Kibana Search - Regex


(Hung Minh Nguyen) #1

Hi,

I have this Kibana Search using regex and don't understand why it is not working. The search string is legal according to Query DSL filter but it gives me error "Courier Fetch: 124 of 1830 shards failed." Is there the special characters that I need to escape?

please see my filter syntax below:

{
  "query": {
    "regexp": {
      "message": "(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[#$]).{8,20}"
    }
  }
}

(Brandon Kobel) #2

I believe that you're hitting the too_complex_to_determinize_exception error that Elasticsearch is throwing when you try to use a RegEx that is too complex and would result in too high of memory usage.

If you try to execute a query similar to the following via DevTools:

GET logstash-*/_search
{
  "query": {
    "regexp": {
      "message": "(?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[#$]).{8,20}"
    }
  }
}

You'll see the following error response:

{
  "error": {
    "root_cause": [
      {
        "type": "query_shard_exception",
        "reason": "failed to create query: {\n  \"regexp\" : {\n    \"message\" : {\n      \"value\" : \"(?=.*\\\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[#$]).{8,20}\",\n      \"flags_value\" : 65535,\n      \"max_determinized_states\" : 10000,\n      \"boost\" : 1.0\n    }\n  }\n}",
        "index_uuid": "2vspEvQ2Q6m0RmUwN_6_fQ",
        "index": "logstash-0"
      }
    ],
    "type": "search_phase_execution_exception",
    "reason": "all shards failed",
    "phase": "query",
    "grouped": true,
    "failed_shards": [
      {
        "shard": 0,
        "index": "logstash-0",
        "node": "h9_nyEpyTS2H2Xa7_ZF_3w",
        "reason": {
          "type": "query_shard_exception",
          "reason": "failed to create query: {\n  \"regexp\" : {\n    \"message\" : {\n      \"value\" : \"(?=.*\\\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[#$]).{8,20}\",\n      \"flags_value\" : 65535,\n      \"max_determinized_states\" : 10000,\n      \"boost\" : 1.0\n    }\n  }\n}",
          "index_uuid": "2vspEvQ2Q6m0RmUwN_6_fQ",
          "index": "logstash-0",
          "caused_by": {
            "type": "too_complex_to_determinize_exception",
            "reason": "Determinizing (?=.*\\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[#$]).{8,20} would result in more than 10000 states.",
            "caused_by": {
              "type": "too_complex_to_determinize_exception",
              "reason": "Determinizing automaton with 64 states and 71 transitions would result in more than 10000 states."
            }
          }
        }
      }
    ]
  },
  "status": 400
}

Is there a simpler regex that would satisfy your requirements?


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.