Regex + fixed string match needed

The default analyzer is standard. If I change it to keyword I can get regex
working. But I want both to work simultaneously.
For example, let's say I push this event to Elasticsearch via Logstash: "this is
my new string".
In Kibana search,
If I look for message:"string", it should return me "this is my new string"
If I look for message:"this.*string", it should return me "this is my new
string"

How should I configure my index? If I mark the field as "not_analyzed", a
search for "new string" will fail. I want fixed-string and regex to both work. Can I
get a combination of keyword+standard analyzer to work?

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/108e209b-64ce-40b8-81f0-cd67b8b0fd77%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

There are two ways to perform regex matching with Elasticsearch and both
require multi-fields
(http://www.elasticsearch.org/guide/en/elasticsearch/reference/0.90/mapping-multi-field-type.html).

The first way is to create a not_analyzed subfield like on the link above
and query it like message.untouched:/this.*string/ (or whatever Kibana's
query language is). not_analyzed has the problem of emitting hugely long
tokens which Lucene can complain about. So you have to set ignore_above
and it won't work for long strings.

The other way isn't integrated into Kibana, may be slower for short strings
(I'm not sure) but works for longer strings. The wikimedia-extra plugin
(https://github.com/wikimedia/search-extra) has a thing called
source_regex which does a two pass regex search. The first pass does a
pile of term queries to try and filter down the index to candidate docs and
the second pass just loads the strings from source and runs the regex
against them.

I suspect the first one will work for you but I'm including the second for
posterity.

Nik
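
The first approach from the reply above, modelled as an added example that is not part of the original thread: an analyzed `message` field for fixed-string search plus a not_analyzed `message.untouched` sub-field for regex, with the `ignore_above` caveat for long values. The mapping uses Elasticsearch 1.x multi-field syntax (an assumption about the version), the limit of 256 and the sample events are constructed, and the tokenizer is a rough stand-in for the standard analyzer.

```python
import re

# Multi-field mapping in Elasticsearch 1.x syntax (assumed version). The
# sub-field name "untouched" follows the reply; 256 is a constructed limit.
MAPPING = {"properties": {"message": {
    "type": "string",  # analyzed, standard analyzer by default
    "fields": {"untouched": {"type": "string", "index": "not_analyzed",
                             "ignore_above": 256}}}}}

def index_terms(text, mapping=MAPPING):
    """Model the terms each field puts into the inverted index."""
    limit = mapping["properties"]["message"]["fields"]["untouched"]["ignore_above"]
    return {
        # Rough stand-in for the standard analyzer: lowercase word tokens.
        "message": set(re.findall(r"\w+", text.lower())),
        # not_analyzed: the whole value is one term, dropped above the limit.
        "message.untouched": {text} if len(text) <= limit else set(),
    }

def term_match(terms, field, term):
    """Fixed-string lookup of a single term."""
    return term in terms[field]

def regexp_match(terms, field, pattern):
    """Regexp queries are term-level: the pattern must match a whole term."""
    return any(re.fullmatch(pattern, t) for t in terms[field])

def demo():
    short = index_terms("this is my new string")          # constructed sample
    long_ = index_terms("this " + "x" * 300 + " string")  # exceeds ignore_above
    return {
        "fixed_on_analyzed": term_match(short, "message", "string"),
        "regex_on_analyzed": regexp_match(short, "message", "this.*string"),
        "regex_on_untouched": regexp_match(short, "message.untouched", "this.*string"),
        "long_regex_on_untouched": regexp_match(long_, "message.untouched", "this.*string"),
        "long_fixed_on_analyzed": term_match(long_, "message", "string"),
    }

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

For log search this means a regex over `message.untouched` silently misses any event longer than `ignore_above`, while the analyzed field still finds it by term.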

On Tue, Jan 6, 2015 at 3:50 AM, Amit amit.balode@gmail.com wrote:

The default analyzer is standard. If I change it to keyword I can get
regex working. But I want both to work simultaneously.
For example, let's say I push this event to Elasticsearch via Logstash: "this is
my new string".
In Kibana search,
If I look for message:"string", it should return me "this is my new
string"
If I look for message:"this.*string", it should return me "this is my new
string"

How should I configure my index? If I mark the field as "not_analyzed", a
search for "new string" will fail. I want fixed-string and regex to both work. Can I
get a combination of keyword+standard analyzer to work?
