Regex Search in Kibana

Kevin_Wiegand · August 17, 2017, 2:13pm

Hey there,
i want to do a Regex based Search on Kibana, i've read the Regex Instruction for Kibana an Lucene but i can't get my Search or Query to work.

I want to find each entry which begins with "Login 123456"(<-6 Digits vom 0-9)in the logmsg field.

So i tried this but there are no Search results.

logmsg:/Login [0-9]{6}/

I also tried Searching by a Custom Query but same result:

{
    "query": {
        "regexp":{
            "logmsg":"/Login [0-9]{6}/"
            }
        }
    }
}

Thanks for your Help!

BigFunger · August 17, 2017, 3:23pm

I assume that the problem is that the logmsg field is an analyzed text field. So the space doesn't actually exist in the indexed data. The regex you write needs to match a single token that was generated by the tokenizer for your field.

You could accomplish something similar by checking for both terms, but I'm not sure that accomplishes exactly what you want: (note the lower-case L which is how the token gets formatted)

  "query": {
    "bool": {
      "must": [
        {
          "regexp":{
            "logmsg":"[0-9]{6}"
            }
        },
        {
          "regexp":{
            "logmsg":"login"
            }
        }
      ]
    }
  }

If you instead index your field as a keyword instead of a text field, then you can write your regular expression as you would expect:

system · September 14, 2017, 3:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.