Lucene Regex issues

I'm trying to use some regex and it's becoming frustrating. It appears the syntax is not respected around the Kibana interface.

For example, I can exclude via regex with visualizations. However, I noticed if you choose to pivot from a visualization to Discover the exclusion doesn't follow with it... is this a bug?

I try to recreate the exclusion in Discover by changing the query language to Lucene and using the regex I previously applied to the visualization, but it doesn't work. It instead does an inclusion for those IPs.

Example:
NOT ip.src: /127\..*|192\.168\..*|172\<16-31>\..*/

I tried using the Filters in Kibana with regex and that doesn't work either.

I also tried using "regexp" via DSL query and it appears you can't use "\" to escape characters in that syntax. Not sure why that would be an illegal character even though Lucene supports escaping. Can you provide an example of DSL query that would exclude the regex above as well?

All my research shows inclusion type queries, but not exclusion with regex.


Hi @turboz. Is your ip.src field mapped as an IP field type? I think it would be much easier to create a query that uses CIDR notation rather than regex.
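As an added example (not code from either poster), this script builds the two Query DSL bodies discussed above: a bool/must_not regexp query for a keyword-mapped ip.src, and the CIDR alternative suggested in the reply for an ip-mapped field. It assumes the intended Lucene pattern is 127\..*|192\.168\..*|172\.<16-31>\..*, i.e. that <16-31> is Lucene's numeric-interval operator and must not be escaped, and that a literal dot after 172 was intended. It also evaluates both exclusions locally against a small constructed set of documents so the two can be checked against each other.

```python
import ipaddress
import json
import re

# Lucene regex with the assumed intended form (see lead-in): "\." is a literal
# dot and <16-31> is Lucene's numeric interval, so it is left unescaped.
LUCENE_PATTERN = r"127\..*|192\.168\..*|172\.<16-31>\..*"

# Equivalent CIDR blocks; usable only when ip.src is mapped as type "ip".
CIDR_BLOCKS = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]

# Constructed sample documents (hypothetical values, not from the thread).
SAMPLE_DOCS = [{"ip.src": ip} for ip in [
    "127.0.0.1", "192.168.1.5", "172.16.0.9", "172.31.255.1",
    "172.32.0.1", "172.160.1.1", "10.0.0.1", "8.8.8.8",
]]


def regexp_exclusion_query(field: str, pattern: str) -> dict:
    """Query DSL body excluding documents whose field matches a Lucene regex."""
    return {"query": {"bool": {"must_not": [
        {"regexp": {field: {"value": pattern}}}
    ]}}}


def cidr_exclusion_query(field: str, blocks: list) -> dict:
    """Query DSL body excluding documents whose ip-typed field falls in any block."""
    return {"query": {"bool": {"must_not": [
        {"term": {field: block}} for block in blocks
    ]}}}


def query_json(query: dict) -> str:
    """Serialise for an HTTP body: every backslash in the regex becomes '\\\\'."""
    return json.dumps(query, indent=2)


def lucene_to_python(pattern: str) -> "re.Pattern":
    """Expand Lucene's <a-b> interval into a Python alternation so the pattern can
    be evaluated locally; the rest of this pattern is plain regex syntax."""
    def expand(m):
        lo, hi = int(m.group(1)), int(m.group(2))
        return "(?:" + "|".join(str(n) for n in range(lo, hi + 1)) + ")"
    return re.compile(re.sub(r"<(\d+)-(\d+)>", expand, pattern))


def exclude_by_regex(docs: list, pattern: str) -> list:
    # Lucene regexes are anchored to the whole term, hence fullmatch.
    rx = lucene_to_python(pattern)
    return [d for d in docs if not rx.fullmatch(d["ip.src"])]


def exclude_by_cidr(docs: list, blocks: list) -> list:
    nets = [ipaddress.ip_network(b) for b in blocks]
    return [d for d in docs
            if not any(ipaddress.ip_address(d["ip.src"]) in n for n in nets)]


if __name__ == "__main__":
    print(query_json(regexp_exclusion_query("ip.src", LUCENE_PATTERN)))
    print(query_json(cidr_exclusion_query("ip.src", CIDR_BLOCKS)))
    print([d["ip.src"] for d in exclude_by_regex(SAMPLE_DOCS, LUCENE_PATTERN)])
    print([d["ip.src"] for d in exclude_by_cidr(SAMPLE_DOCS, CIDR_BLOCKS)])
```

The serialised body shows why a single backslash looks "illegal" in a DSL request: the regex travels inside a JSON string, so each `\` has to be written as `\\` there even though Lucene itself accepts the escape.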

Thanks for the response. I'm still relatively new to Elasticsearch and don't have full control over some parts of the stack. But, from what I can see it doesn't seem to be mapped as that type.

I'll have to see how you can change the field type. If not, what is the alternative? Shouldn't the regex work? I don't understand why the system treats it differently throughout Kibana interface.

Also, is it a bug that the filters applied to a visualization don't follow when you pivot to Discover from a visualization? Seems logical to apply them on the pivot, just allow the user to modify or remove the filter on the Discover page afterwards.
