Problems with lucene phrase matching for nested objects

Hi,

I'm running ELK 6.2.2 with winlogbeat and collect sysmon logs.

When I'm trying to run a search query against event_data.CommandLine that looks like the following:
event_data.CommandLine:"Get\-Variable"

I get no matches.

If I run:
message:"Get\-Variable"

it successfully returns records which contain the mentioned cmdlet anywhere in the message field.

Also, I can find what I look for using: event_data.CommandLine:*Get\-Variable*

As I understood from the available docs, the event_data.* fields are computed by elastic on the fly and therefore unsearchable using phrase matching. Is there a way to make them searchable?

Now I'm considering mapping event_data.X => X in logstash for selected fields.

Thanks for the help!

This looks like the event_data.CommandLine field is not analyzed, which won't let you search for parts of the string without wildcards. The message field is usually analyzed, which is why you get results for that. So you could change the template for your index and make the event_data.CommandLine field text instead of keyword, which will run the analyzer on it from now on.
In 6.3.0 the template looks like this:

          {
            "event_data": {
              "path_match": "event_data.*",
              "mapping": {
                "type": "keyword"
              },
              "match_mapping_type": "string"
            }

so you can either make all of them type: "string", which will analyze all the fields, or you can split that with a match/unmatch filter: https://www.elastic.co/guide/en/elasticsearch/reference/current/dynamic-templates.html
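
As an added example (not from either post above), here is what the "split" variant of that template could look like: an index template that maps only event_data.CommandLine as an analyzed text field, keeps a keyword sub-field for exact matching, and leaves every other event_data.* string as keyword. It assumes Elasticsearch 6.x mapping types (so "text" rather than the old "string"), the winlogbeat-* index pattern and the "doc" mapping type that Winlogbeat 6.x uses, and an "order" value higher than the template Winlogbeat itself loads so this one is merged on top; the template name and the ignore_above value are arbitrary choices. JSON allows no comments, so the assumptions are listed here instead.

```json
PUT _template/winlogbeat-commandline-text
{
  "index_patterns": ["winlogbeat-*"],
  "order": 10,
  "mappings": {
    "doc": {
      "dynamic_templates": [
        {
          "event_data_command_line": {
            "path_match": "event_data.CommandLine",
            "match_mapping_type": "string",
            "mapping": {
              "type": "text",
              "norms": false,
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 1024
                }
              }
            }
          }
        },
        {
          "event_data": {
            "path_match": "event_data.*",
            "match_mapping_type": "string",
            "mapping": {
              "type": "keyword"
            }
          }
        }
      ]
    }
  }
}
```

Two things a practitioner should check. First, dynamic templates are evaluated in order and the first match wins, so the specific event_data.CommandLine entry has to come before the catch-all event_data.* entry; after the next daily index is created, confirm the result with GET winlogbeat-*/_mapping rather than trusting the merge. Second, a template only affects indices created after it is loaded, so existing indices keep their keyword mapping until they are reindexed. Once the field is text, event_data.CommandLine:"Get-Variable" works because the standard analyzer turns Get-Variable into the tokens get and variable, and the phrase query requires them adjacent and in that order; the exact, case-sensitive value is still available as event_data.CommandLine.keyword (for values up to the ignore_above limit).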
