There are two ways to perform regex matching with Elasticsearch and both
require multi-fields
<http://www.elasticsearch.org/guide/en/elasticsearch/reference/0.90/mapping-multi-field-type.html>.

The first way is to create a not_analyzed subfield like on the link above
and query it like message.untouched:/this.*string/ (or whatever Kibana's
query language is). not_analyzed has the problem of emitting hugely long
tokens which Lucene can complain about. So you have to set ignore_above
and it won't work for long strings.

The other way isn't integrated into Kibana and may be slower for short strings
(I'm not sure), but it works for longer strings. The wikimedia-extra
<https://github.com/wikimedia/search-extra> plugin has a thing called
source_regex which does a two-pass regex search. The first pass does a
pile of term queries to try and filter down the index to candidate docs and
the second pass just loads the strings from source and runs the regex
against them.

I suspect the first one will work for you but I'm including the second for
posterity.

Nik

On Tue, Jan 6, 2015 at 3:50 AM, Amit <[email protected]> wrote:

> The default analyzer is standard. If I change it to keyword I can get
> regex working. But I want both to work simultaneously.
> For example, let's say I push this event to elasticsearch via logstash "this is
> my new string".
> In kibana search,
>  If I look for message:"string", it should return me "this is my new
> string"
>  If I look for message:"this.*string", it should return me "this is my new
> string"
>
> How should I configure my index? If I mark the field as "not_analyzed"
> search for "new string" will fail. I want fixed and regex to both work. Can I
> get a combination of keyword+standard analyzer to work?
>
> --
> You received this message because you are subscribed to the Google Groups
> "elasticsearch" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/elasticsearch/108e209b-64ce-40b8-81f0-cd67b8b0fd77%40googlegroups.com
> <https://groups.google.com/d/msgid/elasticsearch/108e209b-64ce-40b8-81f0-cd67b8b0fd77%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>
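As an added example (not code from the thread, from Elasticsearch or from Kibana): the multi-field mapping Nik describes, written in ES 1.x `fields` syntax (an assumption; the 0.90 docs he links use the older `multi_field` type), the two query bodies that correspond to Amit's searches, and a small in-memory model of how the two fields get indexed and searched. The model is a deliberate simplification of Lucene (word splitting, lowercasing, whole-term regexp matching) whose only purpose is to make the ignore_above caveat visible: a log line longer than the limit is still found by a fixed-text search on `message`, but silently disappears from regexp searches on `message.untouched`. The type name, the 256 limit and the sample lines are constructed.

```python
"""Multi-field mapping (analyzed + not_analyzed subfield) and a simplified
model of how Elasticsearch indexes and queries it. Added example; the
Lucene behaviour is approximated, not reproduced."""
import json
import re

IGNORE_ABOVE = 256  # assumed limit; longer values are not indexed into the subfield

# Mapping body you would PUT for the type (ES 1.x multi-field syntax, assumed).
MAPPING = {
    "logstash": {
        "properties": {
            "message": {
                "type": "string",
                "index": "analyzed",            # standard analyzer: message:"new string" works
                "fields": {
                    "untouched": {
                        "type": "string",
                        "index": "not_analyzed",     # whole value is one token: regexp works
                        "ignore_above": IGNORE_ABOVE,  # avoids huge tokens, but drops long values
                    }
                },
            }
        }
    }
}


def match_query(phrase):
    """Query body for the fixed-text search on the analyzed field."""
    return {"query": {"match_phrase": {"message": phrase}}}


def regexp_query(pattern):
    """Query body for the regex search on the not_analyzed subfield."""
    return {"query": {"regexp": {"message.untouched": pattern}}}


# --- simplified model of indexing and searching ---
def standard_tokens(text):
    """Rough stand-in for the standard analyzer: split on non-word chars, lowercase."""
    return [t.lower() for t in re.findall(r"\w+", text)]


def index_docs(messages, ignore_above=IGNORE_ABOVE):
    """Per-document view of what lands in each field. The untouched subfield
    is None when the value exceeds ignore_above, i.e. nothing is indexed."""
    return [
        {
            "message": standard_tokens(msg),
            "message.untouched": msg if len(msg) <= ignore_above else None,
            "_source": msg,
        }
        for msg in messages
    ]


def search_phrase(index, phrase):
    """match_phrase on the analyzed field: the phrase tokens must appear in order."""
    want = standard_tokens(phrase)
    n = len(want)
    return [
        doc["_source"] for doc in index
        if any(doc["message"][i:i + n] == want for i in range(len(doc["message"]) - n + 1))
    ]


def search_regexp(index, pattern):
    """regexp on the not_analyzed subfield. Lucene regexps are anchored to the
    whole term, so `this.*string` must match the entire stored value, and a
    document whose value was dropped by ignore_above can never match."""
    rx = re.compile(pattern)
    return [
        doc["_source"] for doc in index
        if doc["message.untouched"] is not None and rx.fullmatch(doc["message.untouched"])
    ]


# Constructed sample log lines; the second one is longer than IGNORE_ABOVE.
SAMPLE = [
    "this is my new string",
    "this is a long line " + "x" * 300 + " with my new string",
    "unrelated line",
]

if __name__ == "__main__":
    print(json.dumps(MAPPING, indent=2))
    idx = index_docs(SAMPLE)
    print(search_phrase(idx, "new string"))    # both lines containing the phrase
    print(search_regexp(idx, "this.*string"))  # only the short line: the long one was dropped
```

Two things the model makes concrete. First, Lucene regexps match the whole term, so `message.untouched:/string/` finds nothing and you need `/.*string/` (or `/this.*string/` as in the question). Second, ignore_above is a silent filter: if regex searches over `message` are part of how you hunt through logs, the lines that exceed the limit (stack traces, large request bodies) are exactly the ones that vanish from regex results while still appearing in fixed-text results, which is why Nik's second option, source_regex, is worth keeping in mind for long messages.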
