Hey there, im new to this elk world and im currently working on a threat hunting project with ELK/Zeek. My problem is, that i want for example to query for DNS.Length > 75 within zeek data. I know that its easy to do in splunk, but how to do it with KQL ? I cant find this variable there with lengt…

How to Query for length with elasticsearch (KQL)

ylasri (Yassine LASRI) December 29, 2020, 6:36pm 12

Painless is painfull try this

{
  "script": {
    "script": {
      "lang": "painless",
      "source": "if (doc['zeek.dns.query'].size() == 0) { return false;} else {return doc['zeek.dns.query'].value.length() > 5;}"
    }
  }
}

2 Likes

Topic		Replies	Views
KIBANA : String Length based Filter to my documents Kibana	7	5069	August 29, 2020
Getting documents based on field length Elasticsearch	5	588	March 13, 2019
Filter field by length Elasticsearch	5	6272	May 18, 2018
Using the LENGTH string function to limit search Elasticsearch	5	9341	February 7, 2020
How to filter docs by text field length? Elasticsearch	2	9536	August 31, 2020

How to Query for length with elasticsearch (KQL)

Related topics