Fkql-parser/lists"}