Regexp for ES

ebdavison · May 15, 2020, 6:49pm

I have a regex that I have been using outside of elasticsearch and am needing to convert to a query:

(\sprivilege::|\ssekurlsa::|\scrypto::|\skerberos::|\slsadump::|\sprocess::)

I know from the documentation that the \s is out but I have a couple questions about rewriting this for ES:

Not getting any results with *privilege::*. But I do get results if I remove the ::. Why is that?
Do I need to query the field.keyword rather than the field?
Also no luck with the | operator. Does need to be written as multiple bool > should clauses?

Thanks in advance.

system · June 12, 2020, 6:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.