Security Onion (Kibana, Lucene query syntax)

Search for an IP address (here 192.168.1.1) in IDS alerts, as source or destination:
    ips:"192.168.1.1"

Search for a Snort rule by its SID (here 7000242):
    sid:7000242
    (the Kibana filter bar expresses the same thing as "sid is 7000242")

User agents: search for a user-agent string
    "Mozilla/5.0"
    "Google Toolbar installer"

Search for a domain:
    apple.com

Search for a domain together with a source IP:
    apple.com AND source_ip:192.168.10.20
    (or: apple.com as the query, plus the filter "source_ip is 192.168.10.20" in the filter bar)
    Lucene operators are case-sensitive: a lowercase "and" is searched as an ordinary term, not treated as an operator.

Look for a specific protocol:
    proto:"udp"
    proto:"tcp"
    (without the colon, proto "udp" is two free-text terms, not a field query)

----------------------------------------------
Packetbeat examples (Kibana, Lucene query syntax)

HTTP redirects:
    type: http AND http.code: 302

All transactions that contain the message "Cannot change the info of a user":
    "Cannot change the info of a user"

Transactions with chunked transfer encoding:
    "Transfer-Encoding: chunked"

HTTP transactions only:
    type: http

Failed transactions only:
    status: Error

INSERT queries only:
    method: INSERT

HTTP responses with JSON as the returned content type:
    type: http AND http.response_headers.content_type: *json
    (a leading wildcard has to scan every term in the field, so it is slow on large indices)

Slow transactions, response time greater than or equal to 10 ms (inclusive range, square brackets):
    responsetime: [10 TO *]

Slow transactions, response time greater than 10 ms (exclusive range, curly brackets):
    responsetime: {10 TO *}

Everything except MySQL transactions:
    NOT type: mysql

MySQL INSERT queries that returned an error:
    method: INSERT AND mysql.iserror: true

INSERT or UPDATE queries with a response time of 30 ms or more:
    (method: INSERT OR method: UPDATE) AND responsetime: [30 TO *]

Links
https://lucene.apache.org/core/2_9_4/queryparsersyntax.html
https://www.elastic.co/guide/en/beats/packetbeat/current/kibana-queries-filters.html
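Added example, not from these notes, Security Onion or Packetbeat: a small Python model of the query syntax used above, run over a handful of constructed Packetbeat/Security Onion-style records, so that the difference between [10 TO *] and {10 TO *}, bare terms versus field:value, phrase quoting and NOT/AND/OR grouping can be checked offline. The sample records, their field names, the tokenizer and the "implicit OR" default are assumptions of the model; real Elasticsearch analyzers, scoring and escaping rules are not reproduced.

```python
"""Toy evaluator for the Kibana/Lucene query syntax in these notes (added example,
not code from Security Onion, Packetbeat or the original page). Models field:value,
field:"phrase", bare terms over all fields, * wildcards, [a TO b] inclusive and {a TO b}
exclusive ranges (* = open end), AND/OR/NOT, parentheses and implicit OR (Kibana's
default operator). Text matching is case-insensitive, token-based and unscored."""
import re

# One token per clause: optional "field:" prefix, then a phrase, range or word.
TOKEN_RE = re.compile(r'(?:[^\s()":]+:\s*)?(?:"[^"]*"|\[[^\]]*\]|\{[^}]*\}|[^\s()"]+)|[()]')
WORD_RE = re.compile(r'[^\w./-]+')  # analyzer stand-in: keeps IPs, hosts and paths whole


def tokens_of(value):
    return [w for w in WORD_RE.split(str(value).lower()) if w]


def in_range(value, pattern):                        # [lo TO hi] inclusive, {lo TO hi} exclusive
    lo, hi = pattern[1:-1].split(' TO ')
    try:
        v, inc = float(value), pattern[0] == '['
    except (TypeError, ValueError):                  # non-numeric values never match a range
        return False
    return ((lo == '*' or (v >= float(lo) if inc else v > float(lo))) and
            (hi == '*' or (v <= float(hi) if inc else v < float(hi))))


def match_value(value, pattern):
    """Does one field value satisfy the right-hand side of a clause?"""
    if value is None or isinstance(value, list):     # missing field, or multi-valued like ips
        return any(match_value(v, pattern) for v in value or [])
    if pattern[0] in '[{':
        return in_range(value, pattern)
    words = tokens_of(value)
    if pattern[0] == '"':                            # phrase: the tokens must appear contiguously
        want = tokens_of(pattern[1:-1])
        return any(words[i:i + len(want)] == want for i in range(len(words) - len(want) + 1))
    if '*' in pattern:                               # wildcard, tested against each token
        rx = re.escape(pattern.lower()).replace(r'\*', '.*')
        return any(re.fullmatch(rx, w) for w in words)
    return pattern.lower() in words                  # plain term


def parse(text):
    """Compile a query string into a predicate doc -> bool. Precedence, low to high:
    or := and (OR? and)* ; and := not (AND not)* ; not := NOT not | '(' or ')' | term."""
    toks = TOKEN_RE.findall(text) + [None]           # None marks the end of input

    def p_or():
        f = p_and()
        while toks[0] not in (None, ')'):            # juxtaposed clauses are an implicit OR
            if toks[0] == 'OR':
                toks.pop(0)
            f = (lambda a, b: lambda d: a(d) or b(d))(f, p_and())
        return f

    def p_and():
        f = p_not()
        while toks[0] == 'AND':
            toks.pop(0)
            f = (lambda a, b: lambda d: a(d) and b(d))(f, p_not())
        return f

    def p_not():
        tok = toks.pop(0)
        if tok == 'NOT':
            f = p_not()
            return lambda d: not f(d)
        if tok == '(':
            f = p_or()
            if toks.pop(0) != ')':
                raise ValueError('missing )')
            return f
        if tok in (None, ')', 'AND', 'OR'):
            raise ValueError('expected a term, got %r' % tok)
        field, _, pattern = tok.partition(':')
        if tok[0] in '"[{' or not pattern.strip():   # no field: search every field's value
            return lambda d: any(match_value(v, tok) for v in d.values())
        return lambda d: match_value(d.get(field), pattern.strip())

    f = p_or()
    if toks[0] is not None:
        raise ValueError('unexpected %r' % toks[0])
    return f


SAMPLE_DOCS = [  # constructed Packetbeat/Security Onion-style records, keys as Kibana shows them
    {"id": 1, "type": "http", "method": "GET", "status": "OK", "responsetime": 4, "http.code": 302,
     "source_ip": "192.168.10.20", "ips": ["192.168.10.20", "17.253.144.10"], "server": "apple.com",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "http.response_headers.content_type": "text/html"},
    {"id": 2, "type": "http", "method": "GET", "status": "OK", "responsetime": 10, "http.code": 200,
     "user_agent": "Google Toolbar installer", "http.response_headers.content_type": "application/json"},
    {"id": 3, "type": "mysql", "method": "INSERT", "status": "Error", "responsetime": 35,
     "mysql.iserror": True, "mysql.error_message": "Cannot change the info of a user"},
    {"id": 4, "type": "mysql", "method": "UPDATE", "status": "OK", "responsetime": 12, "mysql.iserror": False},
    {"id": 5, "type": "snort", "sid": 7000242, "proto": "udp", "ips": ["192.168.1.1", "8.8.8.8"]},
]


def search(query, docs=SAMPLE_DOCS):
    pred = parse(query)                              # ids of matching records, in index order
    return [d["id"] for d in docs if pred(d)]
```

search('responsetime: [10 TO *]') returns the 10 ms record while search('responsetime: {10 TO *}') does not, which is the whole difference between the two bracket styles. The model also shows why the loose forms in the notes misbehave: proto "udp" is two free-text terms joined by the implicit OR, and a lowercase "and" is an ordinary term rather than an operator, exactly as in the Lucene parser.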