Negating Windows logons from managed service accounts ending with $

I am using Kibana 6.8.11. Using Kibana Query Language, I want to exclude Windows service accounts ending with a $. Ideally the following query should work: !data.win.eventdata.targetUserName:*$ but for some reason it does not. Any pointers would be highly appreciated.

Do you have to use KQL? You could instead create a DSL filter and then negate it with 'exclude results':

(In the picture, I have a filter that accepts only docs where category.keyword ends with 'ies'.)

Let me know if it helps, otherwise I'll assist further.

Awesome, let me try that, thanks

Btw with KQL it's currently impossible. Here's the issue to track and upvote if you want to make it more popular so our devs give it more importance: https://github.com/elastic/kibana/issues/46855
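The negated DSL filter suggested in the reply above can be written as a `bool`/`must_not` around a `wildcard` clause. The following is an added example, not code from the thread or from Elastic: the helper names and the sample events are constructed for illustration, and it assumes `data.win.eventdata.targetUserName` is indexed as a keyword field.

```python
import json

FIELD = "data.win.eventdata.targetUserName"  # field name taken from the question

def escape_wildcard(literal):
    """Escape the characters a wildcard query treats specially: \\, * and ?."""
    return "".join("\\" + c if c in "\\*?" else c for c in literal)

def suffix_clause(field, suffix):
    """Wildcard clause matching values of `field` that end with `suffix`."""
    return {"wildcard": {field: "*" + escape_wildcard(suffix)}}

def exclude_suffix_query(field, suffix):
    """Search body keeping only documents whose `field` does NOT end with `suffix`."""
    return {"query": {"bool": {"must_not": [suffix_clause(field, suffix)]}}}

def get_path(doc, dotted):
    """Read a nested value such as data.win.eventdata.targetUserName."""
    for key in dotted.split("."):
        if not isinstance(doc, dict):
            return None
        doc = doc.get(key)
    return doc if isinstance(doc, str) else None

def local_filter(events, field, suffix):
    """Offline approximation of the must_not clause, for checking sample data.
    Like must_not, it keeps documents that lack the field altogether."""
    return [e for e in events if not (get_path(e, field) or "").endswith(suffix)]

def event(user):
    """Build a constructed logon event carrying only the field of interest."""
    return {"data": {"win": {"eventdata": {"targetUserName": user}}}}

# Constructed sample events: two accounts ending in $, one user, one without the field.
SAMPLE = [event("WEB01$"), event("svc_backup$"), event("alice"),
          {"data": {"win": {"eventdata": {}}}}]

if __name__ == "__main__":
    print(json.dumps(exclude_suffix_query(FIELD, "$"), indent=2))
    print([get_path(e, FIELD) for e in local_filter(SAMPLE, FIELD, "$")])
```

A pattern with a leading `*` has to be checked against every term in the field, so on large indices it is worth combining this filter with a time range or an event ID filter.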
