Regexp for ES

ebdavison · May 15, 2020, 6:49pm

I have a regex that I have been using outside of elasticsearch and am needing to convert to a query:

(\sprivilege::|\ssekurlsa::|\scrypto::|\skerberos::|\slsadump::|\sprocess::)

I know from the documentation that the \s is out but I have a couple questions about rewriting this for ES:

Not getting any results with *privilege::*. But I do get results if I remove the ::. Why is that?
Do I need to query the field.keyword rather than the field?
Also no luck with the | operator. Does need to be written as multiple bool > should clauses?

Thanks in advance.

system · June 12, 2020, 6:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to do regex search in ES Elasticsearch	1	341	July 6, 2017
ES regexp not working properly Elasticsearch	4	1219	March 15, 2021
Help: Elasticsearch Regexp query Elasticsearch	7	1285	December 3, 2020
Regexp/wildcard with slash in data does not work (ES 5.0) Elasticsearch	2	954	December 28, 2016
Regexp matches when it shouldn't, doesn't match when it should Elasticsearch	4	885	August 21, 2017