Matching a Dollar Sign with a Wildcard using KQL

Hi,

Hoping you guys are safe and well.
I'm trying to exclude any username that has $ at the end of it using Kibana Query Language.
I've done a lot of testing with the following, but it doesn't seem to work:

and not user.name: *$

Is there any way to achieve that? I've tried to escape the $ by using /$ or `$ but that's not working either.

Thanks

Hosam,

Hey @hpicass0,

I think I'll need more information to help you.

I tried with the following dataset, and I was able to use the $ as part of a wildcard filter:

PUT /test
{
  "mappings": {
    "properties": {
      "@timestamp":{
        "type":"date"
      },
      "interface":{
        "type":"keyword"
      },
      "hostname":{
        "type":"keyword"
      },
      "metric":{
        "type":"integer"
      }
    }
  }
}

PUT /test/_doc/1
{
  "@timestamp":"2020-12-13T14:54:00",
  "interface":"eth0",
  "hostname":"hostX",
  "metric":20
}

PUT /test/_doc/2
{
  "@timestamp":"2020-12-13T14:55:00",
  "interface":"eth0",
  "hostname":"hostX",
  "metric":60
}

PUT /test/_doc/3
{
  "@timestamp":"2020-12-13T14:54:00",
  "interface":"eth0",
  "hostname":"hostZ",
  "metric":100
}

PUT /test/_doc/4
{
  "@timestamp":"2020-12-13T14:55:00",
  "interface":"eth0",
  "hostname":"hostZ",
  "metric":110
}

PUT /test/_doc/5
{
  "@timestamp":"2020-12-13T14:54:00",
  "interface":"eth1",
  "hostname":"hostZ",
  "metric":10
}

PUT /test/_doc/6
{
  "@timestamp":"2020-12-13T14:54:00",
  "interface":"eth1",
  "hostname":"hostZ",
  "metric":60
}

PUT /test/_doc/7
{
  "@timestamp":"2020-12-13T14:54:00",
  "interface":"eth1$",
  "hostname":"hostZ",
  "metric":60
}

Filter: not interface : *$

Are there potentially other parts of your query that are including this document? As a test, can you write your filter to only check against user.name and no other field?
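
Added example, not part of the original reply: the same exclusion run against the `test` index above directly from Kibana Dev Tools, so the wildcard can be checked on its own with no other query clauses involved. A wildcard is matched against the indexed terms, so the first request confirms how the field is mapped (`keyword` in the dataset above). The Query DSL below is a hand-written equivalent of the filter, not necessarily the exact request Kibana generates from KQL.

```console
# Confirm the field type the wildcard will be evaluated against.
GET /test/_mapping/field/interface

# Hand-written equivalent of the KQL filter `not interface : *$`.
# must_not drops every document whose interface term ends with a literal $.
GET /test/_search
{
  "_source": ["interface", "hostname"],
  "query": {
    "bool": {
      "must_not": [
        {
          "wildcard": {
            "interface": {
              "value": "*$"
            }
          }
        }
      ]
    }
  }
}

# Inverse check: return only the documents the filter above excludes.
GET /test/_search
{
  "_source": ["interface", "hostname"],
  "query": {
    "wildcard": {
      "interface": {
        "value": "*$"
      }
    }
  }
}
```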