Filter for a minus value in kibana

Elastic Stack Kibana
1

I try to filter for a "-" in winlog.event_data.SidHistory field (logs from winlogbeat). I have 7.2 ELK Stack.
Filtering with filters from graphical interface simply doesn't work

00
Снимок экрана 2019-09-30 в 16.38.00.png751×632 58.6 KB

I try to escape - with \ and it seems, that it works:
NOT winlog.event_data.SidHistory:"-"
30
Снимок экрана 2019-09-30 в 16.41.30.png910×210 20.9 KB

But if i add something to query - it doesn't work again:
winlog.event_id:"4738" AND NOT winlog.event_data.SidHistory:"-"
19
Снимок экрана 2019-09-30 в 16.42.19.png751×596 59 KB

So, why??)

2

Kibana will show "-" for empty or null. If you get a chance to expand the table and click on the JSON tab, can you check what the raw value for the field is? We may be able to use the "is empty" filter.

3

I check the answer in JSON (Inspect->Response) and it is "-" value.
03
By the way, i use all possible filters and it still doesn't work. Also i use (Zoom out) icon - so i think it must exclude SidHistory, whatever value it has..

37
Снимок экрана 2019-10-01 в 11.11.37.png858×657 54 KB

4

Hello, @jbudz
Do you have any comments?

5

@elastic, do you have any solution?

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.