Query Help search for $

rhyse · August 7, 2016, 7:37pm

Hi

I am trying to exclude a specific field containing a "$" sign, but am having very little luck.

Basically trying to audit logon events for windows machines. (from winlogbeats 5 alpha)

My query is

event_id:(4778 OR 4801 OR 4803 OR 4624 ) AND NOT event_data.TargetUserName.raw:(.)$
event_id:(4778 OR 4801 OR 4803 OR 4624 ) AND NOT event_data.TargetUserName.raw:/(.)$/
event_id:(4778 OR 4801 OR 4803 OR 4624 ) AND NOT event_data.TargetUserName.raw:/(.$)/
event_id:(4778 OR 4801 OR 4803 OR 4624 ) AND NOT event_data.TargetUserName.raw:/(.)/$
event_id:(4778 OR 4801 OR 4803 OR 4624 ) AND NOT event_data.TargetUserName.raw:/$$/

I have tried without the .raw

field looks similar to

event_data.TargetUserName S-EXHTCAS06$

Any ideas ?

Any help is appreciated

Thanks

LeeDr · August 8, 2016, 3:56pm

Hi Rhyse,

I created some test data for this case and also had a very hard time finding (or excluding) fields that ended in "$". The problem was that although I created my index with;

"fields": {
                    "raw" : { "type" : "text", "index" : "not_analyzed" }

That "raw" field WAS still analyzed. I have to change that type from "text" to "keyword".

"fields": {
                    "raw" : { "type" : "keyword", "index" : "not_analyzed" }

Now its not analyzed and I can search for action.raw:"start\$" or action.raw:start$ in Kibana and I only get start$ and not start

And I can put NOT in front of my query and only exclude start$.

Regards,
Lee

pickypg · August 8, 2016, 4:02pm

To be clear:

"type": "text"

is equivalent to

"type": " string"

in ES 1.x and 2.x. While

"type": "keyword"

is equivalent to

"type": "string",
"index": "not_analyzed"

in ES 1.x and 2.x.

rhyse · August 9, 2016, 6:36am

Hi

Thanks, ill look into how to change that field type (I'm new to ELK). I wondering if it would have any other impact?

We loaded the mappings from the beats templates, should I be "logging" this with the developers of this beat ?

Thanks

LeeDr · August 9, 2016, 4:33pm

I think this is the template that would be used (if you ran the absolute newest version of winlogbeat). I'll pass this thread on to the Beats team to see if they see a problem.

https://github.com/elastic/beats/blob/master/winlogbeat/winlogbeat.template.json

LeeDr · August 9, 2016, 4:38pm

Hi Rhyse,

Could you please let us know what versions of Elasticsearch, Kibana, and Winlogbeat you're running?

And could you also please go to the Settings (Management) tab, select this index pattern, and find the field event_data.TargetUserName.raw and tell us if Analyzed is checked for it?

Thanks,
Lee

rhyse · August 9, 2016, 8:10pm

Hi

Elasticsearch: 2.3.5
Kibana: 4.4.2
Winlogbeat: 5 Alpha 4

I don't have the event_data.TargetUserName.raw but do have event_data.TargetUserName (its type string) and is analysed

Thanks