Error with the split function in painless script

Hi everyone,

i have this field with values :
c:\Users\username\AppData\Local\Microsoft\Windows....

Sometimes the username is "john" and sometimes it is "john.000".
I want just to catch john , so i use this script :

POST winlogbeat-citrix-2017.03/_update_by_query 
{
  "query": {
"bool": { 
  "must": [
    { "match": { "event_data.param3": {"query": "APPCRASH" } } }
  ]
}
  },
  "script": {
"inline": "def val = /\\\\/.split(ctx._source.event_data.param17); if (val[2] =~ /\\./) { def val2 = /\\./.split(val[2]) ; ctx._source['user_crash'] = val2[0] } else { ctx._source['user_crash'] = val[2] }",
"lang": "painless"
  }
}

I have this error with this script

{
  "error": {
    "root_cause": [
      {
        "type": "script_exception",
        "reason": "compile error",
        "script_stack": [
          "... param17); if (val[2] =~ /\\./) { def val2 = /\\./.sp ...",
          "                             ^---- HERE"
        ],
        "script": "def val = /\\\\/.split(ctx._source.event_data.param17); if (val[2] =~ /\\./) { def val2 = /\\./.split(val[2]) ; ctx._source['user_crash'] = val2[0] } else { ctx._source['user_crash'] = val[2] }",
        "lang": "painless"
      }
    ],
    "type": "script_exception",
    "reason": "compile error",
    "caused_by": {
      "type": "illegal_argument_exception",
      "reason": "unexpected character [\\].",
      "caused_by": {
        "type": "lexer_no_viable_alt_exception",
        "reason": null
      }
    },
    "script_stack": [
      "... param17); if (val[2] =~ /\\./) { def val2 = /\\./.sp ...",
      "                             ^---- HERE"
    ],
    "script": "def val = /\\\\/.split(ctx._source.event_data.param17); if (val[2] =~ /\\./) { def val2 = /\\./.split(val[2]) ; ctx._source['user_crash'] = val2[0] } else { ctx._source['user_crash'] = val[2] }",
    "lang": "painless"
  },
  "status": 500
}

Any ideas ?

Regards
Florent

Looks like a bug. I believe you can work around it by replacing /\\\\/.split with /[\\]/.split. I can certainly reproduce and I'm not sure 100% what is up.

Fun times! In investigating this I think I found three different bugs. Escaping is hard.

Your bug is caused because the regex parsing is greedy when it should be non-greedy. Easy enough to fix. Will open a PR in a moment.

thanks !

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.