I've a search to look for Account names ending with $ (as they are computer generated names). Below is my simple search in KQL, but it provides both type of accounts (i.e with and without $ at the end). Escaping $ brings in error
NOT (winlog.event_data.TargetUserName:*$)
How to filter fields which has similar characters?
Leading wildcards are not enabled by default in KQL, which is probably why you're seeing issues. This is part of the docs on KQL wildcards, and is controlled by a Kibana advanced setting.
You can verify that your query is executing correctly by going to Discover, typing your KQL query, and then opening the Inspect menu to see what the JSON request that we send to Elasticsearch.
As a workaround, you can build this query using the + Add filter button underneath the KQL bar.
Thought NOT a proper solution, i found below working (using a tick mark)
NOT (winlog.event_data.TargetUserName:*`$)
also thanks wylie. Will try that the workaround.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.