KQL filter if more values

Hi,

Looking to query a field such as process.args:"atbroker.exe"
but would only want a hit if there is more in process.args than just atbroker.exe

Is this possible?

Thanks
Phil

What type of data is this?

Try process.args: *atbroker.exe* to see if it works. But it depends on your data mapping and structure.

Assuming that process.args is an array of strings, then KQL cannot support this query. You can write this using the script query with painless. Something like this would be your script:

// process.args is the ECS keyword array; '/path/to/executable' is a placeholder for the executable value
doc['process.args'].size() > 0 && (
  !doc['process.args'].contains('/path/to/executable') ||
  (
    // the executable is present and at least one other argument was passed
    doc['process.args'].size() > 1 && doc['process.args'].contains('/path/to/executable')
  )
)

You can use this as an AND in the query DSL from Kibana.

Hi,

Thanks for the help, it sparked an idea which led to the below.

I have gotten around the issue by using ruby in logstash to count the arrays. I noticed that since ECS 1.3 process.args_count looks to be what I need; as of winlogbeat 7.9.2 it is not implemented yet.

"args = event.get('[process][args]'); event.set('[process][args_count]', args.length) if args.is_a?(Array)"

Thanks
Phil
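As an added example (not code from this thread), the counting logic from the Logstash ruby filter above is pulled out into plain Ruby with a minimal stand-in for the Logstash event API, so the edge cases can be exercised offline: a missing process.args, a scalar string instead of an array, and the one-argument case that the KQL term query alone cannot separate from a real hit. The `FakeEvent` class, the sample events and the helper names are constructed for this example. Once `process.args_count` is indexed, the Kibana query becomes `process.args:"atbroker.exe" and process.args_count > 1`.

```ruby
# Minimal stand-in for the Logstash Event API (constructed for this example).
# Logstash field references like '[process][args]' are resolved against nested hashes.
class FakeEvent
  def initialize(data)
    @data = data
  end

  def path(ref)
    ref.scan(/\[([^\]]+)\]/).flatten
  end

  def get(ref)
    path(ref).reduce(@data) { |node, key| node.is_a?(Hash) ? node[key] : nil }
  end

  def set(ref, value)
    keys = path(ref)
    last = keys.pop
    node = keys.reduce(@data) { |n, k| n[k] ||= {} }
    node[last] = value
  end
end

# Body of the Logstash `ruby { code => "..." }` filter: records how many
# arguments the process was started with, skipping events where the field
# is absent or not an array (otherwise nil.length raises and Logstash tags
# the event with _rubyexception instead of enriching it).
def count_args(event)
  args = event.get('[process][args]')
  return nil unless args.is_a?(Array)
  event.set('[process][args_count]', args.length)
  args.length
end

# Last path component, treating both '\' and '/' as separators so Windows
# paths work regardless of the platform this runs on.
def basename(arg)
  arg.to_s.split(%r{[\\/]}).last.to_s
end

# Detection predicate the thread is after: true only when the executable is
# present AND at least one other argument was passed. Case-insensitive on the
# basename because Windows paths vary in case across telemetry sources.
def extra_args?(event, exe)
  args = event.get('[process][args]')
  return false unless args.is_a?(Array) && args.length > 1
  args.any? { |a| basename(a).casecmp?(exe) }
end

# Constructed sample events in Winlogbeat/ECS shape (not real telemetry).
SAMPLE_EVENTS = [
  FakeEvent.new('process' => { 'args' => ['C:\\Windows\\System32\\AtBroker.exe'] }),
  FakeEvent.new('process' => { 'args' => ['atbroker.exe', '/start', 'narrator'] }),
  FakeEvent.new('process' => { 'name' => 'atbroker.exe' }),   # no args field at all
  FakeEvent.new('process' => { 'args' => 'atbroker.exe' }),   # scalar, not an array
]

# Returns [args_count, hit?] per event so the behaviour can be checked.
def triage(events, exe = 'atbroker.exe')
  events.map { |e| [count_args(e), extra_args?(e, exe)] }
end

if __FILE__ == $0
  triage(SAMPLE_EVENTS).each_with_index do |(n, hit), i|
    puts "event #{i}: args_count=#{n.inspect} hit=#{hit}"
  end
end
```

Only the second event fires: the first carries the executable alone, the third has no args field and the fourth is a string rather than an array, and both of the latter are left un-enriched rather than raising inside the pipeline.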
