Problem for using regexp in DSL

ES version: 6.8.6
I use something like this:

GET _search
{
  "query": {
    "regexp": {
      "message": ".*error.*"
    }
  }
}

I can get some results, for example:

{
  "_index" : "filebeat-6.8.6-2020.08.13",
  "_type" : "doc",
  "_id" : "kiZ45nMBmMXSaaD4Zncy",
  "_score" : 1.0,
  "_source" : {
    "@timestamp" : "2020-08-13T06:18:35.468Z",
    "offset" : 19074,
    "message" : "[22:44:03] [ERROR] COMPILATION ERROR : ",
    "projectName" : "test-job-name",
    "buildNumber" : "1"
  }
}

When I add the '[' character to the regexp, it doesn't return anything.

GET _search
{
  "query": {
    "regexp": {
      "message": ".*\\[error.*"
    }
  }
}

One of the tricks here is that you do not need to use a regular expression query at all. The reason is that a term like error or compilation will be stored in the index and thus made searchable. You can use a regular match query instead and still find your document.

In order to understand how a field is indexed, stored and searched, I highly recommend reading Elasticsearch - The Definitive Guide, especially the Search in Depth section.

Despite its age, this is still one of the best introductions to this topic.

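Why the second query in the thread above returns nothing, as an added example that is not part of the original posts. It assumes `message` is a `text` field using the default standard analyzer (the thread does not show the mapping), approximates that analyzer with a simple regex, and uses Python's `re` in place of Lucene's regexp engine; the unanalyzed keyword field in the last case is hypothetical.

```python
import re

# Constructed sample: the "message" value from the hit shown in the question.
MESSAGE = "[22:44:03] [ERROR] COMPILATION ERROR : "

def analyze(text):
    """Rough stand-in for the standard analyzer (assumption): lowercase and
    split on non-word characters, so '[' never becomes part of a term."""
    return re.findall(r"\w+", text.lower())

def regexp_hits(pattern, terms):
    """A regexp query is anchored and tested against each indexed term,
    not against the original string, so it must match a whole term."""
    rx = re.compile(pattern)
    return [t for t in terms if rx.fullmatch(t)]

def match_hits(query_text, terms):
    """A match query analyzes the query text the same way as the field,
    then looks the resulting terms up in the index."""
    return [t for t in analyze(query_text) if t in terms]

def explain(message=MESSAGE):
    terms = analyze(message)
    return {
        "terms": terms,
        # First query in the thread: some term contains "error".
        "regexp_plain": regexp_hits(r".*error.*", terms),
        # Second query: no indexed term contains "[", so nothing matches.
        "regexp_bracket": regexp_hits(r".*\[error.*", terms),
        # The suggested alternative: "[ERROR]" is analyzed down to "error".
        "match": match_hits("[ERROR]", terms),
        # Hypothetical unanalyzed (keyword) field: the raw string is the
        # single term, so the bracket and the upper case are both preserved.
        "keyword_regexp": regexp_hits(r".*\[ERROR.*", [message]),
    }

if __name__ == "__main__":
    for name, value in explain().items():
        print(f"{name}: {value}")
```

On a real cluster, the `_analyze` API with the field's analyzer shows the actual terms produced for a given message.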