I am trying to determine if this is a bug before opening an Issue.
I am trying to create a query to return results when a field does not have any data.
These work and return results (but not what I'm looking for):
```
event.category:process and process.name:"rundll32.exe"
event.category:process and process.name:"rundll32.exe" and process.args:*
event.category:process and process.name:"rundll32.exe" and process.args_count>1
process.name:"rundll32.exe" and not process.args:*
```
I want to query when a process with a process name of rundll32.exe doesn't have any process arguments.
I've tried the following to only return processes but get an error each time:
```
event.category:process and process.name:"rundll32.exe" and not process.args:*
event.category:process and process.name:"rundll32.exe" and process.args_count<1
```
The error I get is:
```
Expected end of input but "n" found.
process.name:"rundll32.exe" not process.args:*
----------------------------^
```
I have even tried to use a filter (process.args with a "does not exist" operator), with the same error.
This only appears to occur with the logs-* index pattern. The winlogbeat-* index pattern returns the expected results.
| Kibana Version | Platform | Data Source | Data Source Version |
|---|---|---|---|
| 7.14.0 | Elastic Cloud | Winlogbeat & Elastic Agent (w/ Windows integration) | 7.14.0 |
logs-* (results, but not filtered to process):
```
process.name:"rundll32.exe" and not process.args:*
```
logs-* (error, trying to only return processes):
```
event.category:process and process.name:"rundll32.exe" and not process.args:*
```
winlogbeat-* (expected results, same query as the Elastic Agent error):
```
event.category:process and process.name:"rundll32.exe" and not process.args:*
```