E3L_1

Reputation: 1

Elasticsearch - behavior of regexp query against a non-analyzed field

What is the default behavior for a regexp query against a non-analyzed field? Also, is that the same answer when dealing with .raw fields?

After everything I've read, I understand the following:

  1. RegExp queries will work on analyzed and non-analyzed fields.
  2. A regexp query should work across the entire phrase rather than just matching on a single token in non-analyzed fields.

Here's the problem though. I can not actually get this to work. I've tried it across multiple fields.

The setup I'm working with is a stock ELK install and I'm dumping pfSense and Snort logs into it with a basic parser. I'm currently on Kibana 4.3 and ES 2.1.

I did a query to look at the mapping for one of the fields and it indicates it is not_analyzed, yet the regex does not work across the entire field.

"description": {
  "type": "string",
  "norms": {
    "enabled": false
  },
  "fields": {
    "raw": {
      "type": "string",
      "index": "not_analyzed",
      "ignore_above": 256
    }
  }
}

What am i missing here?

Upvotes: 0

Views: 1079

Answers (1)

fmyblack

Reputation: 83

  • If a field is non-analyzed, the field is only a single token.
  • It's the same answer when dealing with .raw fields, at least in my work.
  • You can use a Groovy script:

    // pattern and matchname come from the script params;
    // matches() requires the whole field value to match the pattern
    matcher = (doc['fields.raw'].value =~ /${pattern}/)
    if (matcher.matches()) {
        matcher.group(matchname)
    }

You can pass pattern and matchname in params.

What is the meaning of "tried it across multiple fields"? If your situation is more complex, maybe you could make a native Java plugin.

UPDATE

{
  "script_fields" : {
    "regexp_field" : {
      "script" : "matcher = (doc[fieldname].value =~ /${pattern}/ );if(matcher.matches()) {matcher.group(matchname)}",
      "params" : {
        "pattern" : "your pattern",
        "matchname" : "your match",
        "fieldname" : "fields.raw"
      }
    }
  }
}

Upvotes: 0
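As an added illustration (not code from the question or the answer, and not run against a real cluster), the following Python model shows the behaviour both posts are circling around: an analyzed field stores one term per token, a not_analyzed (.raw) field stores the whole value as a single term, and a Lucene regexp query must match an entire term, so a pattern that hits a token of the analyzed field fails on the .raw field unless it covers the whole value (`.*...*`). It also models the answer's script field, whose Groovy `matches()` likewise requires a whole-value match. The sample log line and the simplified tokenizer are constructed assumptions, and Python's `re` stands in for Lucene's narrower regexp syntax (Lucene has no named groups, for instance).

```python
import re

# Constructed sample value, modelled on the pfSense/Snort style logs the
# question describes; it is not data from the page.
SAMPLE_DESCRIPTION = "Snort alert: ET SCAN Potential SSH Scan from 203.0.113.7"


def standard_tokens(text):
    """Rough stand-in for the standard analyzer: lowercase, then keep runs of
    letters/digits (dotted runs such as IP addresses stay one token)."""
    return re.findall(r"[0-9a-z]+(?:\.[0-9a-z]+)*", text.lower())


def index_terms(text, analyzed):
    """Terms stored for the field: one per token when analyzed, the whole
    string as a single term for a not_analyzed (.raw) field."""
    return standard_tokens(text) if analyzed else [text]


def regexp_query_matches(terms, pattern):
    """Lucene's regexp query is anchored: the pattern must match a whole term.
    A document matches when any of its terms matches."""
    return any(re.fullmatch(pattern, term) for term in terms)


def script_field_group(text, pattern, matchname):
    """Model of the answer's script field: apply the pattern to the whole .raw
    value (Groovy matches() is whole-string) and return the named group,
    or None when the value does not match."""
    m = re.fullmatch(pattern, text)
    return m.group(matchname) if m else None


if __name__ == "__main__":
    analyzed = index_terms(SAMPLE_DESCRIPTION, analyzed=True)
    raw = index_terms(SAMPLE_DESCRIPTION, analyzed=False)
    print("analyzed terms:", analyzed)
    print("'scan' on analyzed field:", regexp_query_matches(analyzed, "scan"))
    print("'scan' on .raw field:", regexp_query_matches(raw, "scan"))
    print("'.*SSH Scan.*' on .raw field:", regexp_query_matches(raw, r".*SSH Scan.*"))
    print("script field group:",
          script_field_group(SAMPLE_DESCRIPTION, r".*from (?P<src>[0-9.]+)", "src"))
```

Two practical consequences follow from the model: a multi-token phrase such as `SSH Scan` can only be matched on the .raw field, and only with the pattern widened to cover the entire value, and because the .raw term is case-sensitive the pattern must match the original casing. A leading `.*` on a large not_analyzed field also has to be evaluated against every term, so on busy log indices such queries are noticeably more expensive than a term or match query.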
