Elastic search - filter on a field based on the length of that field's contents

Thought this would be easy. I'm searching a data index of data-awsch*:ls-aws-cloudtrail* based on event.type that is not one of start, access, info. This is working as intended, but the output is huge.

Rather than filter by user.name exclude, exclude, exclude --- I'd prefer to filter (or create a smaller output) based on the length of the user.name returned. Specifically, I want to return only those events where the user.name <=6 characters; and conversely when the user.name > 6 characters.

I'm not finding a way to parse the user.name field based on the length of the content.

Question: How does one search or filter for user.name with <= 6 characters?

Thank you dr.

Well, I was just looking at regex queries, so ^.{0,6}$ should match anything 6 or less.

If your max field size were known, say 999, this should match anything over 6: ^.{7,999}$

I don't know if this is a good way or not, performance may be terrible...

Another option is using ingest pipeline with script processor to create new field to save information of the length.


regex queries, so ^.{0,6}$ should match anything 6 or less.

Sounds like it would work.

Given we have the dataset and the field name, how can I use that as a filter? Offering the filter option so I don't have to pull a fresh search.

Can you give me an example with context?

And - Thank you.

I use the python dsl, so you'll have to translate. Here is an example that uses regex; I changed a working regex expression to this example (and sanitized), but it's not tested.

from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search

es = Elasticsearch("http://localhost:9200")  # connection details assumed
s = Search(using=es, index='filebeat-*') \
        .query("match", event_id="RECEIVE") \
        .query("regexp", **{"recipient_address": {"value": ".{0,6}"}})  # Lucene regexp is implicitly anchored; ^ and $ are not anchor operators
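Putting the two suggestions above together for the original question (exclude event.type start/access/info, then keep only user.name values of 6 characters or fewer, or of more than 6), here is an added example that is not code from anyone in this thread. It builds the raw query body Elasticsearch accepts (usable from the python dsl, curl, or Dev Tools) and checks the regexp semantics against a few constructed sample events. Two details go beyond the thread: Lucene's regexp engine implicitly anchors the pattern to the whole term and does not treat `^` and `$` as anchors, so they are left out; and `{7,}` expresses "more than 6" without guessing a 999 upper bound. A Painless script filter is included as the alternative to the ingest-pipeline idea, with a guard for documents that lack the field. The field names, sample events, and the assumption that user.name is mapped as keyword (a text field would be matched per token, so you would target its .keyword sub-field) are all assumptions for illustration.

```python
import json
import re

# Constructed sample events (not real CloudTrail data); ECS field names as in the thread.
SAMPLE_EVENTS = [
    {"user.name": "alice",             "event.type": ["creation"]},
    {"user.name": "bob",               "event.type": ["deletion"]},
    {"user.name": "svc-deploy",        "event.type": ["change"]},
    {"user.name": "root",              "event.type": ["start"]},    # excluded by event.type
    {"user.name": "jenkins-ci-runner", "event.type": ["access"]},   # excluded by event.type
    {"user.name": "charlie",           "event.type": ["change"]},   # exactly 7 chars
]

EXCLUDED_EVENT_TYPES = ["start", "access", "info"]


def length_pattern(max_len=None, min_len=0):
    """Lucene regexp matching a whole keyword of min_len..max_len characters.

    Lucene regexp is implicitly anchored to the entire term, and '^' / '$'
    are not anchor operators there, so they are omitted. An open upper
    bound ('.{7,}') expresses 'more than 6' without a guessed maximum.
    """
    upper = "" if max_len is None else str(max_len)
    return ".{%d,%s}" % (min_len, upper)


def build_query(field, pattern, use_script=False, max_len=None):
    """Query body: event.type exclusion plus a length filter on `field`.

    `field` is a trusted, operator-supplied name (assumed keyword-mapped),
    never user input, since it is interpolated into the Painless source.
    """
    if use_script:
        # Painless alternative; size() guard avoids errors on docs missing the field.
        source = ("doc['%s'].size() > 0 && doc['%s'].value.length() <= params.max"
                  % (field, field))
        length_filter = {"script": {"script": {"source": source,
                                               "params": {"max": max_len}}}}
    else:
        length_filter = {"regexp": {field: {"value": pattern}}}
    return {"query": {"bool": {
        "must_not": [{"terms": {"event.type": EXCLUDED_EVENT_TYPES}}],
        "filter": [length_filter],
    }}}


def lucene_full_match(pattern, value):
    """Emulate Lucene regexp semantics: the pattern must cover the whole term."""
    return re.fullmatch(pattern, value) is not None


def apply_locally(events, pattern):
    """Run the regexp variant of the query over in-memory events; returns user names."""
    return [
        e["user.name"] for e in events
        if not set(e["event.type"]) & set(EXCLUDED_EVENT_TYPES)
        and lucene_full_match(pattern, e["user.name"])
    ]


if __name__ == "__main__":
    short = length_pattern(max_len=6)   # ".{0,6}"
    longer = length_pattern(min_len=7)  # ".{7,}"
    print(json.dumps(build_query("user.name", short), indent=2))
    print("<= 6 chars:", apply_locally(SAMPLE_EVENTS, short))   # ['alice', 'bob']
    print(">  6 chars:", apply_locally(SAMPLE_EVENTS, longer))  # ['svc-deploy', 'charlie']
```

Regexp and script filters both scan every matching term or document, so on a large cloudtrail index the ingest-time approach (storing a numeric user.name length field and filtering with a range query) is the cheaper option if this becomes a routine search.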
