Error with the split function in painless script

florentmair · March 17, 2017, 12:25pm

Hi everyone,

i have this field with values :
c:\Users\username\AppData\Local\Microsoft\Windows....

Sometimes the username is "john" and sometimes it is "john.000".
I want just to catch john , so i use this script :

POST winlogbeat-citrix-2017.03/_update_by_query 
{
  "query": {
"bool": { 
  "must": [
    { "match": { "event_data.param3": {"query": "APPCRASH" } } }
  ]
}
  },
  "script": {
"inline": "def val = /\\\\/.split(ctx._source.event_data.param17); if (val[2] =~ /\\./) { def val2 = /\\./.split(val[2]) ; ctx._source['user_crash'] = val2[0] } else { ctx._source['user_crash'] = val[2] }",
"lang": "painless"
  }
}

I have this error with this script

{
  "error": {
    "root_cause": [
      {
        "type": "script_exception",
        "reason": "compile error",
        "script_stack": [
          "... param17); if (val[2] =~ /\\./) { def val2 = /\\./.sp ...",
          "                             ^---- HERE"
        ],
        "script": "def val = /\\\\/.split(ctx._source.event_data.param17); if (val[2] =~ /\\./) { def val2 = /\\./.split(val[2]) ; ctx._source['user_crash'] = val2[0] } else { ctx._source['user_crash'] = val[2] }",
        "lang": "painless"
      }
    ],
    "type": "script_exception",
    "reason": "compile error",
    "caused_by": {
      "type": "illegal_argument_exception",
      "reason": "unexpected character [\\].",
      "caused_by": {
        "type": "lexer_no_viable_alt_exception",
        "reason": null
      }
    },
    "script_stack": [
      "... param17); if (val[2] =~ /\\./) { def val2 = /\\./.sp ...",
      "                             ^---- HERE"
    ],
    "script": "def val = /\\\\/.split(ctx._source.event_data.param17); if (val[2] =~ /\\./) { def val2 = /\\./.split(val[2]) ; ctx._source['user_crash'] = val2[0] } else { ctx._source['user_crash'] = val[2] }",
    "lang": "painless"
  },
  "status": 500
}

Any ideas ?

Regards
Florent

nik9000 · March 17, 2017, 2:56pm

Looks like a bug. I believe you can work around it by replacing /\\\\/.split with /[\\]/.split. I can certainly reproduce and I'm not sure 100% what is up.

nik9000 · March 17, 2017, 3:23pm

Fun times! In investigating this I think I found three different bugs. Escaping is hard.

nik9000 · March 17, 2017, 3:51pm

Your bug is caused because the regex parsing is greedy when it should be non-greedy. Easy enough to fix. Will open a PR in a moment.

nik9000 · March 17, 2017, 4:40pm

florentmair · March 17, 2017, 5:43pm

thanks !

system · April 14, 2017, 5:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch painless split Elasticsearch	2	673	July 3, 2018
How to use split on script field on kibana Kibana	3	2352	December 22, 2017
Painless is a pain in my head Elasticsearch	2	1797	June 9, 2017
Painless scrip error in kibana Elasticsearch	3	1063	June 1, 2020
Painless Scripting Compile Errors Elasticsearch	17	21528	April 20, 2018

Error with the split function in painless script

Related topics