How to match text fields which ends with .s3.amazonaws.com using KQL?

shi · October 17, 2022, 6:15am

We are trying to match s3.amazonaws.com from the following text field which is indexed.

goto-desktop.s3.amazonaws.com

We found that

1. DNSQuery : *amazonaws*

matched amazonaws.com
goto-desktop.s3.amazonaws.com

2. DNSQuery : goto*

matched goto
goto-desktop.s3.amazonaws.com

3. DNSQuery : s3.amazonaws.com

matches amazonaws.com
goto-desktop.s3.amazonaws.com

4. DNSQuery : *desktop*

matches desktop.s3
goto-desktop.s3.amazonaws.com

5. DNSQuery : goto-desktop.s3.amazonaws.com

matches goto-desktop.s3.amazonaws.com
goto-desktop.s3.amazonaws.com

Please note that - and second . are not matched, but the first and third . matched.

How can we match any queries starting ending with s3.amazonaws.com only.

When we tried to match the following

goto-desktop.s3amazonaws.com

using

6. DNSQuery : *.s3.amazonaws.com

we don't get any match.

How can we match all the queries which ends with .s3.amazonaws.com ?

Stratoula_Kalafateli · October 17, 2022, 6:28am

Hey! Where exactly are you trying to filter documents with KQL in kibana? If you are using the search bar which is on the top of Discover, Dashboard and Lens applications

There are 2 ways to do it:

use the KQL bar and do something like:

text.keyword : *.s3.amazonaws.com

Create a DSL filter like that

{
  "query": {
    "query_string": {
      "fields": [
        "text.keyword"
      ],
      "query": "*.s3.amazonaws.com"
    }
  }
}

shi · October 17, 2022, 7:36am

When we searched on the keyword instead of the text field, it is working

Thank you

system · November 14, 2022, 7:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.