Elasticsearch Script Regex is Enabled in Painless Scripts


Opster Team

March 2021



Regex (short for regular expression) is a technique for searching with a sequence of characters that defines a search pattern. For example, gray|grey matches both gray and grey. Regex must be used with care in Painless scripts, since some expressions can be extremely slow and require a great deal of resources to run. For this reason, regex is disabled by default in Painless scripts.

If you decide to enable regex, remember the following best practices: expressions should use anchors (^ or $) to mark the beginning or end of the text string wherever possible, and should never have a leading wildcard (*) (or just 1 character followed by a wildcard), since this implies searching through all of the terms in the set. In general, you should also be as specific as possible about which characters can match and how many.

For a full article on how to write good regex, please see: Regexes: the Bad, the Better, and the Best

How to resolve it

By default, regex is disabled in Elasticsearch, so if it has been enabled on your cluster, there may be a reason for that. Bear in mind that the use of regex, if properly implemented, is perfectly legitimate. Check the scripts that are in use in your application to determine whether regex is being used. You can search for the Painless regex operator “=~”.
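One way to run that check over a set of scripts, as an added example that is not from the original guide or from any Elasticsearch tooling: it looks for the "=~" operator named above and, going beyond the text, the "==~" match operator, then applies the anchor and leading-wildcard advice to any /regex/ literal that follows. It assumes the script sources have already been exported into a dict keyed by script id; the sample scripts and the names SAMPLE_SCRIPTS, check_pattern and audit_scripts are constructed for illustration, and the checks are heuristics.

```python
import re

# Painless find (=~) and match (==~) operators, with the /regex/ literal if one follows.
OPERATOR = re.compile(r"(==~|=~)\s*(?:/((?:\\.|[^/\\\n])+)/)?")

# Constructed sample: script id -> Painless source (hypothetical ids and fields).
SAMPLE_SCRIPTS = {
    "tag_color": "doc['color.keyword'].value =~ /^(gray|grey)$/",
    "find_error": "ctx.message =~ /.*error/",
    "short_prefix": "ctx.host ==~ /a.*/",
    "via_variable": "Pattern p = /error/; return ctx.message =~ p;",
    "no_regex": "doc['price'].value * params.rate",
}

def check_pattern(pattern):
    """Apply the best practices from the text to one regex pattern."""
    issues = []
    if not (pattern.startswith("^") or pattern.endswith("$")):
        issues.append("no anchor")
    body = pattern.lstrip("^")
    if re.match(r"\.[*+]", body):
        issues.append("leading wildcard")
    elif re.match(r"(?:\\.|[^\\.\[(])\.[*+]", body):
        issues.append("one character then wildcard")
    return issues

def audit_scripts(scripts):
    """Return (script_id, operator, pattern, issues) for every regex use found."""
    findings = []
    for script_id, source in sorted(scripts.items()):
        for m in OPERATOR.finditer(source):
            op, pattern = m.group(1), m.group(2)
            if pattern is None:
                # Right-hand side is a variable or expression, not a literal.
                issues = ["pattern is not a literal, review by hand"]
            else:
                issues = check_pattern(pattern)
            findings.append((script_id, op, pattern, issues))
    return findings

if __name__ == "__main__":
    for script_id, op, pattern, issues in audit_scripts(SAMPLE_SCRIPTS):
        print(script_id, op, pattern, issues or "ok")
```

A script with no findings does not use either operator; a finding with an empty issue list uses regex but passes both heuristics.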

To prevent regex scripts from being used altogether, you can restore the default setting on all of your nodes in elasticsearch.yml (it cannot be updated dynamically):

script.painless.regex.enabled: false
