Reputation: 184
I am trying to use regex in a search within the message of an Elasticsearch dataset. For some reason, I am not able to pass anything in the search bar that the engine doesn't yell at me for.
I am trying to select a triplet of XXX.XX digits of the form XXX.XX,XXX.XX,XXX.XX, and no matter what I try the engine keeps erroring on me.
Here is my query
message: /<000-999>/
which gives me the following error.
KQLSyntaxError: Expected AND, OR, end of input, whitespace but "<" found. message: "DWP_Magnet, Value: " AND message: /<000-999>/
I have read the documentation and my data definitely contains values that I am trying to specify, i.e.
Value: 311.23, 144.00, 155.01
Can anyone give me any insights? Is there a way to use Lucene regex to create the following expression?
/d{3}\.\d{2}
Upvotes: 9
Views: 42697
Reputation: 2826
You can simply wrap your regex in forward slashes like this:
message: /[0-9]{3}\.[0-9]{2}/
But I think you already knew this. Maybe it's just unclear about what regex you need--this is a very common circumstance with regex.
EDIT 1: Note that Elasticsearch uses Lucene and not the Perl Compatible Regular Expressions (PCRE) library, so I believe using 'd' is not possible to match a single digit.
EDIT 2: Useful link.
Upvotes: 5
Reputation: 217254
The Kibana search bar expects a KQL (Kibana Query Language) expression by default. That expression language doesn't yet support regular expressions.
You need to switch from KQL to the Lucene expression language which does support regular expressions by clicking on the KQL popup located at the end of the search bar.
Then you can use the regular expression, such as the one provided by @unigeek:
message: /[0-9]{3}\.[0-9]{2}/
Upvotes: 16
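An added example (not from either answer): the pattern above as a query_string request body, plus a small emulation of an anchored, per-term regexp, showing why the single-number pattern hits while a comma-separated triplet pattern does not. It assumes message is an analyzed text field; rough_tokens is a hypothetical stand-in for the analyzer, and the sample messages are constructed.

```python
import json
import re

# Constructed sample messages; the first carries the values quoted in the question.
SAMPLE_MESSAGES = [
    "DWP_Magnet, Value: 311.23, 144.00, 155.01",
    "DWP_Magnet, Value: 7.5, 12.00, 3.1",
    "DWP_Magnet, Value: 1311.234",
]

NUMBER = r"[0-9]{3}\.[0-9]{2}"              # pattern from the answers
TRIPLET = rf"{NUMBER}, {NUMBER}, {NUMBER}"  # what the question is really after


def lucene_query_body(field, pattern):
    """Request body carrying the same field:/pattern/ text typed in Lucene mode."""
    return {"query": {"query_string": {"query": f"{field}:/{pattern}/"}}}


def rough_tokens(text):
    """Assumption: approximate an analyzer by splitting on whitespace,
    trimming punctuation and lowercasing. Real analyzers differ in detail."""
    tokens = (t.strip(",:;").lower() for t in text.split())
    return [t for t in tokens if t]


def term_regexp_hits(messages, pattern):
    """Emulate a term-level regexp: a message hits only when one single
    token matches the whole pattern (anchored at both ends)."""
    rx = re.compile(pattern)
    return [m for m in messages if any(rx.fullmatch(t) for t in rough_tokens(m))]


def triplet_values(message):
    """Client-side check on the raw message text for the full triplet."""
    m = re.search(rf"\b({NUMBER}),\s*({NUMBER}),\s*({NUMBER})\b", message)
    return list(m.groups()) if m else None


if __name__ == "__main__":
    print(json.dumps(lucene_query_body("message", NUMBER)))
    print("single number:", term_regexp_hits(SAMPLE_MESSAGES, NUMBER))
    print("triplet as one term:", term_regexp_hits(SAMPLE_MESSAGES, TRIPLET))
    for msg in term_regexp_hits(SAMPLE_MESSAGES, NUMBER):
        print("verified triplet:", triplet_values(msg))
```

The third sample shows the anchoring: 1311.234 contains a substring of the right shape, but the token as a whole does not match, so the message is not a hit.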