Hello all,
I have this regex which is working for most names but throws an error for some.
It seems my use of escape characters is wrong.
[client][user][name] =~ /staff\\.*/ or [client][user][name] =~ /students\\.*/
The error is below. (I've changed the surname)
[2020-03-19T17:49:54,758][WARN ][logstash.filters.elasticsearch][filebeat-firewall] Failed to query elasticsearch for previous event {:index=>"winlogbeat-*", :error=>"Unrecognized character escape 's' (code 115)\n at [Source: (byte[])\"{\n \"size\": 1,\n \"query\" : {\n \"bool\":{\n\"must\" : [\n{\n\"range\": {\n\"@timestamp\": {\n\"gte\": \"now-2h\",\n \"lte\": \"now/d\"\n}\n}\n},\n{\n \"term\" : {\n\"winlog.event_data.FullyQualifiedSubjectUserName\": \"staff\\shaneed.smith\"\n }\n }\n]\n}\n},\n\"[truncated 53 bytes]; line: 16, column: 83]"}
Here is the query used by logstash.
{
  "size": 1,
  "query" : {
    "bool" : {
      "must" : [
        {
          "range" : {
            "@timestamp" : {
              "gte" : "now-2h",
              "lte" : "now/d"
            }
          }
        },
        {
          "term" : {
            "winlog.event_data.ClientIPAddress" : "%{[client][ip]}"
          }
        }
      ]
    }
  },
  "_source" : ["winlog.event_data.SubjectUserName"]
}
Any help would be greatly appreciated.
James
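The error quoted in the post ("Unrecognized character escape 's'" at the line holding the `term` clause) is what a JSON parser reports when a backslash from a field value lands inside a JSON string without being encoded. The following is an added example, written for this thread and not code from the poster or from Logstash: it builds a query text of the same shape as the one above, substitutes a constructed value with the `DOMAIN\user` form into it two ways, and shows which one the parser accepts. The `TEMPLATE`, `PLACEHOLDER`, the `render_*` helpers and the sample value `staff\jane.doe` are all assumptions made for the example; the field name and query shape are taken from the post.

```python
import json

# Constructed query text mirroring the shape of the query in the post.
# PLACEHOLDER stands where the event field value is substituted.
PLACEHOLDER = "__USER_VALUE__"
TEMPLATE = """{
  "size": 1,
  "query": {
    "bool": {
      "must": [
        {"range": {"@timestamp": {"gte": "now-2h", "lte": "now/d"}}},
        {"term": {"winlog.event_data.FullyQualifiedSubjectUserName": "__USER_VALUE__"}}
      ]
    }
  }
}"""
TERM_FIELD = "winlog.event_data.FullyQualifiedSubjectUserName"


def render_naive(value):
    """Paste the raw field value into the query text (what a plain text substitution does)."""
    return TEMPLATE.replace(PLACEHOLDER, value)


def render_encoded(value):
    """JSON-encode the value first and splice in the encoded inner text, so a
    backslash in the value becomes the two-character escape \\\\ that JSON expects."""
    encoded = json.dumps(value)          # e.g. "staff\\jane.doe" including the quotes
    return TEMPLATE.replace(PLACEHOLDER, encoded[1:-1])


def parse_result(text):
    """Return ('ok', parsed) or ('error', message), mimicking what the query
    engine reports when it reads the rendered text."""
    try:
        return ("ok", json.loads(text))
    except json.JSONDecodeError as exc:
        return ("error", exc.msg)


def compare(value):
    """Parse both renderings of the same value; returns (naive_status, encoded_status)."""
    return parse_result(render_naive(value))[0], parse_result(render_encoded(value))[0]


def term_value(value):
    """Round-trip: the value the term clause carries after encoding and parsing."""
    status, parsed = parse_result(render_encoded(value))
    if status != "ok":
        raise ValueError("encoded query did not parse")
    return parsed["query"]["bool"]["must"][1]["term"][TERM_FIELD]


if __name__ == "__main__":
    # Constructed sample value in the same DOMAIN\user form as the post's field.
    sample = r"staff\jane.doe"
    print("naive:  ", parse_result(render_naive(sample)))
    print("encoded:", parse_result(render_encoded(sample)))
    print("term carries:", term_value(sample))
```

Values without a backslash pass both paths, which is why the query works for most names; the `\s` of `staff\surname` is the first byte sequence the parser refuses. Treating an event field as data to be JSON-encoded rather than text to be spliced in is the same discipline that keeps log-derived values from altering the structure of any query they are inserted into, whatever the query language.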