Elasticsearch7 query match_phrase with IP or Number does not work

Question

I am trying to parse an error message in ES7. The message contains IPs and Numbers. I tried with regex and with simple search inserting the first part of the IP. Both are not working.

This my simple match_phrase query. The query works fine until "IP", but, as soon as I extend the query to the first number in IP I get 0 matches:

"match_phrase": {
            "mylog.messages": {"query": "The device with IP 127."}}

My regex query gives me a 400 error:

"regexp": {"mylog.messages": {"value":"The device with IP /[0-9]{1-3}\.[0-9]{1-3}\.[0-9]{1-3}\.[0-9]{1-3}/"}}

Any advice on how to match IPs in error messages are welcome. Thanks

score 0 · Answer 1 · answered Oct 28 '22 at 10:54

0

Ip address will not work with match pharse. You will need custom analyzer to make it work with match pharse

I have corrected your regex. You can get more info on supported regex syntax from here

{
  "query": {
    "regexp": {
      "messages.keyword": {
        "value": "The device with IP [0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}"
      }
    }
  }
}

answered Oct 28 '22 at 10:54

jaspreet chahal

8,817
2
11
29

Thanks for correcting the regex...but I am still getting 0 match :( – Furin Oct 28 '22 at 11:30
@Furin you are searching on keyword field? – jaspreet chahal Oct 28 '22 at 11:39
I tried both with and without, I get the same results: 0 :( – Furin Oct 28 '22 at 11:45
@Furin can you add sample document – jaspreet chahal Oct 28 '22 at 11:49
Unfortunately I can't – Furin Oct 28 '22 at 11:56
@Furin can you add sample ip value . I think ip regex is incorrect – jaspreet chahal Oct 28 '22 at 12:41
This is how the IP presents itself: "Some error message (70.70.0.70 , portnr)" – Furin Oct 28 '22 at 13:00
Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/249139/discussion-between-jaspreet-chahal-and-furin). – jaspreet chahal Oct 28 '22 at 13:15

Elasticsearch7 query match_phrase with IP or Number does not work

1 Answers1