Hello everyone,
I have a old regex query that doesn't work for me :
> C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-zA-Z0-9]{1,}\|C:\\Windows\\system32\\KERNELBASE\.dll\+[a-zA-Z0-9]{1,}\|UNKNOWN\([a-zA-Z0-9]{16}\)
and you can find in the picture below that i have after the name of the dll file a random characters so i need a regular expression to match the query
I have both Kibana and Elasticsearch version 6.6.1
Hi @haythem_Arfaoui ,
The regexp looks OK. I can think of two possible problems:
event_data.CallTrace is analyzed. If so, the regexp tries to match individual terms, not the full text.
The regexp will need JSON escaping to pass through JSON.
Following worked for me in kibana:
{ "query" : { "regexp" : { "windows.keyword" : "C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-zA-Z0-9]{1,}\\|C:\\\\Windows\\\\system32\\\\KERNELBASE\\.dll\\+[a-zA-Z0-9]{1,}\\|UNKNOWN\\([a-zA-Z0-9]{16}\\)" } } }
Notice that all backslashes are escaped an extra time due to JSON format.
system
(system)
Closed
April 25, 2019, 12:58pm
3
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.