NOT filter using a wildcard

Hello,

I am unable to get what should be a simple filter in place to work. I have been researching the wildcard element in elasticsearch and grasp the concept when running a query. What I am unable to get working is a basic filter to exclude certain dns queries in our logs. See the basic logic below:

NOT query *.google.com

Keep in mind, query in this sense is a field name as part of a dns request.

Can someone please help?

Hi there, please take a look at this thread in which another user asked a similar question. The solution is to use the "Edit Query DSL" option to handcraft a wildcard query.

Hope this helps,
CJ

Thank you for the reply, however this is not working. Please see query and screenshot:

{
  "query": {
    "match": {
      "query.keyword": {
        "query": "*98a911aa.cnr.io",
        "type": "phrase",
        "analyze_wildcard": true
      }
    }
  }
}

Error I am receiving: Visualize: [parsing_exception] [match_phrase] query does not support [analyze_wildcard], with { line=1 & col=709 }

I followed that document to a T, created a query then went to edit DSL. Any suggestions?
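
For anyone who lands on this thread: the query shape that works for "exclude everything matching `*.google.com`" is a `bool` query whose `must_not` wraps a `wildcard` clause on the `.keyword` sub-field. `match` / `match_phrase` does not accept `analyze_wildcard`, which is exactly the `parsing_exception` quoted above. The Python below is an added example, not code from the thread or from Elastic: it builds that request body and then runs it against a few constructed sample DNS documents with a small in-memory stand-in for the cluster, so the effect of the filter can be seen without a running Elasticsearch. The field name `query` and its `.keyword` mapping are taken from the thread; the sample documents are made up.

```python
"""Build a must_not/wildcard query-DSL filter for DNS query names and check it
locally against constructed sample documents (added example, not from the thread)."""
import fnmatch
import json

# Constructed sample DNS log documents (not real data from the thread).
SAMPLE_DOCS = [
    {"query": "www.google.com", "client": "10.0.0.5"},
    {"query": "mail.google.com", "client": "10.0.0.6"},
    {"query": "example.org", "client": "10.0.0.7"},
    {"query": "evil-google.com.example.net", "client": "10.0.0.8"},
]


def exclude_wildcard_query(field: str, pattern: str) -> dict:
    """Return a request body that drops documents whose `field` matches `pattern`.

    The wildcard clause targets the `.keyword` sub-field so the whole, untokenised
    name is compared; `must_not` negates it. This is the DSL equivalent of the
    "NOT query *.google.com" the original poster asked for.
    """
    return {
        "query": {
            "bool": {
                "must_not": [
                    {"wildcard": {f"{field}.keyword": {"value": pattern}}}
                ]
            }
        }
    }


def evaluate_locally(query_body: dict, docs: list) -> list:
    """Tiny stand-in for the cluster: apply the must_not/wildcard clauses of
    `query_body` to in-memory docs and return the documents that survive.

    Only this one query shape is understood. Elasticsearch wildcard semantics
    (`*` = any run of characters including dots, `?` = one character, matched
    against the whole term) are approximated with fnmatch.
    """
    clauses = query_body["query"]["bool"]["must_not"]
    kept = []
    for doc in docs:
        excluded = False
        for clause in clauses:
            (field_kw, spec), = clause["wildcard"].items()
            # Strip the ".keyword" suffix to find the source field in the doc.
            field = field_kw[:-len(".keyword")] if field_kw.endswith(".keyword") else field_kw
            # The wildcard clause may be the long form {"value": ...} or a bare string.
            pattern = spec["value"] if isinstance(spec, dict) else spec
            if fnmatch.fnmatchcase(str(doc.get(field, "")), pattern):
                excluded = True
                break
        if not excluded:
            kept.append(doc)
    return kept


if __name__ == "__main__":
    body = exclude_wildcard_query("query", "*.google.com")
    print(json.dumps(body, indent=2))
    for doc in evaluate_locally(body, SAMPLE_DOCS):
        print("kept:", doc["query"])
```

Note that `*.google.com` also matches nested names such as `a.b.google.com`, while a name that merely contains `google.com` in the middle (the fourth sample document) is not excluded, because the wildcard is matched against the entire keyword term.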
