I am trying to create a saved search that excludes certain root domains in DNS queries. For example, if I don't want to see any hits on any of Google's subdomains, I create a query like NOT query: "*.google.com." However, I can still see subdomains when this query is applied.
I have tried to edit the DSL myself in a few ways, but even if I create a query with the "Edit Filter" tool, and then go into the DSL and just add a "*." to the beginning of the "query:" option, Kibana tells me there is an error (several errors). I did some research on DSL and tried to write a query from scratch like the below, and it blew up in the same fashion:
A leading wildcard query is one of the most inefficient, if not THE most inefficient, queries you can write in Elasticsearch, so it is likely to scale and perform badly. I would instead recommend extracting and storing the domain in a separate field at index time and filtering on this instead, as this will be MUCH more efficient.
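To make the trade-off concrete, here is an added example (not code from the thread or from Elastic) that builds both query shapes and runs them against a few constructed DNS log records in memory. It assumes the field is named `query`, as in the question, and that the index-time step writes the extracted root domain to a hypothetical keyword field called `query_root`. The extraction is a deliberately naive "last two labels" rule; a real pipeline should use the Public Suffix List, since otherwise `bbc.co.uk` would collapse to `co.uk`.

```python
import fnmatch
import json

# Constructed sample DNS query log records (not taken from the original thread).
# "query" mirrors the field name used in the question; the values are FQDNs
# with the trailing dot that most DNS loggers emit.
SAMPLE_DOCS = [
    {"query": "mail.google.com."},
    {"query": "google.com."},
    {"query": "www.example.org."},
    {"query": "cdn.assets.example.org."},
    {"query": "notgoogle.com."},
    {"query": "localhost."},
]


def registered_domain(name: str) -> str:
    """Naive index-time extraction: keep the last two labels of the name.

    Assumption: every public suffix is a single label. Production pipelines
    should consult the Public Suffix List instead, because multi-label
    suffixes such as co.uk break this rule.
    """
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return ".".join(labels[-2:])


def enrich(doc: dict) -> dict:
    """Simulate the index-time step: add the hypothetical 'query_root' field."""
    out = dict(doc)
    out["query_root"] = registered_domain(doc["query"])
    return out


def wildcard_exclusion_query(pattern: str) -> dict:
    """Query shape from the question: bool/must_not around a leading-wildcard
    query. Correct, but the leading '*' forces a scan of every term in the field."""
    return {"query": {"bool": {"must_not": [
        {"wildcard": {"query": {"value": pattern}}}
    ]}}}


def root_exclusion_query(roots: list) -> dict:
    """Recommended shape: an exact terms lookup on the pre-extracted field."""
    return {"query": {"bool": {"must_not": [
        {"terms": {"query_root": list(roots)}}
    ]}}}


def apply_wildcard_exclusion(docs, pattern: str) -> list:
    """Local stand-in for the wildcard must_not: drop docs whose 'query' matches.
    fnmatch uses the same '*' semantics as the Elasticsearch wildcard query."""
    return [d["query"] for d in docs if not fnmatch.fnmatchcase(d["query"], pattern)]


def apply_root_exclusion(docs, roots) -> list:
    """Local stand-in for the terms must_not on the enriched 'query_root' field."""
    excluded = set(roots)
    return [d["query"] for d in docs if d["query_root"] not in excluded]


if __name__ == "__main__":
    enriched = [enrich(d) for d in SAMPLE_DOCS]
    print(json.dumps(wildcard_exclusion_query("*.google.com."), indent=2))
    print(apply_wildcard_exclusion(SAMPLE_DOCS, "*.google.com."))
    print(json.dumps(root_exclusion_query(["google.com"]), indent=2))
    print(apply_root_exclusion(enriched, ["google.com"]))
```

Running the two filters over the same records also surfaces a semantic difference worth knowing before switching: the pattern `*.google.com.` requires a literal dot before `google.com`, so it excludes the subdomains but keeps the apex `google.com.` (and correctly keeps `notgoogle.com.`), whereas the root-domain filter excludes apex and subdomains together.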