How to use regexp and wildcard in query

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.11

Describe the issue:
I want to search/filter log entries from an index with regexp or wildcard.
But I didn’t get it to run…

I’ll try this in the devtools:

GET _search
{
  "query": {
    "regexp": {
      "Message": "ZPA"
    }
  }
}

and get back this (and it doesn’t matter how I use the regex pattern, it doesn’t work):

{
  "took": 3,
  "timed_out": false,
  "_shards": {
    "total": 15,
    "successful": 15,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 0,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  }
}

The only pattern that works is “.*”; then I get back this:

{
  "took": 15,
  "timed_out": false,
  "_shards": {
    "total": 15,
    "successful": 15,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 10000,
      "relation": "gte"
    },
    "max_score": 1,
    "hits": [
      {
        "_index":…

I’ve already set

"search.allow_expensive_queries": true

And I also don’t get it to run with PPL parse or eval …

Thanks a lot for any hints … :slight_smile:

Hi @Juergen

Please try to add the name of your index before “_search” as in the query below:

GET your_index_name/_search
{
  "query": {
    "regexp": {
      "Message": "ZPA"
    }
  }
}

Hello @Eugene7 ,

thanks for your reply.
I guess, I’m in the correct index, because if I use the regex “.*” I get hits.
But not if I change the regex to something else …

Update:

I changed the GET from

GET /_search

to

GET /myIndexName/_search

But it made no difference.

Could you share the content of the Message value that you are trying to match with regexp?

So, I got it :slight_smile: My fault :frowning:

  • regexp works as a term-level search
  • so the query isn’t analyzed
  • I tried to use it to search a text field.
  • The text field is analyzed. This means all letters are converted to lower case

Conclusion: that’s not a good way to search.

Better is to use this search:

GET _search
{
  "query": {
    "regexp": {
      "Message.keyword": ".*ZPA.*"
    }
  }
}

Because keywords are also not analyzed :slight_smile:
So they are also case-sensitive …

Sorry for disturbing you …

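The behaviour worked out in this thread, as an added example that is not part of any post: a small Python model (not OpenSearch code) of how a term-level regexp is matched against an analyzed text field and against its .keyword sub-field. The analyzer is simplified to word splitting plus lowercasing, Python's regex syntax stands in for Lucene's, and the sample messages and function names are constructed.

```python
import re

def standard_analyze(text):
    """Simplified stand-in (assumption) for the default analyzer on a text
    field: split on non-word characters and lowercase every token."""
    return [t.lower() for t in re.findall(r"\w+", text)]

def index_terms(value):
    """Terms stored for the text field and for its .keyword sub-field."""
    return {"Message": standard_analyze(value), "Message.keyword": [value]}

def regexp_hits(docs, field, pattern):
    """Term-level regexp: the pattern is not analyzed and has to match a
    whole indexed term (fullmatch), not a substring of the original text."""
    rx = re.compile(pattern)
    return [i for i, doc in enumerate(docs)
            if any(rx.fullmatch(term) for term in index_terms(doc)[field])]

# Constructed sample log messages (not taken from the thread).
DOCS = [
    "ZPA connector enrolled for tenant 42",
    "User login failed from 10.0.0.5",
    "Policy sync with zpa broker finished",
]

def demo():
    return {
        "text 'ZPA'": regexp_hits(DOCS, "Message", "ZPA"),
        "text '.*'": regexp_hits(DOCS, "Message", ".*"),
        "text 'zpa'": regexp_hits(DOCS, "Message", "zpa"),
        "keyword 'ZPA'": regexp_hits(DOCS, "Message.keyword", "ZPA"),
        "keyword '.*ZPA.*'": regexp_hits(DOCS, "Message.keyword", ".*ZPA.*"),
    }

if __name__ == "__main__":
    for query, hits in demo().items():
        print(f"{query:20} -> docs {hits}")
```

On the text field only a lowercase pattern finds anything, and it finds both spellings; on the keyword field the pattern has to cover the whole value and stays case-sensitive, so the lowercase "zpa" message is missed.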