Kibana Search - Regex

VietCong · July 9, 2018, 6:32am

Hi,

I have this Kibana Search using regex and don't understand why it is not working. The search string is legal according to Query DSL filter but it gives me error "Courier Fetch: 124 of 1830 shards failed." Is there the special characters that I need to escape?

please see my filter syntax below:

{
  "query": {
    "regexp": {
      "message": "(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[#$]).{8,20}"
    }
  }
}

Brandon_Kobel · July 9, 2018, 1:28pm

I believe that you're hitting the too_complex_to_determinize_exception error that Elasticsearch is throwing when you try to use a RegEx that is too complex and would result in too high of memory usage.

If you try to execute a query similar to the following via DevTools:

GET logstash-*/_search
{
  "query": {
    "regexp": {
      "message": "(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[#$]).{8,20}"
    }
  }
}

You'll see the following error response:

{
  "error": {
    "root_cause": [
      {
        "type": "query_shard_exception",
        "reason": "failed to create query: {\n  \"regexp\" : {\n    \"message\" : {\n      \"value\" : \"(?=.*\\\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[#$]).{8,20}\",\n      \"flags_value\" : 65535,\n      \"max_determinized_states\" : 10000,\n      \"boost\" : 1.0\n    }\n  }\n}",
        "index_uuid": "2vspEvQ2Q6m0RmUwN_6_fQ",
        "index": "logstash-0"
      }
    ],
    "type": "search_phase_execution_exception",
    "reason": "all shards failed",
    "phase": "query",
    "grouped": true,
    "failed_shards": [
      {
        "shard": 0,
        "index": "logstash-0",
        "node": "h9_nyEpyTS2H2Xa7_ZF_3w",
        "reason": {
          "type": "query_shard_exception",
          "reason": "failed to create query: {\n  \"regexp\" : {\n    \"message\" : {\n      \"value\" : \"(?=.*\\\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[#$]).{8,20}\",\n      \"flags_value\" : 65535,\n      \"max_determinized_states\" : 10000,\n      \"boost\" : 1.0\n    }\n  }\n}",
          "index_uuid": "2vspEvQ2Q6m0RmUwN_6_fQ",
          "index": "logstash-0",
          "caused_by": {
            "type": "too_complex_to_determinize_exception",
            "reason": "Determinizing (?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[#$]).{8,20} would result in more than 10000 states.",
            "caused_by": {
              "type": "too_complex_to_determinize_exception",
              "reason": "Determinizing automaton with 64 states and 71 transitions would result in more than 10000 states."
            }
          }
        }
      }
    ]
  },
  "status": 400
}

Is there a simpler regex that would satisfy your requirements?

system · August 6, 2018, 1:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.