Does regex work on timestamp?

I have created a regex to search for certain time periods in the data (i.e. search for all data outside of working hours). This regex should only return values from 00:00:00-07:59:59 or 16:00:00-23:59:59. It doesn't return any documents. I know multiple people have asked about querying outside of working hours, but I haven't seen anyone take a regex approach.

Why doesn't regex seem to work on timestamps? Even when I try a regex to match on one number I get no results. I.e. if I build a regex of `[1]?` it still wouldn't return anything. It works on other fields as well. I currently have a regex where I am returning documents with IPs in the host field of HTTP requests; works fine.

Query:

```json
{
  "query": {
    "regexp": {
      "event.timestamp": "([0][0-7]|[1][6-9]|[2][0-3]):([0-5][0-9]):([0-5][0-9])"
    }
  }
}
```

Possible fixes/issues:

  • If I saved my timestamp as a string field or keyword as well, would this work?
  • Could it be the analyzer storing my timestamp field weirdly? How do I see exactly how the analyzer is storing the string?

Regex requires a keyword field as far as I know and does not work on fields mapped as date.

Yes, storing it as a keyword field should work, but then you can naturally not use it as a date filter.

It is probably mapped as a date field, so the mapping is the first thing to check.

You could consider keeping the field mapped as a date field as this is useful for range queries and then additionally extract the time into a separate field mapped as a keyword. That would allow you to search by string range instead of having to use a more expensive regex query.
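A worked version of that suggestion, added here as an example and not taken from this thread: the mapping that keeps `event.timestamp` as a date, a hypothetical ingest pipeline that copies `HH:mm:ss` into an assumed `event.time_of_day` keyword field, and the two string-range clauses that replace the regexp, with a local check of the same predicate on constructed timestamps. The index name, pipeline name, field name and the assumption that timestamps arrive as UTC ISO-8601 strings are mine.

```python
import json

INDEX = "http-requests"             # assumed index name
PIPELINE = "extract-time-of-day"    # assumed ingest pipeline name

# PUT /http-requests : event.timestamp stays a date (range queries keep working);
# event.time_of_day is a keyword so it can be compared as a string.
MAPPING = {"mappings": {"properties": {"event": {"properties": {
    "timestamp": {"type": "date"},
    "time_of_day": {"type": "keyword"},
}}}}}

# PUT /_ingest/pipeline/extract-time-of-day : Painless script copying HH:mm:ss
# out of the raw timestamp, assumed to be a UTC ISO-8601 string such as
# 2024-03-01T17:30:00Z (characters 11-19). Timestamps carrying another
# offset would need a date processor to normalise them first.
PIPELINE_BODY = {"processors": [{"script": {"source":
    "ctx.event.time_of_day = ctx.event.timestamp.substring(11, 19);"}}]}

# Outside-working-hours filter as two keyword ranges. Zero-padded HH:mm:ss
# sorts lexically in time order, so the string comparison is exact.
OUTSIDE_HOURS = [("00:00:00", "07:59:59"), ("16:00:00", "23:59:59")]
QUERY = {"query": {"bool": {"minimum_should_match": 1, "should": [
    {"range": {"event.time_of_day": {"gte": lo, "lte": hi}}}
    for lo, hi in OUTSIDE_HOURS]}}}


def time_of_day(ts: str) -> str:
    """Same extraction the pipeline script performs."""
    return ts[11:19]


def outside_working_hours(ts: str) -> bool:
    """Evaluate QUERY's two ranges locally for one timestamp string."""
    tod = time_of_day(ts)
    return any(lo <= tod <= hi for lo, hi in OUTSIDE_HOURS)


def filter_events(events: list) -> list:
    """Return the docs QUERY would match; the sample docs below are constructed."""
    return [e for e in events if outside_working_hours(e["event"]["timestamp"])]


if __name__ == "__main__":
    # constructed sample documents, boundary values included
    sample = [{"event": {"timestamp": t}} for t in (
        "2024-03-01T07:59:59Z", "2024-03-01T08:00:00Z",
        "2024-03-01T15:59:59Z", "2024-03-01T16:00:00Z")]
    print(json.dumps(QUERY, indent=2))
    print([e["event"]["timestamp"] for e in filter_events(sample)])
```

Before adding the field, confirm the current mapping with `GET <index>/_mapping`; a `date` type on `event.timestamp` explains why the regexp returns nothing.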
