Kibana and regular expressions help please

Hello everyone,

I need some help getting regular expressions to work in Kibana please.
I've tried several things that I thought would work, and none did. I must
be missing something basic. :)

I have events in ES that contain a field called "event_detail". Here are
two examples:

Success|I:0,C:true,FPLOS:00000000000000000000000000000000,P:14000.00,RUID:o3YdgA
Fail|C:false,MinS:0,MaxS:45,MinSA:0,MaxSA:0,CTA:false,P:0,RUID:+CxQyQ

I'd like to pull out records that contain "Fail" and an "RUID" of o3YdgA.
First I tried just getting "Fail" records by:

Adding a Filter of: event_detail:"Fail"*
(Success records were still in the results)

Adding a Query of: event_detail:"Fail"*
(Success records were still in the results)

Adding a Filter of: event_detail:/Fail/*
(Success records were still in the results)

Adding a Filter of: event_detail:/Fail|+/
(Returned no results at all)

Adding a Filter of: event_detail:/(Fail|)+/
(Returned no results at all)

Then I ran out of ideas. :S Can someone point me to why this is not
working?

Then I'd like to add the additional filter of the event_detail containing a
particular RUID string match as well.

Very much appreciate any help!
Thank you for your time.
Chris


Ok, I had a thought. Does a field need to be analyzed in order to work
with regular expressions perhaps? There is a mapping for this field that
defines it as a type of string, and an index of not_analyzed.

Just wondering.

On Mon, Nov 17, 2014 at 8:50 PM, Chris Neal chris.neal@derbysoft.net
wrote:
