Hi all,
I'm trying to use a wildcard query inside my watcher to look for either or one of the following:
"wildcard": {
"raw_event_log": [
"*{ :;};*",
"*/bin/*"
]
Is this the correct syntax?
have you tried running the query outside of a watch and checked if it returns the correct results?
I am not sure, what the exact question here is? It's hard to say from the outside if a query is correct, as it is hard to say what results you are expecting to get back. Putting this in a regular query will at least immediately show you, if there is a syntax error or something similar. All in all, judging by this query, I would think that preprocessing might be a better strategy in this case.
--Alex
Hi @spinscale again!
So, I ran the query below outside the watcher and I get an error (of course).
{
"query": {
"wildcard": {
"command": [
"*systeminfo*",
"*ipconfig*",
"*tasklist*"
]
}
}
}
The aim of the query is to bring back any message that have any of the following strings: systeminfo, ipconfig, tasklist.
The reason I need the wildcard is because there may be something additonal such as "systeminfo | findstr /B /C:”OS Name” /C:”OS Version”"
And just searching for "systeminfo" as a term wouldn't bring this back.
If any of these events inside the command field match the query I want it to execute.
This is the error I get:
{
"error": {
"root_cause": [
{
"type": "illegal_state_exception",
"reason": "Can't get text on a START_ARRAY at 4:32"
}
],
"type": "illegal_state_exception",
"reason": "Can't get text on a START_ARRAY at 4:32"
},
"status": 500
}
I'm not sure if the wildcard is the right way to go around this.
I could use "should", but that would mean that it would execute regardless of if it matches.. Confused 
This works and brings back the correct results, but it is only for one. I need a list of possible commands and Im not sure how to achieve it.
{
"query": {
"wildcard": {
"command": "*systeminfo*"
}
}
}
Also please note that this works...
{
"query": {
"terms": {
"command": [
"systeminfo",
"ipconfig",
"tasklist"
]
}
}
}I found a solution that I'll write up for anyone that is looking for a solution.
I don't think wildcard can be used to search for an array.
Instead I used a query with logical operators and I think its working 
{
"query": {
"query_string" : {
"query": "(command:syteminfo* OR command:ipconfig* OR command:tasklist*)"
}
}
}This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.