Trying to grasp why I can't do regexp searches on a field defined as:
"message": {
"type": "text",
"fields": {
"keyword": { "type" : "keyword" }
}
},
have read what I could find in this forum and stackoverflow, but nothing really pointed me in the right direction.
Any hints appreciated, TIA!
Hi @stefws,
doing regexp searches on keyword fields and text fields should work fine:
PUT testindex/_doc/1
{ "test": "bacdefg" }
GET testindex/_search
{
"query": {
"regexp": {
"test": {
"value": "b.*g"
}
}
}
}
GET testindex/_search
{
"query": {
"regexp": {
"test.keyword": {
"value": "b.*g"
}
}
}
}
Both searches return the expected results. Do you have a specific query that's failing for you?
Just seems confusing how to ensure that Kibana Discover sends the right query using regexp...
Yes I have samples that eludes me 
eg. indexes with message[.keyword] defined as above with content like:
Sep 25 09:15:27 NSX-edge-152-0 nat: SNAT_IN= OUT=vNic_0 SRC=10.10.11.10 DST=1.2.3.4 LEN=84 TOS=0x00 PREC=0x00 TTL=127 ID=31411 PROTO=UDP SPT=52493 DPT=53 LEN=64
searching in Kibana that eludes me (known CAPS is also a hazzle):
message:/Sep*SNAT*/
Ah, maybe you didn't turn of KQL (same problem as in this topic: Kibana Regex Searching Problems)
Could you try clicking "KQL" in the top right of the search bar, set it to "Lucene" and execute the search again?
Don't see Lucene in my top right, only this in my 6.8 kibana:
Ah, this got renamed - you have to turn off "query features" to use regular Lucene queries
Could you try querying the message.keyword field instead and use .* instead of * to match unknown characters?
message.keyword:/Sep.*SNAT_IN=.*/ works for me.
Yeap that works, thanks!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
