Hey @hpicass0,
I think I'll need more information to help you.
I tried with the following dataset, and I was able to use the $ as part of a wildcard filter:
PUT /test
{
  "mappings": {
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "interface": {
        "type": "keyword"
      },
      "hostname": {
        "type": "keyword"
      },
      "metric": {
        "type": "integer"
      }
    }
  }
}

PUT /test/_doc/1
{
  "@timestamp": "2020-12-13T14:54:00",
  "interface": "eth0",
  "hostname": "hostX",
  "metric": 20
}

PUT /test/_doc/2
{
  "@timestamp": "2020-12-13T14:55:00",
  "interface": "eth0",
  "hostname": "hostX",
  "metric": 60
}

PUT /test/_doc/3
{
  "@timestamp": "2020-12-13T14:54:00",
  "interface": "eth0",
  "hostname": "hostZ",
  "metric": 100
}

PUT /test/_doc/4
{
  "@timestamp": "2020-12-13T14:55:00",
  "interface": "eth0",
  "hostname": "hostZ",
  "metric": 110
}

PUT /test/_doc/5
{
  "@timestamp": "2020-12-13T14:54:00",
  "interface": "eth1",
  "hostname": "hostZ",
  "metric": 10
}

PUT /test/_doc/6
{
  "@timestamp": "2020-12-13T14:54:00",
  "interface": "eth1",
  "hostname": "hostZ",
  "metric": 60
}

PUT /test/_doc/7
{
  "@timestamp": "2020-12-13T14:54:00",
  "interface": "eth1$",
  "hostname": "hostZ",
  "metric": 60
}
Filter: not interface : *$
Are there potentially other parts of your query that are including this document? As a test, can you write your filter to only check against user.name and no other field?
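As an added illustration (not part of the reply above), the Python below reproduces the reply's test offline: it embeds the seven sample documents from the post, implements Lucene/Elasticsearch wildcard matching (`*` for any run of characters, `?` for one character, backslash to escape, everything else literal, so `$` is an ordinary character), and evaluates the filter `not interface : *$` against them. It also builds the Query DSL that the KQL filter is assumed to correspond to (a `wildcard` query wrapped in `bool.must_not`); that translation, the helper names and the `run_post_example` function are this example's own assumptions, not Kibana's code.

```python
import re
from typing import Dict, List, Optional, Pattern

# Constructed sample data: the seven documents indexed in the post above.
DOCS: List[Dict[str, object]] = [
    {"_id": "1", "@timestamp": "2020-12-13T14:54:00", "interface": "eth0", "hostname": "hostX", "metric": 20},
    {"_id": "2", "@timestamp": "2020-12-13T14:55:00", "interface": "eth0", "hostname": "hostX", "metric": 60},
    {"_id": "3", "@timestamp": "2020-12-13T14:54:00", "interface": "eth0", "hostname": "hostZ", "metric": 100},
    {"_id": "4", "@timestamp": "2020-12-13T14:55:00", "interface": "eth0", "hostname": "hostZ", "metric": 110},
    {"_id": "5", "@timestamp": "2020-12-13T14:54:00", "interface": "eth1", "hostname": "hostZ", "metric": 10},
    {"_id": "6", "@timestamp": "2020-12-13T14:54:00", "interface": "eth1", "hostname": "hostZ", "metric": 60},
    {"_id": "7", "@timestamp": "2020-12-13T14:54:00", "interface": "eth1$", "hostname": "hostZ", "metric": 60},
]


def wildcard_to_regex(pattern: str) -> Pattern[str]:
    """Translate a Lucene wildcard pattern into an anchored regular expression.

    Lucene wildcard syntax: '*' matches any run of characters, '?' matches a
    single character, and a backslash escapes the following character. Every
    other character is literal, which is why '*$' only matches keyword values
    that end in a dollar sign rather than acting as an end-of-string anchor.
    """
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))  # escaped literal
            i += 2
            continue
        if c == "*":
            parts.append(".*")
        elif c == "?":
            parts.append(".")
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("".join(parts), re.DOTALL)


def wildcard_filter(docs: List[Dict[str, object]], field: str, pattern: str, negate: bool = False) -> List[str]:
    """Return the _ids that the filter '<field> : <pattern>' (or its negation) keeps.

    A document without the field never matches the wildcard, so under 'not'
    it is kept, mirroring how a must_not clause treats missing fields.
    """
    rx = wildcard_to_regex(pattern)
    kept: List[str] = []
    for doc in docs:
        value: Optional[object] = doc.get(field)
        matched = isinstance(value, str) and rx.fullmatch(value) is not None
        if matched != negate:
            kept.append(str(doc["_id"]))
    return kept


def kql_to_dsl(field: str, pattern: str, negate: bool = False) -> Dict[str, object]:
    """Assumed Query DSL equivalent of the KQL filter '[not] <field> : <pattern>'."""
    query: Dict[str, object] = {"wildcard": {field: {"value": pattern}}}
    if negate:
        return {"query": {"bool": {"must_not": [query]}}}
    return {"query": query}


def run_post_example() -> List[str]:
    """Evaluate the post's filter 'not interface : *$' against the sample documents."""
    return wildcard_filter(DOCS, "interface", "*$", negate=True)


if __name__ == "__main__":
    print("matched by interface : *$   ->", wildcard_filter(DOCS, "interface", "*$"))
    print("kept by not interface : *$  ->", run_post_example())
    print("assumed DSL:", kql_to_dsl("interface", "*$", negate=True))
```

Only document 7 matches `interface : *$`, so the negated filter keeps documents 1 to 6. If a document with a `$` value still appears in a real dashboard, this is the check the reply suggests: reduce the filter to a single field and confirm no other clause (for example a separate `user.name` condition) is the one admitting it.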