Discussion:
Regular expressions in Kibana
Robin Clarke
2014-03-06 08:41:21 UTC
Is it possible to query or filter using regular expressions via Kibana?

I have documents with a field "user_email_domain" and I want to search for
all entries matching the regexp /^example\..*/
i.e.
example.com <- match
www.example <- miss
example-domain.com <- miss
example.co.uk <- match

Any ideas how to submit a query or filter like this via Kibana?
Cheers!
-Robin-
--
Remember: if a new user has a bad time, it's a bug in logstash.
---
You received this message because you are subscribed to the Google Groups "logstash-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to logstash-users+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/***@public.gmane.org
For more options, visit https://groups.google.com/groups/opt_out.
h***@public.gmane.org
2014-03-06 14:42:48 UTC
Hi Robin,

I am using Kibana 3 milestone pre5. In this version (don't remember when
it became available), if you click on the colored dot in the query box, you
should see more options for the type of query, Lucene, TopN, and Regex,
along with some other options. Which version of Kibana are you running?
I've attached a screenshot of my view.

Anthony
Robin Clarke
2014-03-06 15:20:57 UTC
Hi Anthony,

That's odd... I'm on the latest commit (db53cf3) (after v3.0.0milestone5),
have cleared browser cache, and I still only see TopN and Lucene...
Is there a regression, or am I doing something wrong?
If/when I get that to work, that's an interesting feature for queries.
But... queries generally have an "OR" relationship, where filters have an
"AND" relationship, and if I want to have regexp against two fields and
only see the results matching both of them, how would I do that?

Cheers,
-Robin-
--
Best winds,
-Robin-
~:)
h***@public.gmane.org
2014-03-06 16:45:14 UTC
Looking at the help popup pertaining to the regex query in my version, it
states that it is used to allow you to use expressions to match terms in
the _all field. There was also this link provided:
http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl-regexp-query.html#regexp-syntax.

As a quick test, I was able to get an expression similar to the one you
provided with the query type set to Lucene. The pattern I used
was /test\.example\..*/. However, this was matching on the [message] field.
If I wanted to match on a specific field, I could also do
field:/test\.example\..*/ and got good results.

Matching on both field1 and field2 I could do something like
field1:/test\.example\..*/ && field2:/test\.example\..*/ but I'm not sure
if this is what you were looking for. I'm not sure if there is a way to
specify it like field1 && field2:/test\.example\..*/.

Anthony
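
Added example, not part of the original thread or of Kibana itself: the two-field AND condition discussed above, built both as an Elasticsearch bool/must body of regexp clauses and as the equivalent Lucene query string, with a local check of the four sample domains from the first post. The second field name (mail_from_domain) is hypothetical, and Python's re.fullmatch is used only as an approximation of Lucene's regexp matching, which is implicitly anchored at both ends.

```python
import json
import re

# Constructed sample values: the four cases listed in the original question.
SAMPLES = ["example.com", "www.example", "example-domain.com", "example.co.uk"]


def regexp_clause(field, pattern):
    """Build one Elasticsearch regexp clause for a single field.

    Lucene regexps always have to match the whole indexed term and do not
    support ^ / $ as anchors, so a pattern written with them would silently
    match nothing. Reject it instead of sending it.
    """
    if pattern.startswith("^") or (pattern.endswith("$") and not pattern.endswith("\\$")):
        raise ValueError("Lucene regexps are already anchored; drop ^ and $")
    return {"regexp": {field: pattern}}


def all_fields_match(patterns_by_field):
    """bool/must body: a document is returned only if every clause matches."""
    clauses = [regexp_clause(f, p) for f, p in sorted(patterns_by_field.items())]
    return {"query": {"bool": {"must": clauses}}}


def lucene_query_string(patterns_by_field):
    """The same AND condition in the field:/regex/ form used in the thread."""
    for field, pattern in patterns_by_field.items():
        regexp_clause(field, pattern)  # reuse the anchor check
    return " AND ".join(
        "%s:/%s/" % (f, p) for f, p in sorted(patterns_by_field.items())
    )


def anchored_match(pattern, value):
    """Approximate Lucene's whole-term matching with Python's re.fullmatch."""
    return re.fullmatch(pattern, value) is not None


if __name__ == "__main__":
    # mail_from_domain is a hypothetical second field for illustration.
    wanted = {"user_email_domain": r"example\..*", "mail_from_domain": r"example\..*"}
    print(lucene_query_string(wanted))
    print(json.dumps(all_fields_match(wanted), indent=2))
    for sample in SAMPLES:
        print(sample, "match" if anchored_match(r"example\..*", sample) else "miss")
```

The regexp is applied to indexed terms, so on an analyzed field it is tested against each token rather than the whole original value.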