Scripted fields - regex always return false

Elastic Stack Kibana
1

I get some technical emails from many machines. In order to sort them out, if put a [hostname|ip] string either in "from" field, or in the subject.

While I'm trying to write a scripted field to extract them, regex (m.matches()) always return false (.* return false as well). I did enable the "script.painless.regex.enabled: true" option.

Anyone has an idea of what's going wrong ?

I'm using ES and Kibana 5.5.2.

Sample code:

def m = /(.*)/.matcher(doc['from.keyword'].value);
if (m.matches ()) {
return m.group(1)
} else {
return doc['from.keyword'].value
}

2

take a look at this blogpost where regex matching is described:

3

If you have a look on my example, this is exactly what I have done. But no success.

4

just tested this and it works as expected ....

some hints to find out the issue:

  • are you enabling painless regex in elasticsearch.yml ? (not the kibana.yml)
  • did you set scripted field type to string (default is integer)
  • do you have the right field ? what about from.raw ?
5
  • I did place "script.painless.regex.enabled: true" in /etc/elasticsearch/elasticsearch.yml (Debian), as documented.
  • The field "from" is discovered and set as "string".
  • Allthough "from.raw" does not exist (No field found for [from.raw]), and ES did ask to use "from.keyword" instead of "from"

Anyway "m.matches()" always return false.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.