Search | Query Syntax | Regular expressions

The regex syntax this field accepts is the Elasticsearch regular expression syntax.

The main peculiarities of the Elasticsearch DSL query syntax are:

• Anchors – ^ and $ – are implied at the beginning and at the end of the regex.

  Do not include them in the regex pattern input.

• If you insert explicit anchor characters in the value input field, they are interpreted as literal values.

• Escape special characters:

  ( . ? + | { } [ ] ( ) " \ / )
  

  To escape a special character, prepend a backslash \ to it.

  Example: \{ \}

  Note

  At the moment, Elasticsearch regular expression syntax optional operators are not supported.

  Note

  Although the regex syntax used in the UI of the Intelligence Center is that of ElasticSearch, the regex syntax used by EclecticIQ Intelligence Center’s ingestion engine is Python regex. In the vast majority of cases this does not lead to conflicts, but if your discovery rule is not working the way you want it to, this may be the reason.

  Here are two differences that commonly cause problems:

  • ElasticSearch searches for whole strings, while Python searches everywhere in a string. For example,

    • Input: Cert-BUND

    • Pattern: ert

    • ES result:

    • Python: will match

  • ElasticSearch regex syntax requires you to leave out anchors, whereas Python regex syntax requires you to include them.

  If you are experiencing problems in this area, contact Customer Support for help in writing the discovery rule you want.