I am trying to create a saved search that excludes certain root domains in DNS queries. For example, if I don't want to see any hits on any of Google's subdomains, I create a query like NOT query: "*.google.com." However, I can still see subdomains when this query is applied.
I have tried to edit the DSL myself in a few ways, but even if I create a query with the "Edit Filter" tool, and then go into the DSL and just add a "*." to the beginning of the "query:" option, Kibana tells me there is an error (several errors). I did some research on DSL and tried to write a query from scratch like the below, and it blew up in the same fashion:
{
  "query": {
    "bool": {
      "must_not": {
        "query_string": {
          "default_field": "query",
          "query": "*.google.com",
          "analyze_wildcard": true
        }
      }
    }
  }
}
The user in the following URL had a similar issue, but doesn't appear to have been able to resolve it.
I am running 6.7.2 at the moment. Does anyone see an obvious flaw in what I'm doing?
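As an added illustration (not part of the question above, and not Elastic's own code), the snippet below builds the shape of exclusion query Elasticsearch expects for "drop every document whose DNS name matches this wildcard" and runs the same matching rules locally over a handful of constructed DNS records. It assumes the DNS name lives in a keyword field called `query` (as in the question), so the wildcard is compared against the whole stored value; the sample records and the function names are invented for the example. The local run shows the edge cases a practitioner would want to check before trusting the saved search: `*.google.com` matches `www.google.com` but not the apex `google.com`, not a look-alike such as `evilgoogle.com`, and not the FQDN form `mail.google.com.` with its trailing dot unless a second pattern covers it.

```python
import json
import re

# Constructed sample DNS records for the example; not data from the original post.
SAMPLE_DOCS = [
    {"query": "www.google.com"},
    {"query": "mail.google.com."},   # FQDN form with a trailing dot
    {"query": "google.com"},         # apex domain: "*.google.com" does not match it
    {"query": "evilgoogle.com"},     # look-alike: must not be excluded
    {"query": "example.org"},
]


def exclusion_query(field, patterns):
    """Build the Elasticsearch request body that drops documents whose `field`
    matches any of the given wildcard patterns.

    Assumes `field` is a keyword (not analyzed text) field, so the wildcard is
    evaluated against the whole stored value. Several clauses under must_not
    behave as OR: a document is excluded if any one of them matches.
    """
    return {
        "query": {
            "bool": {
                "must_not": [
                    {"wildcard": {field: {"value": p}}} for p in patterns
                ]
            }
        }
    }


def wildcard_to_regex(pattern):
    """Translate Lucene wildcard syntax into an anchored regular expression.

    '*' matches any run of characters (including none), '?' exactly one
    character, and everything else is literal. Anchoring at both ends mirrors
    a keyword-field wildcard query, which must match the entire value.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def apply_locally(docs, field, patterns):
    """Reference implementation of the same semantics over in-memory documents.

    Returns the field values that survive the exclusion, i.e. those that no
    pattern matches in full. Useful for checking a pattern before saving it.
    """
    regexes = [wildcard_to_regex(p) for p in patterns]
    kept = []
    for doc in docs:
        value = doc.get(field, "")
        if not any(r.match(value) for r in regexes):
            kept.append(value)
    return kept


if __name__ == "__main__":
    patterns = ["*.google.com", "*.google.com."]
    print(json.dumps(exclusion_query("query", patterns), indent=2))
    print(apply_locally(SAMPLE_DOCS, "query", patterns))
```

If the `query` field is mapped as analyzed text rather than keyword, the wildcard is run against the analyzed tokens instead of the full name, so check the index mapping (or use a `.keyword` subfield) before relying on this pattern.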