Regular Expression doesn't work

haythem_Arfaoui · March 14, 2019, 2:42pm

Hello everyone,

I have a old regex query that doesn't work for me :

> C:\\Windows\\SYSTEM32\\ntdll\.dll\+[a-zA-Z0-9]{1,}\|C:\\Windows\\system32\\KERNELBASE\.dll\+[a-zA-Z0-9]{1,}\|UNKNOWN\([a-zA-Z0-9]{16}\)

and you can find in the picture below that i have after the name of the dll file a random characters so i need a regular expression to match the query

I have both Kibana and Elasticsearch version 6.6.1

HenningAndersen · March 28, 2019, 12:58pm

Hi @haythem_Arfaoui,

The regexp looks OK. I can think of two possible problems:

event_data.CallTrace is analyzed. If so, the regexp tries to match individual terms, not the full text.
The regexp will need JSON escaping to pass through JSON.

Following worked for me in kibana:

{ "query" : { "regexp" : { "windows.keyword" : "C:\\\\Windows\\\\SYSTEM32\\\\ntdll\\.dll\\+[a-zA-Z0-9]{1,}\\|C:\\\\Windows\\\\system32\\\\KERNELBASE\\.dll\\+[a-zA-Z0-9]{1,}\\|UNKNOWN\\([a-zA-Z0-9]{16}\\)" } } }

Notice that all backslashes are escaped an extra time due to JSON format.

system · April 25, 2019, 12:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.