Regexp for ES

ebdavison · May 15, 2020, 6:49pm

I have a regex that I have been using outside of elasticsearch and am needing to convert to a query:

(\sprivilege::|\ssekurlsa::|\scrypto::|\skerberos::|\slsadump::|\sprocess::)

I know from the documentation that the \s is out but I have a couple questions about rewriting this for ES:

Not getting any results with *privilege::*. But I do get results if I remove the ::. Why is that?
Do I need to query the field.keyword rather than the field?
Also no luck with the | operator. Does need to be written as multiple bool > should clauses?

Thanks in advance.

system · June 12, 2020, 6:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Regex queries possible? Elasticsearch	3	332	July 6, 2017
How to do regex search in ES Elasticsearch	1	371	July 6, 2017
Can someone please help me understand how ES handles literal '/' characters in regular expressions? Elasticsearch	2	454	July 6, 2017
Regex Query Elasticsearch	3	426	July 6, 2017
Regexp Query Not working Elasticsearch	8	623	July 6, 2017