Regexp for ES

I have a regex that I have been using outside of elasticsearch and am needing to convert to a query:

(\sprivilege::|\ssekurlsa::|\scrypto::|\skerberos::|\slsadump::|\sprocess::)

I know from the documentation that the \s is out but I have a couple questions about rewriting this for ES:

  1. Not getting any results with *privilege::*. But I do get results if I remove the ::. Why is that?
  2. Do I need to query the field.keyword rather than the field?
  3. Also no luck with the | operator. Does it need to be written as multiple bool > should clauses?

Thanks in advance.
