I have written a Lucene query and a KQL to show "puppet-disabled" and exclude values that contain "CHG", "INC" and "EXC" in the message field. However, all returned results include "puppet-disabled" text and the supposedly excluded values as well ("CHG", "INC" and "EXC"), meaning excluding doesn't work. Can anyone tell me why this is happening and how to achieve this or what I am doing wrong?
Here are relevant pieces from the queries (they both produce same results):
message:"puppet-disabled" AND NOT message:/.(CHG|INC|EXC)[0-9]{7}./
message:"puppet-disabled" and not message: ("CHG" or "INC" or "EXC")
Thank you very much for the suggestion. This was actually the version of my query and it indeed works as intended. However, when I wanted to push the rule to the GitLab repository, the job failed due to the reason given: "Unable to perform wildcard on field message of text". I thought this was due to the field's characteristics.
GitLab job. When I pushed the rule to GitLab, it failed with "Unable to perform wildcard on field message of text". It might be GitLab related, but I was wondering if this was due to the field's characteristics.
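As an added illustration (not code from the original thread), the script below simulates how the two exclusion clauses from the question behave against an analyzed text field. It assumes a simplified stand-in for Elasticsearch's standard analyzer (split on non-alphanumerics, lowercase every token) and two Lucene semantics that are stable facts: a regexp pattern is not analyzed and must match a whole indexed term, and a quoted KQL value on a text field is analyzed and then matched term by term. The sample messages are constructed for the demo.

```python
import re

# Constructed sample log messages (not taken from the original post).
SAMPLE_MESSAGES = [
    "puppet-disabled by CHG1234567 for maintenance",
    "puppet-disabled by INC7654321 during incident",
    "puppet-disabled by EXC0001111 approved",
    "puppet-disabled manually by admin",
    "puppet running normally",
]

# Exclusion clause as posted in the question, and a lowercase, unanchored rewrite.
ORIGINAL_REGEX = r".(CHG|INC|EXC)[0-9]{7}."
FIXED_REGEX = r".*(chg|inc|exc)[0-9]{7}.*"
KQL_TERMS = ["CHG", "INC", "EXC"]


def standard_analyze(text):
    """Simplified stand-in for the standard analyzer: split on
    non-alphanumerics and lowercase. 'CHG1234567' stays one token."""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9]+", text)]


def phrase_match(tokens, phrase):
    """match_phrase semantics: analyzed phrase tokens appear consecutively."""
    p = standard_analyze(phrase)
    return any(tokens[i:i + len(p)] == p for i in range(len(tokens) - len(p) + 1))


def regexp_match(tokens, pattern):
    """Lucene regexp semantics: pattern is NOT analyzed (case preserved)
    and is implicitly anchored to the whole term, hence fullmatch."""
    rx = re.compile(pattern)
    return any(rx.fullmatch(t) for t in tokens)


def kql_terms_match(tokens, terms):
    """KQL quoted value on a text field: value is analyzed, then each
    resulting term must equal an indexed term ('chg' != 'chg1234567')."""
    wanted = {w for term in terms for w in standard_analyze(term)}
    return any(t in wanted for t in tokens)


def lucene_query(messages, exclude_regex):
    """message:"puppet-disabled" AND NOT message:/<exclude_regex>/"""
    hits = []
    for m in messages:
        toks = standard_analyze(m)
        if phrase_match(toks, "puppet-disabled") and not regexp_match(toks, exclude_regex):
            hits.append(m)
    return hits


def kql_query(messages, exclude_terms):
    """message:"puppet-disabled" and not message:("CHG" or "INC" or "EXC")"""
    hits = []
    for m in messages:
        toks = standard_analyze(m)
        if phrase_match(toks, "puppet-disabled") and not kql_terms_match(toks, exclude_terms):
            hits.append(m)
    return hits


if __name__ == "__main__":
    # Both posted forms return all four puppet-disabled lines, i.e. nothing is excluded.
    print("original Lucene:", lucene_query(SAMPLE_MESSAGES, ORIGINAL_REGEX))
    print("KQL:", kql_query(SAMPLE_MESSAGES, KQL_TERMS))
    # The lowercase, .*-bounded pattern matches the whole term and excludes the ticket lines.
    print("fixed Lucene:", lucene_query(SAMPLE_MESSAGES, FIXED_REGEX))
```

The simulation shows the two reasons the exclusion has no effect: the posted regexp uses uppercase letters while the indexed terms are lowercased, and with a single `.` on each side it can never cover the whole term `chg1234567`; the KQL form looks for a standalone term `chg`, which the analyzer never produces because the ticket id is one token. On a real cluster, confirm the tokens with the `_analyze` API before relying on a detection rule's exclusion clause.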