Help with regexp query syntax

ajhstn · August 24, 2017, 9:55pm

Hello, i need help with a regexp query. I am trying to filter OUT computers from the winlogbeat event_data.TargetUserName field. I believe this is an elasticsearch query syntax problem, not a kibana or winlogbeat problem which is why i posted here, feel free to move me if more appropriate.

my query is trying to filter anything that ends in a $ (dollar) sign. I have tried.

"*$"
"^[a-zA-z]*$"
"*.$"

{
  "query": {
    "regexp": {
      "event_data.TargetUserName": "^.*$"
    }
  }
}

Each of the above still seems to show me computers returned in my results.

spinscale · August 25, 2017, 8:00am

Hey,

the $ is a special sign in a regex, see the operators paragraph in the docs.

Have you tried escaping? If that doesnt work a fully fledged example would be tremendously useful.

ajhstn · August 26, 2017, 4:25am

In normal regex syntax the $ is escaped, however the docs (which i have read) no where say that the $ needs escaping. They do talk about a list of other characters but not the $ though.

Anyway yes i have tried escaping.

The filter above is my full filter example. I am not sure what else to show you?

spinscale · August 28, 2017, 7:35am

I actually forgot the most important thing. Have you changed your mapping to not drop characters like a dollar sign? If you use the standard analyzer then this happens

GET _analyze
{
  "analyzer": "standard", 
  "text": "bar$"
}

{
  "tokens": [
    {
      "token": "bar",
      "start_offset": 0,
      "end_offset": 3,
      "type": "<ALPHANUM>",
      "position": 0
    }
  ]
}

As you can see, the dollar sign is removed from the input. So the dollar sign is never stored in the inverted index you are running the query against - and thus you dont get any results. You need to pick an analyzer which keeps those characters (you can try the whitespace analyzer for testing, but it has vastly different characteristics, you probably do not want to go with that one).

ajhstn · August 29, 2017, 12:26am

Hi @spinscale fantastic work, your idea is correct. However i don't know what to do regarding choosing another analyzer?

  "tokens": [
    {
      "token": "bar",
      "start_offset": 0,
      "end_offset": 3,
      "type": "<ALPHANUM>",
      "position": 0
    }
  ]
}

system · September 26, 2017, 12:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.