Please help figure out the right syntax

jurz · February 5, 2019, 11:06am

Hi,

re-read search syntax post serveral times over - still unable to do what I need.

Here's the situation: Gathering logs from windows event log, have lots iwth event id 4625 and in some cases the event_data.TargetUserName is a machine (having at the end of the name, like CPU1, MACHINE2$ etc).

I want to find all records with event_id:4625, but the not the machine accounts.

Here is what I have tried (with no success) - problem seems to be escaping dollar sign.
event_id:4625 NOT event_data.TargetUserName:"" event_id:4625 -event_data.TargetUserName:"*"
event_id:4625 NOT event_data.TargetUserName:/(.)$/ (and several other options)

Anyone facing similar problem?
Thanks, J

system · March 5, 2019, 11:06am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filtering out event_data.TargetUserName ending in $ Elasticsearch	3	2353	December 20, 2017
Help with regexp query syntax Elasticsearch	5	1919	September 26, 2017
Kibana 8.2.0 Filter event_data.TargetUserName ending with $ (service accounts etc) Kibana	2	342	July 26, 2022
Query Help search for $ Kibana	7	1442	July 6, 2017
Elastic Query for Windows user accounts, excluding computer accounts Logs elastic-stack-machine-learning , elastic-stack-alerting	2	785	April 29, 2022

Please help figure out the right syntax

Related topics