Regexp for MAC addresses

So, I have a keyword field (yes, type is keyword as well, not just the name) that I want to match against MAC addresses.
The field contains just the MAC address and nothing else, so anchoring is not a problem.

However, a query like

{
  "query": {
    "regexp": {
      "winlog.event_data.TargetUserName.keyword": {
        "value": "([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})"
      }
    }
  }
}

returns no results, even when I know for sure that it should.

Obviously, there is some problem with that regex in combination with Elasticsearch, because it works as supposed.

Any ideas why this isn't working?

This uses the lucene regular expression engine, which is not PCRE compatible.


You can also read about it here.

This expression worked for me, but maybe I am missing something: ([0-9A-Fa-f]{2}[:]){5}[0-9A-Fa-f]{2}

Yes, your version indeed works. Which leaves me kinda puzzled. The only difference is that I have a set of separators ('-' and ':') and you are using just colons. So actually you don't even have to use a set and could simplify it to ([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2}).
Anyways, I don't understand why my regex wouldn't work, Perl compliant or not.

Your original one may not have worked because of the - in the range. The regex engine may have thought that was indicating a range (like [0-9]) instead of just a character.
If you want to match special characters, you need to escape them with (I think) a \. Try [:\-], or maybe even just have the - as the first character in the group so the engine may not consider it as a range identifier ([-:]).
I haven't tested these - it's just based on experience.

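An added example, not posted by anyone in this thread: a small Python helper that lints a pattern for constructs Lucene's regexp syntax handles differently from PCRE (the ^/$ anchors, (?...) groups, and a trailing hyphen inside a character class, the suspect the last reply names), checks it with a full-string match against constructed sample values, and builds the Elasticsearch regexp query body with flags set to NONE. The sample values, the field name reuse and the lint rules are my assumptions; Python's re module is only a stand-in for Lucene's implicit anchoring, so it will happily accept the original pattern, which is exactly why the lint pass exists alongside it.

```python
import json
import re

# Constructed sample field values (not from the original thread). The field holds
# only the MAC, so matching must be full-string, like Lucene's implicit anchoring.
SAMPLES = {
    "00:1A:2B:3C:4D:5E": True,
    "00-1a-2b-3c-4d-5e": True,
    "00:1A:2B:3C:4D": False,     # only five octets
    "001A.2B3C.4D5E": False,     # Cisco dotted form, deliberately outside the pattern
    "jdoe": False,               # an ordinary user name in the same field
}

HEX2 = "[0-9A-Fa-f]{2}"
# Hyphen placed first so it cannot be read as the start of a range; no ^/$ because
# Lucene anchors the whole pattern anyway.
MAC_LUCENE = f"({HEX2}[-:]){{5}}{HEX2}"


def lint_lucene_regexp(pattern: str) -> list[str]:
    """Flag constructs that Lucene's regexp parser treats differently from PCRE.
    Returns human-readable problems; an empty list means nothing suspicious."""
    problems = []
    if pattern.startswith("^") or (pattern.endswith("$") and not pattern.endswith("\\$")):
        problems.append("^/$ are not anchor operators in Lucene; the whole pattern is anchored implicitly")
    if "(?" in pattern:
        problems.append("(?...) group syntax (non-capturing, lookaround, inline flags) is not Lucene syntax")
    # Walk every [...] class and look at where a bare '-' sits.
    for m in re.finditer(r"\[(\^?)((?:\\.|[^\]\\])*)\]", pattern):
        negate, body = m.group(1), m.group(2)
        bare = re.sub(r"\\.", "x", body)  # hide escaped characters such as \-
        if bare.endswith("-") and len(bare) > 1:
            fixed = "[" + negate + "-" + body[:-1] + "]"
            problems.append(
                f"class {m.group(0)}: trailing '-' may be parsed as the start of a range; "
                f"put it first ({fixed}) or escape it as \\-"
            )
    return problems


def matches_locally(pattern: str, value: str) -> bool:
    """Full-string match with Python's re as a stand-in for Lucene's anchoring.
    Python accepts constructs Lucene does not, so run the lint first."""
    return re.fullmatch(pattern, value) is not None


def check_pattern(pattern: str, samples=SAMPLES) -> dict:
    """Lint the pattern and list sample values whose local result differs from expectation."""
    return {
        "lint": lint_lucene_regexp(pattern),
        "mismatches": [v for v, want in samples.items() if matches_locally(pattern, v) != want],
    }


def regexp_query(field: str, pattern: str) -> dict:
    """Build the Elasticsearch regexp query body. flags=NONE switches off the optional
    Lucene operators (~ & < > @ #) so they cannot change the meaning of a literal pattern."""
    return {"query": {"regexp": {field: {"value": pattern, "flags": "NONE"}}}}


if __name__ == "__main__":
    original = "([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})"
    for p in (original, MAC_LUCENE):
        print(p, check_pattern(p))
    print(json.dumps(regexp_query("winlog.event_data.TargetUserName.keyword", MAC_LUCENE), indent=2))
```

Running it shows the thread's situation in one line: the original pattern has no local mismatches (Python reads [:-] as two literals) but gets a lint finding for the trailing hyphen, while the [-:] form is clean on both counts and is the one to paste into the query.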
