Kibana Regex Searching Problems


(jason azzarella) #1

Running into an issue that I hope some folks on here can help me with. I've been using the stack for quite a few years and had no issues with regex searching up until now. I've recently upgraded to 6.4.2 on the entire stack. I CAN run regex searches via POSTs to the elastic cluster and get results; however, Kibana searching using the double / will never return a result now.

I figured it must be related to the separation of keywords/text fields but I AM able to run regex queries through a POST to the elastic cluster directly. I originally had dynamic mappings set up and figured maybe it had something to do with that, then switched over to adding a "keyword" type field to each object. This didn't fix it either so I have now tried setting the field as strictly a keyword type and that's it. Still no success. I know _all was deprecated and wasn't sure if this was also part of the issue. Below are some of the configs/info.

Mappings
{  
   "fast_doc":{  
      "mappings":{  
         "doc":{  
            "properties":{  
               "filename":{  
                  "type":"keyword"
               }
            }
         }
      }
   }
}

Not working Kibana search
filename:/[0-9a-zA-Z]{8}/


Successful elastic query
POST /fast_doc/_search
{
  "query": {
    "regexp": {
      "filename": "[0-9a-zA-Z]{8}"
    }
  }
}

(Larry Gregory) #2

Hey @jasonazzarella,

I tried your example, and the regex query worked for me:

I don't expect it to help, but you mentioned that you switched from a dynamic mapping to a fixed mapping. When you switched, did you happen to refresh your index patterns in Kibana? If not, can you perform that refresh (under Management -> Index Patterns), and give it another try?


(jason azzarella) #3

Thanks for the reply!

Just gave refreshing the index pattern a shot as I think I've only done it a few times throughout troubleshooting. Looks like it didn't resolve it. I've been reindexing data every time I do changes and I've triple checked that the _mapping to the keyword type is taking properly.

I use this sucker for a lot of host forensics so pattern matching is my world. Killing me that I can't figure out what's wrong. Haha.

Oh my goodness! I figured it out. I turned off the "turn on query features" in the options for auto field completion and regex is working again. Does this do any strange modifications at search time to whatever is crafted? Maybe adds some extra "s in there to treat it as literal which could bork the regex searching?


(Larry Gregory) #4

> Oh my goodness! I figured it out. I turned off the "turn on query features" in the options for auto field completion and regex is working again. Does this do any strange modifications at search time to whatever is crafted? Maybe adds some extra "s in there to treat it as literal which could bork the regex searching?

Ah, that would do it! This feature enables the Kibana Query Language ("KQL"), which has a different syntax than the default Lucene experience. I don't believe KQL has support for regex at this time. I'm glad you figured it out, thanks for posting the update!
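Added example, not part of the thread and not Kibana or Elasticsearch code: a Python helper that turns the Lucene query-bar clause from post #1 into the `regexp` request body that worked against the cluster, and previews locally which terms it would match. The function names and sample filenames are constructed for illustration, and Python's `re` only approximates Lucene regex syntax for simple patterns like this one.

```python
import json
import re

# Lucene query-bar form for a regex on one field: field:/pattern/
LUCENE_REGEX_CLAUSE = re.compile(r"^(?P<field>[\w.@-]+):/(?P<pattern>.*)/$")


def lucene_clause_to_regexp_query(clause):
    """Build the Elasticsearch regexp query body for a 'field:/pattern/' clause."""
    m = LUCENE_REGEX_CLAUSE.match(clause.strip())
    if m is None:
        raise ValueError("not a single field:/regex/ clause: %r" % clause)
    return {"query": {"regexp": {m.group("field"): m.group("pattern")}}}


def matching_terms(pattern, terms):
    """Preview matches locally.

    Lucene regexp patterns are anchored: they must match the whole term.
    On a keyword field the term is the entire field value, so fullmatch()
    is used here rather than search().
    """
    rx = re.compile(pattern)
    return [t for t in terms if rx.fullmatch(t)]


# Constructed sample values for a keyword-mapped "filename" field.
SAMPLE_FILENAMES = ["a1B2c3D4", "a1B2c3D4.exe", "svchost.exe", "ZZZZ9999", "short7"]

if __name__ == "__main__":
    body = lucene_clause_to_regexp_query("filename:/[0-9a-zA-Z]{8}/")
    print("POST /fast_doc/_search")
    print(json.dumps(body, indent=2))
    # Only the values that are exactly eight alphanumeric characters match.
    print(matching_terms("[0-9a-zA-Z]{8}", SAMPLE_FILENAMES))
```

Because the pattern is anchored, a value such as `a1B2c3D4.exe` needs a trailing `.*` (or an explicit extension) in the pattern before it will match.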

