Scripted fields - regex always return false

Jean-Christophe_Hege · August 25, 2017, 10:28am

I get some technical emails from many machines. In order to sort them out, if put a [hostname|ip] string either in "from" field, or in the subject.

While I'm trying to write a scripted field to extract them, regex (m.matches()) always return false (.* return false as well). I did enable the "script.painless.regex.enabled: true" option.

Anyone has an idea of what's going wrong ?

I'm using ES and Kibana 5.5.2.

Sample code:

def m = /(.*)/.matcher(doc['from.keyword'].value);
if (m.matches ()) {
return m.group(1)
} else {
return doc['from.keyword'].value
}

ppisljar · August 25, 2017, 11:12am

take a look at this blogpost where regex matching is described:

Jean-Christophe_Hege · August 25, 2017, 12:07pm

If you have a look on my example, this is exactly what I have done. But no success.

ppisljar · August 28, 2017, 9:48am

just tested this and it works as expected ....

some hints to find out the issue:

are you enabling painless regex in elasticsearch.yml ? (not the kibana.yml)
did you set scripted field type to string (default is integer)
do you have the right field ? what about from.raw ?

Jean-Christophe_Hege · August 28, 2017, 3:25pm

I did place "script.painless.regex.enabled: true" in /etc/elasticsearch/elasticsearch.yml (Debian), as documented.
The field "from" is discovered and set as "string".
Allthough "from.raw" does not exist (No field found for [from.raw]), and ES did ask to use "from.keyword" instead of "from"

Anyway "m.matches()" always return false.

system · September 25, 2017, 3:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.