ES|QL RLIKE

We are a little confused here, playing with ES|QL and RLIKE in Discover:

This one works and returns paths like \\?\C:\Windows\CSC\v2.0.6\namespace\example.com\DFS\Homes\User\Downloads\evil.exe

| WHERE file.path RLIKE ".*\\DFS.Homes.*"

Moving the backslashes to the back suddenly returns no results anymore?

| WHERE file.path RLIKE ".*DFS.Homes\\.*"

Even worse, adding more than one “double backslash” returns an error?

| WHERE file.path RLIKE ".*\\DFS\\Homes.*"

[esql] > Couldn't parse Elasticsearch ES|QL query. Check your query and try again. Error: line 2:9: Invalid regex pattern for RLIKE [.*\DFS\Homes.*]: [invalid character class \72]

Doing something like this still returns the same results as the first one, even though there are too many slashes:

| WHERE file.path RLIKE ".*\\\\\\DFS.Homes.*"

Yet, adding more than that returns no results again.

| WHERE file.path RLIKE ".*\\\\\\\\DFS.Homes.*"

Maybe we are just tired, but this doesn’t make sense to us?

Hello @Balu

While reviewing this I found the information below, if it can be helpful:

FROM test-rlike
| WHERE file.path RLIKE ".*\\\\DFS\\\\Homes.*"
| KEEP file.path

Below is the information via LLM:

1. Regex Layer

To match a literal backslash (\) in a regex, you must escape it:

  • \\ in regex = match one literal \

2. JSON Layer

In JSON strings (like the body of your ES|QL query), a backslash is also an escape character. So to represent a single backslash in JSON, you write:

  • \\ in JSON = one literal \

3. Combined Effect

To match a literal backslash in a regex inside JSON, you need:

  • \\\\ in JSON = \\ in regex = match one \

So, to match the path C:\DFS\Homes, you need:


RLIKE ".*\\\\DFS\\\\Homes.*"

Each \\\\ becomes \\ in regex, which matches a literal \.

Thanks!!

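As an added illustration (not part of this thread or of Elasticsearch itself), the Python snippet below simulates the two layers on the queries tried above: json.loads undoes the JSON escaping, then re.fullmatch stands in for the Lucene regex engine, which is assumed to match the whole field value. Python's re and Lucene differ in escape details (for example, \D is a non-digit class in Python), so this is an approximation, but it reproduces each observation from the first post.

```python
import json
import re

# Constructed sample: the path quoted in the thread, with single backslashes.
SAMPLE_PATH = r"\\?\C:\Windows\CSC\v2.0.6\namespace\example.com\DFS\Homes\User\Downloads\evil.exe"


def json_layer(literal: str) -> str:
    """Layer 1: the query body is a JSON string, so JSON escapes are undone
    first. `literal` is the text between the quotes exactly as typed."""
    return json.loads('"' + literal + '"')


def rlike(path: str, literal: str):
    """Layer 2: the unescaped text becomes the regex. re.fullmatch stands in
    for the Lucene engine, which is assumed to match the whole field value.
    Returns True/False, or the compile error text for an invalid pattern."""
    pattern = json_layer(literal)
    try:
        return re.fullmatch(pattern, path) is not None
    except re.error as exc:
        return f"invalid regex {pattern!r}: {exc}"


# The queries from the thread, in the order they were tried.
THREAD_QUERIES = [
    r".*\\DFS.Homes.*",        # works: '\D' still matches the 'D' of DFS
    r".*DFS.Homes\\.*",        # no results: '\.*' allows only trailing dots, and the match is anchored
    r".*\\DFS\\Homes.*",       # error: '\H' is not a valid escape
    r".*\\\\\\DFS.Homes.*",    # works: '\\' is one literal backslash, then '\D' matches 'D'
    r".*\\\\\\\\DFS.Homes.*",  # no results: demands two backslashes before DFS
    r".*\\\\DFS\\\\Homes.*",   # the fix from the reply above
]


def explain(literal: str, path: str = SAMPLE_PATH):
    """Return (regex as the engine sees it, match result) for one query literal."""
    return json_layer(literal), rlike(path, literal)


if __name__ == "__main__":
    for q in THREAD_QUERIES:
        regex, result = explain(q)
        print(f'typed: "{q}"\n  regex: {regex}\n  result: {result}')
```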

I was not aware that the string is processed as JSON. This explains a lot.
