I have a regex that I have been using outside of elasticsearch and am needing to convert to a query:
`(\sprivilege::|\ssekurlsa::|\scrypto::|\skerberos::|\slsadump::|\sprocess::)`

I know from the documentation that the `\s` is out, but I have a couple of questions about rewriting this for ES:

- Not getting any results with `*privilege::*`. But I do get results if I remove the `::`. Why is that?
- Do I need to query the `field.keyword` rather than the `field`?
- Also no luck with the `|` operator. Does it need to be written as multiple bool `should` clauses?
Thanks in advance.
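As an added illustration (not part of the original post), the Python below builds the two Elasticsearch query shapes the question weighs up, a single `regexp` over `field.keyword` and one `wildcard` clause per module under `bool.should`, and approximates why a wildcard on the analyzed text field cannot match `::`: the standard analyzer discards punctuation when tokenizing, so only the keyword sub-field keeps the raw string. The field name `message`, the default dynamic mapping with a `.keyword` sub-field, the simplified tokenizer and the sample event line are assumptions.

```python
import json
import re

# Module prefixes taken from the regex in the post above.
MODULES = ["privilege", "sekurlsa", "crypto", "kerberos", "lsadump", "process"]


def es_regexp_query(field: str) -> dict:
    """Single `regexp` query over the raw keyword sub-field.

    Lucene regex has no \\s class and is anchored to the whole value, so the
    leading whitespace is written as a literal space and the alternation is
    wrapped in `.*` on both sides.
    """
    alternation = "|".join(f" {m}::" for m in MODULES)
    return {"query": {"regexp": {f"{field}.keyword": {
        "value": f".*({alternation}).*"}}}}


def es_should_wildcards(field: str) -> dict:
    """Same intent as a bool query: one `wildcard` per module, at least one must match."""
    clauses = [{"wildcard": {f"{field}.keyword": {"value": f"* {m}::*"}}}
               for m in MODULES]
    return {"query": {"bool": {"should": clauses, "minimum_should_match": 1}}}


def standard_tokens(text: str) -> list:
    """Rough approximation (assumption) of the standard analyzer: runs of letters
    and digits become lowercase tokens; punctuation such as `::` is discarded."""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)]


def wildcard_hits_text_field(text: str, pattern: str) -> bool:
    """A wildcard on an analyzed text field is tested term by term, so
    `*privilege::*` can never match: no token contains `::`."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return any(re.match(regex, tok) for tok in standard_tokens(text))


def keyword_hits(value: str) -> bool:
    """The original regex semantics, applied to the raw (keyword) value."""
    pattern = r"\s(" + "|".join(f"{m}::" for m in MODULES) + ")"
    return re.search(pattern, value) is not None


if __name__ == "__main__":
    # Constructed sample event line (not from the post).
    line = "CommandLine: tool.exe privilege::example"
    print(json.dumps(es_regexp_query("message"), indent=2))
    print(standard_tokens(line))
    print(wildcard_hits_text_field(line, "*privilege::*"), keyword_hits(line))
```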