How to use regex

user2416 · May 6, 2020, 4:19am

Hi,

I am trying to match multiple fileds with multiple values and also trying to match some values using regex. Below is my query. But its not working. Can someone help me with this query.

{
  "query": {
    "bool": {
      "should": {
        "match": {
          "Records.eventSource": "service"
        }
      },
      "must": {
        "bool": {
          "should": [
            {
              "match": {
                  "regexp":{	
                    "Records.eventName": "List*"	
                   }
                }
            },
            {
              "match": {
                "regexp":{	
                    "Records.eventName": "Get.*"	
                   }
              }
            }
          ]
        }
      }
    }
  }
}

Jack_Phan · May 6, 2020, 4:21am

"List*" is not a proper regex pattern. You might want to try wildcard instead.

user2416 · May 6, 2020, 4:25am

@Jack_Phan I tried wildcard also, still its not working. Can I use wildcard inside match?

Jack_Phan · May 6, 2020, 4:31am

I'm afraid not. Can you try to replace match by wildcard directly.

user2416 · May 6, 2020, 5:11am

@Jack_Phan after removing match filed its working, But when I include range in the query like below its not working. Where should I use range filter inside this query?

{
  "query": {
      
    "bool": {
      "should": {
          
        "match": {
          "Records.eventSource": "service"
            }  
          },
     
      "must": {
        "bool": {
          "should": [
            {
              "wildcard": {
                    "Records.eventName": "list*"
                   
                }
            },
            {
              "wildcard": {
                    "Records.eventName": "get*"	
                   
              }
            },
{
              "range" : {
                 "@timestamp" : {
                "gte" : "now-1h"
                
            }
        }}
            
          ]
        }
      }
  
     
    }
    
 
  }
}

Jack_Phan · May 6, 2020, 5:18am

Try this:

"query": {
"bool": {
"must": [
{
"wildcard": {
"Records.eventName": "list*"
}
}
],
"filter": [
{
"range": {
"@timestamp": {
"from": "now-1m"
}
}
}
]
}
}

user2416 · May 6, 2020, 5:19am

working now. Thanks

user2416 · May 6, 2020, 9:46pm

@Jack_Phan I see that when i add range, Its not applying above filters but its filtering all events in the time range. How can I apply filters and get filtered data during particular time range?

system · June 3, 2020, 9:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How do I query using Wildcard Elasticsearch	6	1970	July 6, 2017
Question about Wildcard Query Elasticsearch	2	325	February 20, 2019
Multi_match with Wildcard? Elasticsearch	2	9443	September 14, 2018
Wildcard inside nested query and a value match Elasticsearch	2	1804	January 17, 2019
Using Regex in Query via Kibana Elasticsearch	6	1179	July 6, 2017

How to use regex

Related topics