Regexp for ES

ebdavison · May 15, 2020, 6:49pm

I have a regex that I have been using outside of elasticsearch and am needing to convert to a query:

(\sprivilege::|\ssekurlsa::|\scrypto::|\skerberos::|\slsadump::|\sprocess::)

I know from the documentation that the \s is out but I have a couple questions about rewriting this for ES:

Not getting any results with *privilege::*. But I do get results if I remove the ::. Why is that?
Do I need to query the field.keyword rather than the field?
Also no luck with the | operator. Does need to be written as multiple bool > should clauses?

Thanks in advance.

system · June 12, 2020, 6:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ES regexp not working properly Elasticsearch	4	1206	March 15, 2021
Help: Elasticsearch Regexp query Elasticsearch	7	1267	December 3, 2020
Regexp/wildcard with slash in data does not work (ES 5.0) Elasticsearch	2	954	December 28, 2016
Regular Expression doesn't work Elasticsearch	2	374	April 25, 2019
Forward slashes not matching in regexp query Elasticsearch	4	6603	March 9, 2018