I'm trying to regex search an Elasticsearch database.

My query so far (it's not working):

#!/usr/bin/env bash

curl -XGET 'http://localhost:9200/logstash-2015.10.27/_search' -d \
'{
   query: {
     "regexp": {
       "@timestamp": {
          value: ".*"
        }
     }
  }
}' | python -m json.tool

and the results I'm getting are

{
    "error": "SearchPhaseExecutionException[Failed to execute phase [query], all shards failed; shardFailures {[DqJwlMoTQ3e8nyl4m7amGw][logstash-2015.10.27][0]: SearchParseException[[logstash-2015.10.27][0]: from[-1],size[-1]: Parse Failure [Failed to parse source [{\n   query: {\n     \"regexp\": {\n       \"@timestamp\": {\n          value: \".*\"\n        }\n     }\n  }\n}]]]; nested: IllegalArgumentException[Invalid format: \".*\"]; }{[DqJwlMoTQ3e8nyl4m7amGw][logstash-2015.10.27][1]: SearchParseException[[logstash-2015.10.27][1]: from[-1],size[-1]: Parse Failure [Failed to parse source [{\n   query: {\n     \"regexp\": {\n       \"@timestamp\": {\n          value: \".*\"\n        }\n     }\n  }\n}]]]; nested: IllegalArgumentException[Invalid format: \".*\"]; }{[DqJwlMoTQ3e8nyl4m7amGw][logstash-2015.10.27][2]: SearchParseException[[logstash-2015.10.27][2]: from[-1],size[-1]: Parse Failure [Failed to parse source [{\n   query: {\n     \"regexp\": {\n       \"@timestamp\": {\n          value: \".*\"\n        }\n     }\n  }\n}]]]; nested: IllegalArgumentException[Invalid format: \".*\"]; }{[DqJwlMoTQ3e8nyl4m7amGw][logstash-2015.10.27][3]: SearchParseException[[logstash-2015.10.27][3]: from[-1],size[-1]: Parse Failure [Failed to parse source [{\n   query: {\n     \"regexp\": {\n       \"@timestamp\": {\n          value: \".*\"\n        }\n     }\n  }\n}]]]; nested: IllegalArgumentException[Invalid format: \".*\"]; }{[DqJwlMoTQ3e8nyl4m7amGw][logstash-2015.10.27][4]: SearchParseException[[logstash-2015.10.27][4]: from[-1],size[-1]: Parse Failure [Failed to parse source [{\n   query: {\n     \"regexp\": {\n       \"@timestamp\": {\n          value: \".*\"\n        }\n     }\n  }\n}]]]; nested: IllegalArgumentException[Invalid format: \".*\"]; }]",
    "status": 400
}

The event that I'm trying to find is this

{
    "_index": "logstash-2015.10.27",
    "_type": "logs",
    "_id": "AVCml4MI2xxzjEtiGou0",
    "_version": 1,
    "_score": null,
    "_source": {
        "host": "server",
        "@timestamp": "2015-10-27T00:00:00.142Z",
        "type_instance": "free",
        "plugin": "exec",
        "plugin_instance": "available_memory",
        "collectd_type": "gauge",
        "value": 855,
        "@version": "1"
    },
    "sort": [
        1445904000142
    ]
}

I've googled things but without any luck.

======== update ==========

I managed to query my Elasticsearch with this

#!/usr/bin/env bash

# "must" is given as a list: two "must" keys in the same JSON object are not
# valid JSON and only one of the two clauses survives parsing.
# The Content-Type header is optional on ES 1.x/2.x but required from ES 6 on.
curl -XPOST 'http://localhost:9200/logstash-2015.10.27/_search' \
  -H 'Content-Type: application/json' -d '
{
    "query": {
        "bool": {
            "must": [
                { "range" : { "@timestamp" : { "gte" : "2015-10-27T00:00:01", "lte" : "2015-10-27T00:00:59" } } },
                { "regexp" : { "host": "d027.*" } }
            ]
        }
    }
}'
  • You need to wrap `query` and `value` in double quotes: ES strictly wants JSON. Commented Oct 28, 2015 at 22:18

1 Answer

regexp works for string fields. The date fields are actually numbers in Elasticsearch.

For date searching I recommend the range filter: https://www.elastic.co/guide/en/elasticsearch/guide/current/_ranges.html#_ranges_on_dates
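As an added example (my own code, not the questioner's or the answerer's), here is a small Python script that builds the bool query from the question's update the way Elasticsearch expects it (quoted keys, `must` as a list) and evaluates it locally against the event quoted in the question, refusing a `regexp` on the date field as the answer explains. `SAMPLE_EVENT` is constructed from the page, `DATE_FIELDS` is an assumption about the index mapping, and the local evaluator only handles `range` and `regexp` clauses.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: the _source of the event quoted in the question.
SAMPLE_EVENT = {
    "host": "server",
    "@timestamp": "2015-10-27T00:00:00.142Z",
}
# Assumed mapping: fields of type `date` are stored as numbers, so regexp cannot apply.
DATE_FIELDS = {"@timestamp"}


def build_query_body(host_regex, gte, lte):
    """Bool query from the question's update, with `must` as a list: two
    "must" keys in one JSON object collapse to one and a clause is lost."""
    return {"query": {"bool": {"must": [
        {"range": {"@timestamp": {"gte": gte, "lte": lte}}},
        {"regexp": {"host": host_regex}},
    ]}}}


def build_query(host_regex, gte, lte):
    """json.dumps guarantees quoted keys; the bare `query:` and `value:`
    in the original curl body are what Elasticsearch rejected."""
    return json.dumps(build_query_body(host_regex, gte, lte))


def _parse_ts(text):
    """Parse an ISO-8601 timestamp; values without a zone are taken as UTC."""
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def matches(query_json, doc):
    """Evaluate a bool/must query of range and regexp clauses against one
    document: regexp is anchored (whole value must match) and is refused
    on date fields, mirroring the "Invalid format" parse failure."""
    for clause in json.loads(query_json)["query"]["bool"]["must"]:
        (kind, spec), = clause.items()
        (field, cond), = spec.items()
        if kind == "regexp":
            if field in DATE_FIELDS:
                raise ValueError(f"regexp on date field {field}: Invalid format")
            if not re.fullmatch(cond, str(doc.get(field, ""))):
                return False
        elif kind == "range":
            ts = _parse_ts(doc[field])
            if not _parse_ts(cond["gte"]) <= ts <= _parse_ts(cond["lte"]):
                return False
    return True
```

Note that with the question's own bounds (`gte` of 00:00:01) the sample event at 00:00:00.142Z falls outside the range and is not matched.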
