Negating Windows logons from managed service accounts ending with $

0nullbytes · November 5, 2020, 1:57pm

Am using Kibana 6.8.11, using Kibana query language I want to exclude Windows Service Accounts ending with a $. Ideally the following query should work !data.win.eventdata.targetUserName:*$ but for some reason it does not. Any pointers would be highly appreciated.

Marta_Bondyra · November 5, 2020, 2:07pm

Do you have to use KQL? You could instead create a DSL filter and then negate it with 'exclude results':

(on the picture I have a filter that accepts only docs where category.keyword ends with 'ies')

Let me know if it helps, otherwise I'll assist further.

0nullbytes · November 5, 2020, 2:09pm

Awesome, let me try that, thanks

Marta_Bondyra · November 5, 2020, 2:11pm

Btw with KQL it's currently impossible. Here's the issue to track and upvote if you want to make it more popular so our devs give it more importance: https://github.com/elastic/kibana/issues/46855

Topic		Replies	Views
Filtering out "managed service accounts" Kibana	3	656	July 8, 2020
Kibana 8.2.0 Filter event_data.TargetUserName ending with $ (service accounts etc) Kibana	2	440	July 26, 2022
Search For String That Doesn't End With $ In KQL Kibana kql-kibana-query-language	3	2732	November 22, 2019
Kibana KQL: how to search for fields with special characters (eg $) Kibana kql-kibana-query-language	3	8438	July 15, 2021
Filtering out event_data.TargetUserName ending in $ Elasticsearch	3	2442	December 20, 2017

Negating Windows logons from managed service accounts ending with $

Related topics