How to use regex

user2416 · May 6, 2020, 4:19am

Hi,

I am trying to match multiple fileds with multiple values and also trying to match some values using regex. Below is my query. But its not working. Can someone help me with this query.

{
  "query": {
    "bool": {
      "should": {
        "match": {
          "Records.eventSource": "service"
        }
      },
      "must": {
        "bool": {
          "should": [
            {
              "match": {
                  "regexp":{	
                    "Records.eventName": "List*"	
                   }
                }
            },
            {
              "match": {
                "regexp":{	
                    "Records.eventName": "Get.*"	
                   }
              }
            }
          ]
        }
      }
    }
  }
}

Jack_Phan · May 6, 2020, 4:21am

"List*" is not a proper regex pattern. You might want to try wildcard instead.

user2416 · May 6, 2020, 4:25am

@Jack_Phan I tried wildcard also, still its not working. Can I use wildcard inside match?

Jack_Phan · May 6, 2020, 4:31am

I'm afraid not. Can you try to replace match by wildcard directly.

user2416 · May 6, 2020, 5:11am

@Jack_Phan after removing match filed its working, But when I include range in the query like below its not working. Where should I use range filter inside this query?

{
  "query": {
      
    "bool": {
      "should": {
          
        "match": {
          "Records.eventSource": "service"
            }  
          },
     
      "must": {
        "bool": {
          "should": [
            {
              "wildcard": {
                    "Records.eventName": "list*"
                   
                }
            },
            {
              "wildcard": {
                    "Records.eventName": "get*"	
                   
              }
            },
{
              "range" : {
                 "@timestamp" : {
                "gte" : "now-1h"
                
            }
        }}
            
          ]
        }
      }
  
     
    }
    
 
  }
}

Jack_Phan · May 6, 2020, 5:18am

Try this:

"query": {
"bool": {
"must": [
{
"wildcard": {
"Records.eventName": "list*"
}
}
],
"filter": [
{
"range": {
"@timestamp": {
"from": "now-1m"
}
}
}
]
}
}

user2416 · May 6, 2020, 5:19am

working now. Thanks

user2416 · May 6, 2020, 9:46pm

@Jack_Phan I see that when i add range, Its not applying above filters but its filtering all events in the time range. How can I apply filters and get filtered data during particular time range?

system · June 3, 2020, 9:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.