Using Regex in Query via Kibana

Richard_Raseley · April 3, 2014, 4:37pm

I am having some difficulty in accomplishing a task that should be pretty
straight-forward (based on my limited ES / Kibana knowledge) - using regex
as part of a query in Kibana.

Here (https://gist.github.com/richardraseley/e76716f07ed048f29c3e) is a
gist which contains (A) a sample record that I would like to match against
and (B) a sample query string that I think should match the value in the
'file' field (test of regex here: http://regex101.com/r/wE5zN5).

Can anyone provide feedback as to why I am not seeing the expected behavior
here?

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/b9a7a4f8-cf75-4246-a393-6ceb2aa52fc0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Richard_Raseley · April 3, 2014, 5:32pm

On Thursday, April 3, 2014 9:37:45 AM UTC-7, Richard Raseley wrote:

I am having some difficulty in accomplishing a task that should be pretty
straight-forward (based on my limited ES / Kibana knowledge) - using regex
as part of a query in Kibana.

Here (gist:e76716f07ed048f29c3e · GitHub) is a
gist which contains (A) a sample record that I would like to match against
and (B) a sample query string that I think should match the value in the
'file' field (test of regex here: regex101: build, test, and debug regex).

Can anyone provide feedback as to why I am not seeing the expected
behavior here?

One note - the regex does work as part of a filter, but I would like it as
part of the base query.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/ffd1f914-5220-4b6d-b83a-04e3a9134c8a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Binh_Ly_2 · April 3, 2014, 9:52pm

Untested, but what happens if you do:

file.raw:/<your_regex>/

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/262bc436-e25e-452a-9eb1-836fbe055f87%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Richard_Raseley · April 3, 2014, 11:36pm

On Thursday, April 3, 2014 2:52:21 PM UTC-7, Binh Ly wrote:

Untested, but what happens if you do:

file.raw:/<your_regex>/

It returns no results.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/99d68cba-bda7-40fd-86be-d1df0574382b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Bill_Paulson · June 6, 2014, 8:56pm

I think the '$' on the end of the regex may cause trouble. Lucene regular expressions are already anchored to start and end of the string.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/65007509-daf5-49b7-8cfd-148921bab52c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Richard_Raseley · June 9, 2014, 4:13pm

Bill,

Thank you for taking the time to reply to this old thread. I can confirm
that removing the explicit end-anchor causes the query to work! Thanks so
much!

Regards,

Richard

On Fri, Jun 6, 2014 at 1:56 PM, Bill Paulson wpaulsonb@gmail.com wrote:

I think the '$' on the end of the regex may cause trouble. Lucene regular
expressions are already anchored to start and end of the string.

--
You received this message because you are subscribed to a topic in the
Google Groups "elasticsearch" group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/elasticsearch/OoZv-zGGGpQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/65007509-daf5-49b7-8cfd-148921bab52c%40googlegroups.com
.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/CAO%3D6ox9R7KxugY4s8XuZ5A7WHBAF411UyQ_fr%3D2uja0WRUSLMw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.