Currently on Elastic Stack 6.3.0. We (for now) use rsyslog as a central log collection and that server sends it in json format to Elastic Stack. All that is working good except I'm trying to filter out system login(s) by saying not to show UserName if it has a $ at the end of it such as DOMAIN\MYLAPTOP$.
I've tried doing
UserName:*$* and setting it to exclude but it still shows it up. If I drop it in the logstash configuration file it drops fine. Any ideas?