Regex string from field value

ganchu · February 7, 2020, 8:55am

First query can find events included this string
"registry_key_path" : """HKCR\mscfile\shell\open\command\(Default)"""

GET _search
{
  "query": {
"query_string": {
  "query": "(registry_key_path:/.*mscfile.*/)"
}
  }
}

If I change query to below don't find anything.

Vadims_Daleckis · February 7, 2020, 1:34pm

I can confirm same happens for me. But this question seems to be specific to Elasticsearch, so I changed channel of this question from "Kibana" to "Elasticsearch".

Vadims_Daleckis · February 7, 2020, 1:47pm

If you run:

POST _analyze
{
  "text" : "HKCR\\mscfile\\shell\\open\\command\\(Default)"
}

you will see how Elasticsearch tokenizes the string:

{
  "tokens" : [
    {
      "token" : "hkcr",
      "start_offset" : 0,
      "end_offset" : 4,
      "type" : "<ALPHANUM>",
      "position" : 0
    },
    {
      "token" : "mscfile",
      "start_offset" : 5,
      "end_offset" : 12,
      "type" : "<ALPHANUM>",
      "position" : 1
    },
    {
      "token" : "shell",
      "start_offset" : 13,
      "end_offset" : 18,
      "type" : "<ALPHANUM>",
      "position" : 2
    },
    {
      "token" : "open",
      "start_offset" : 19,
      "end_offset" : 23,
      "type" : "<ALPHANUM>",
      "position" : 3
    },
    {
      "token" : "command",
      "start_offset" : 24,
      "end_offset" : 31,
      "type" : "<ALPHANUM>",
      "position" : 4
    },
    {
      "token" : "default",
      "start_offset" : 33,
      "end_offset" : 40,
      "type" : "<ALPHANUM>",
      "position" : 5
    }
  ]
}

My guess is it has to do with how regular expressions work with those tokens, if you AND two separate queries like that it fetches your document:

GET _search
{
  "query": {
"query_string": {
  "query": "(registry_key_path:/.*mscfile.*/) AND (registry_key_path:/.*shell.*/)"
}
  }
}

I realize it does solve your questions, but maybe it helps, and maybe somebody from Elasticsearch can chime in here.

Vadims_Daleckis · February 7, 2020, 1:51pm

Setting analyzer to keyword allowed me to successfully execute your query:

PUT /test
{
  "settings": {
    "analysis" : {
      "analyzer" : {
        "default" : {
          "type" : "keyword"
        }
      }
    }
  }
}

POST /test/_doc/
{
    "user" : "kimchy",
    "registry_key_path" : "HKCR\\mscfile\\shell\\open\\command\\(Default)"
}

GET /test/_search
{
  "query": {
    "query_string": {
      "query": "(registry_key_path:/.*mscfile.*shell.*/)"
    }
  }
}

Mark_Harwood · February 7, 2020, 1:53pm

Duplicate post

See my comments re performance

Vadims_Daleckis · February 7, 2020, 1:54pm

POST _analyze
{
  "text" : "HKCR\\mscfile\\shell\\open\\command\\(Default)",
  "analyzer" : "keyword"
}

result:

{
  "tokens" : [
    {
      "token" : """HKCR\mscfile\shell\open\command\(Default)""",
      "start_offset" : 0,
      "end_offset" : 41,
      "type" : "word",
      "position" : 0
    }
  ]
}

system · March 6, 2020, 1:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.