Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Is it possible to use regular expression in filter ?

See original GitHub issue

hi all,

I try to using regular expression in my rule as below, it’s will alert when id is 1.1 and msg contain type.24:6

 filter:
 - and:
    - term:
         id: "1.1"
   - query:
        query_string:
            query: "msg:\"Type.[0-9]{1,2}\\:6\""

but it’s cannot alert ,Is it possible to use regular expression in filter ?

Thanks by advance

Issue Analytics

State:
Created 7 years ago
Comments:24 (11 by maintainers)

Top GitHub Comments

1reaction

alankiscommented, Nov 9, 2018

@abhishekjiitr What about using complex queries like this one below:

filter:
- query:
    query_string:
      query: "beat.hostname: some.hostname  AND system.process.name: java AND system.process.cmdline: /*java*/ AND system.process.cmdline: /*org\.apache\.spark\.deploy\.master\.Master*/"
      analyze_wildcard: true

I am getting the same error ‘found unknown escape character’.

Edit: Each of reserved characters should be escaped. So the last line should look like this:

filter: 
- query:
    query_string:
      query: "system.process.cmdline: /*org/.apache/.spark/.deploy/.master/.Master/*"
      analyze_wildcard: true

0reactions

Qmandocommented, May 14, 2019

Is field analyzed? If so, you’ll definitely need field.raw or field.keyword. I would have tried option # 1 so if that doesn’t work I can’t help you.