Hi, still pretty new to Kibana and getting to know it. Running Elastic 6.5.4.
I have auditbeat watching a directory and sending information across and all appears to be working OK.
We want to capture everything, but then create filters to remove 'noise'.
I'm guessing that there is a better way of writing filters than just on the discover such as Dev Tools and I'd love to try it, but cannot yet quite see how to go from Discover to that panel with my current (working!) single line search.
I'd like to also ensure that it is written efficiently to keep processing to a minimum.
One of the hiccups is that the queries do not seem to be able to handle paths as everything I need to filter out is path based. So my current filter is......
(process.cwd:((\/PTC\/ AND \/code\/) NOT \/scan\/) OR auditd.data.name:((\/PTC\/ AND \/code\/) NOT \/scan\/) OR auditd.paths.name:((\/PTC\/ AND \/code\/) NOT \/scan\/) OR auditd.messages:((\/PTC\/ AND \/code\/) NOT \/scan\/) OR file.path:((\/PTC\/ AND \/code\/) NOT \/scan\/) OR auditd.summary.object.primary:((\/PTC\/ AND \/code\/) NOT \/scan\/)) NOT process.exe:(\/home\/ AND \/AST_Home\/) NOT process.title:((\/-Dcsar.home\/) OR (\/usr\/local\/bin\/wicked-cli) OR (\/scan_tools\/)) NOT process.exe:(\/7z\/)
This is not the easiest thing to write or read or whatever, hence why I'd like to convert it through the Dev Tool.
Will give it a go when I get a chance, just wanted to see if anyone was bored and be able to give me a head start!
Thanks in advance. N
