Hello, I need help with a regexp query. I am trying to filter OUT computers from the winlogbeat event_data.TargetUserName field. I believe this is an Elasticsearch query syntax problem, not a Kibana or Winlogbeat problem, which is why I posted here; feel free to move me if more appropriate.
My query is trying to filter anything that ends in a $ (dollar) sign. I have tried.
In normal regex syntax the $ is escaped; however, the docs (which I have read) nowhere say that the $ needs escaping. They do talk about a list of other characters, but not the $.
Anyway, yes, I have tried escaping.
The filter above is my full filter example. I am not sure what else to show you?
I actually forgot the most important thing. Have you changed your mapping to not drop characters like a dollar sign? If you use the standard analyzer then this happens:
As you can see, the dollar sign is removed from the input. So the dollar sign is never stored in the inverted index you are running the query against, and thus you don't get any results. You need to pick an analyzer which keeps those characters (you can try the whitespace analyzer for testing, but it has vastly different characteristics; you probably do not want to go with that one).
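As an added illustration (not part of the original thread or of Elasticsearch itself) of why the regexp filter finds nothing against a standard-analyzed field but works against a keyword-analyzed one: the two analyzer functions are offline approximations of Elasticsearch's behaviour, and the sample account names and the `event_data.TargetUserName.keyword` field name are assumptions.

```python
import re

# Constructed sample TargetUserName values: two computer accounts
# (trailing "$") and one human user.
SAMPLE_USERS = ["WORKSTATION01$", "dc-server$", "jsmith"]

# A Lucene regexp query must match a whole indexed term; "$" is a literal
# character there, escaped here only for clarity.
COMPUTER_ACCOUNT_REGEXP = r".*\$"


def standard_analyze(text):
    """Approximate the standard analyzer: split on word characters, which
    drops punctuation such as "$", then lowercase each token."""
    return [t.lower() for t in re.findall(r"\w+", text)]


def keyword_analyze(text):
    """Approximate the keyword analyzer: the whole value is one term."""
    return [text]


def regexp_matches(terms, pattern):
    """Emulate a regexp query: true if the pattern matches any indexed term."""
    return any(re.fullmatch(pattern, t) for t in terms)


def filter_out_computers(users, analyzer):
    """Return what a must_not regexp filter leaves behind, given the terms
    the chosen analyzer would have written to the inverted index."""
    return [u for u in users
            if not regexp_matches(analyzer(u), COMPUTER_ACCOUNT_REGEXP)]


def build_filter_query(field="event_data.TargetUserName.keyword"):
    """Query body dropping computer accounts. The ".keyword" sub-field is an
    assumption: a keyword-analyzed copy of the value must exist for this to work."""
    return {"query": {"bool": {"must_not": [
        {"regexp": {field: COMPUTER_ACCOUNT_REGEXP}}]}}}


if __name__ == "__main__":
    # With the standard analyzer nothing is filtered; with keyword it works.
    print(filter_out_computers(SAMPLE_USERS, standard_analyze))
    print(filter_out_computers(SAMPLE_USERS, keyword_analyze))
```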