New to Kibana and need some help understanding escaping special characters. Basically what I'm trying to do is take what I know in Splunk and wildcard-search substrings of event log fields. Below is what I tried, but I replaced the actual file names with "example".
I ingested some events with winlogbeat and verified that I can see data by adding a filter for winlog.event_id:1 and saw only those relevant events. To practice KQL, I put process.command_line:*example* and saw that the events were narrowed down to command lines with that in the string. I saw that C:\WINDOWS\system32\example.exe was part of some of the events, so I changed it to process.command_line:*system32\\example* to narrow it down further and escape the backslash, but got no results.
I'm still learning Elasticsearch. Below is a portion of the request I saw when I inspected it.
"query": {
  "bool": {
    "must": [],
    "filter": [
      {
        "bool": {
          "should": [
            {
              "wildcard": {
                "process.command_line": "*system32\\wsl*"
              }
            }
          ],
          "minimum_should_match": 1
        }
      },
What am I missing?
I saw similar posts saying to add further escapes. I tried 4 backslashes but no results still. 3 backslashes returns a search error.
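An added example, not part of the original post, that models how a Lucene-style wildcard pattern like the one in the inspected request is interpreted: `*` and `?` are wildcards and a backslash escapes the character after it, so the JSON value "*system32\\wsl*" decodes to a pattern in which `\w` is just a literal w and the backslash itself is no longer matched. The sample command line below is constructed, and `escape_for_wildcard` and `wildcard_clause` are helper names chosen here, not Kibana or Elasticsearch APIs.

```python
import json
import re

# Constructed sample field value (not taken from the original post).
SAMPLE_COMMAND_LINE = r"C:\WINDOWS\system32\wsl.exe --list"


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a Lucene/Elasticsearch wildcard pattern into a Python regex.

    '*' matches any run of characters, '?' matches exactly one character, and
    a backslash escapes the character that follows it. A literal backslash
    therefore has to be written as two backslashes in the pattern itself.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))  # escaped char, taken literally
            i += 2
            continue
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.DOTALL)


def wildcard_matches(pattern: str, value: str) -> bool:
    """True if the wildcard pattern matches the whole field value."""
    return wildcard_to_regex(pattern).match(value) is not None


def escape_for_wildcard(literal: str) -> str:
    """Escape backslash, '*' and '?' so the substring is matched verbatim."""
    return re.sub(r"([\\*?])", r"\\\1", literal)


def wildcard_clause(field: str, literal: str) -> str:
    """Build the JSON for a wildcard clause that matches *literal* as a substring.

    json.dumps doubles every backslash again, which is why a single literal
    backslash ends up as four backslashes in the request body.
    """
    return json.dumps({"wildcard": {field: "*" + escape_for_wildcard(literal) + "*"}})
```

Decoding the pattern from the request body with json.loads and feeding it to wildcard_matches shows that it only matches "system32wsl" with no separator, which is why the search returns nothing.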