REGEX-Painless returns null

PolterFox · April 17, 2018, 1:47pm

Hey guys,

I have the following problem. In the JSON Messages for ES I got multiple data in a field and I want to match this data with an regex. So I´ve tested it in the Kibana Developer Console (Webinterface) and I`ve tried to understand what I am doing wrong.

I have the following painless-script for a scripted field:

Painless-script

if(doc['myField.keyword'].value != null){
    Matcher m = (?<Group0>UserName=)(?<Group1>\w+\ {1,2}\w+)/.matcher(doc['myField.keyword'].value);
if(m.find())
{
    return m.group(2);
}
else{
    return \"NoMatch\";
}}
else{
    return \"NULL\";
}

The problem is that Kibana returns just the value for NULL, but ALL messages contain this data.
If I understand correctly this would be mean that the field myField.keyword should be NULL but this is not the case.

I hope somebody have a solution for my problem.
I am looking forward to hear from you!
Best regards,
Robert

lukas · April 17, 2018, 6:48pm

Have you tried using doc['myField'].value instead?

PolterFox · April 18, 2018, 6:15am

Hey @lukas,

Thanks for your answer.
I´ve tried your version with doc['myField'].value. After I setting the property "fielddata" to true, I can search directly in the value of doc['myField']. But it seems that my regex-expression does not find anything, but it works for me in seperate tool to build regex-expressions.

Do you have an idea why I don´t get anything from the regex-expression in kibana?

Once again thanks a lot!
Best regards,
Robert

lukas · April 18, 2018, 4:02pm

Okay, looking at the docs, it looks like regex is disabled by default in Painless:

https://www.elastic.co/guide/en/elasticsearch/painless/current/painless-examples.html#modules-scripting-painless-regex

Have you enabled it? And are you using the syntax that Painless suggests?

PolterFox · April 18, 2018, 4:09pm

Yes, I´ve enabled painless regex in the elasticsearch.yml.

Here you can see my script:

My script

if(doc['myField.keyword'].value != null){
    Matcher m = /(?<Group0>UserName=)(?<Group1>\w+\ {1,2}\w+)/.matcher(doc['myField.keyword'].value);
if(m.find())
{
    return m.group(2);
}
else{
    return \"NoMatch\";
}}
else{
    return \"NULL\";
}

This is my regex: (?<Group0>UserName=)(?<Group1>\w+\ {1,2}\w+)

lukas · April 18, 2018, 5:03pm

What is an example of something you want to match and something that you don't want to match?

PolterFox · April 19, 2018, 5:40am

Hey @lukas,
Here you can see an example of my data inside the field:

MyField - Data

{ID=1234,
 Server=google.com,
 Application=OPERA,
 UserName=MYSERVER\\USERNAME1234,
 VERSION=1.0.0.1,
 Framework=.NET,
 Data=TEST-DATA,
 HostName=MYHOSTNAME
}MyFIELD

This is the field-value! It´s not a seperate Message.
I want to get the Username including SERVER\\Username (the backslash can be one or two inside the name). I hope this "Test-Data" can help you to find out whats the problem.

Thank you!
Best regards,
Robert

PolterFox · April 20, 2018, 6:44am

Hey everybody,

I just let myself spend the field value, but I get back the value "0" even though my message on the Discover page is in this field. Does anyone have an idea why that is?

system · May 18, 2018, 6:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.