Regexp for MAC Addresses

So, I have a keyword field (yes, type is keyword as well, not just the name) that I want to match against MAC addresses.
The field contains just the MAC address and nothing else, so anchoring is not a problem.

However, a query like

{
  "query": {
    "regexp": {
      "winlog.event_data.TargetUserName.keyword": {
        "value": "([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})"
      }
    }
  }
}

returns no results, even when I know for sure that it should.

Obviously, there is some problem with that regex in combination with Elasticsearch, because https://regex101.com/r/xtEKPs/1 works as expected.

Any ideas why this isn't working?

This uses the Lucene regular expression engine, which is not PCRE compatible.

See https://www.elastic.co/guide/en/elasticsearch/reference/7.1/query-dsl-regexp-query.html#regexp-syntax

You can also read about it here https://lucene.apache.org/core/8_0_0/core/org/apache/lucene/util/automaton/RegExp.html

This expression worked for me, but maybe I am missing something: ([0-9A-Fa-f]{2}[:]){5}[0-9A-Fa-f]{2}

Yes, your version indeed works. Which leaves me kinda puzzled. The only difference is that I have a set of separators ('-' and ':') and you are using just colons. So actually you don't even have to use a set and could simplify it to ([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2}).
Anyways, I don't understand why my regex wouldn't work, Perl compliant or not.

Your original one may not have worked because of the - in the range. The regex engine may have thought that was indicating a range (like [0-9]) instead of just a character.
If you want to match special characters, you need to escape them with (I think) a \. Try [:\-], or maybe even just have the - as the first character in the group so the engine may not consider it as a range identifier ([-:]).
I haven't tested these - it's just based on experience.

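Putting the thread's advice into a small helper, as an added example that is not code from the thread or from Elastic: it builds the regexp query with a Lucene-safe separator class (the '-' placed first, other reserved characters backslash-escaped) and previews candidate values client-side with Python's re, which is assumed to agree with Lucene for this simple pattern. The field name and the sample values are constructed.

```python
import json
import re

# Characters that are operators in Lucene's RegExp syntax (the default set plus
# the optional operators Elasticsearch enables by default). A backslash makes
# any of them literal, which Lucene's parser accepts inside a class as well.
LUCENE_SPECIAL = set('.?+*|{}[]()"\\#@&<>~')


def lucene_separator_class(separators):
    """Build a character class such as [-:] that Lucene cannot misread.

    A '-' is moved to the front so it cannot be taken as a range operator, and
    every other reserved character is escaped with a backslash.
    """
    chars = list(separators)
    if '-' in chars:
        chars.remove('-')
        chars.insert(0, '-')
    escaped = ''.join('\\' + c if c in LUCENE_SPECIAL else c for c in chars)
    return '[' + escaped + ']'


def mac_pattern(separators='-:'):
    """Six hex octets joined by one of the given separators (no anchors:
    Lucene regexp queries always match the whole keyword term)."""
    return '([0-9A-Fa-f]{2}' + lucene_separator_class(separators) + '){5}[0-9A-Fa-f]{2}'


def regexp_query(field, separators='-:'):
    """Query body in the same shape as the one posted in the thread."""
    return {"query": {"regexp": {field: {"value": mac_pattern(separators)}}}}


def preview_matches(values, separators='-:'):
    """Client-side sanity check with Python's re (assumed equivalent to Lucene
    for this pattern); fullmatch emulates Lucene's whole-term matching."""
    pattern = re.compile(mac_pattern(separators))
    return [v for v in values if pattern.fullmatch(v)]


# Constructed sample terms, not data from the thread.
SAMPLE_TERMS = [
    "00-1A-2B-3C-4D-5E",
    "00:1a:2b:3c:4d:5e",
    "001A2B3C4D5E",
    "00-1A-2B-3C-4D-5E-extra",
    "user@host",
]

if __name__ == "__main__":
    print(json.dumps(regexp_query("host.mac.keyword"), indent=2))  # hypothetical field
    print(preview_matches(SAMPLE_TERMS))
```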
