Regular Expression doesn't work

haythem_Arfaoui · March 14, 2019, 2:42pm

Hello everyone,

I have a old regex query that doesn't work for me :

> C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-zA-Z0-9]{1,}\|C:\\Windows\\system32\\KERNELBASE\.dll\+[a-zA-Z0-9]{1,}\|UNKNOWN\([a-zA-Z0-9]{16}\)

and you can find in the picture below that i have after the name of the dll file a random characters so i need a regular expression to match the query

I have both Kibana and Elasticsearch version 6.6.1

HenningAndersen · March 28, 2019, 12:58pm

Hi @haythem_Arfaoui,

The regexp looks OK. I can think of two possible problems:

event_data.CallTrace is analyzed. If so, the regexp tries to match individual terms, not the full text.
The regexp will need JSON escaping to pass through JSON.

Following worked for me in kibana:

{ "query" : { "regexp" : { "windows.keyword" : "C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-zA-Z0-9]{1,}\\|C:\\\\Windows\\\\system32\\\\KERNELBASE\\.dll\\+[a-zA-Z0-9]{1,}\\|UNKNOWN\\([a-zA-Z0-9]{16}\\)" } } }

Notice that all backslashes are escaped an extra time due to JSON format.

Topic		Replies	Views
Windows path (backslash-rich) regexp not working Elasticsearch	1	577	November 22, 2017
Regexp with DSL query Elasticsearch	1	205	August 31, 2022
Using regular expression Elasticsearch	2	325	May 16, 2019
Regular expression won't work when next to character that's been escaped Elasticsearch	3	350	July 17, 2019
Regex not working for strings containing special characters Elasticsearch	3	5464	July 6, 2017

Regular Expression doesn't work

Related topics