Hi,
I have the following query.
GET /logstash-win*/_search
{
  "query": {
    "bool": {
      "must": [
        { "regexp": { "event_data.CommandLine": ".*Hidden.*" } }
      ],
      "filter": [
        { "range": { "@timestamp": { "from": "now-1d", "to": "now" } } }
      ]
    }
  }
}
There exists a document in my defined time interval with a field 'event_data.CommandLine' which includes the word 'Hidden'. The field is of type 'text'.
There also exists another document with that field containing a file path like 'ANY.dll'. It is found by the following regexp:
.*dll.*
What's the problem here?
I am using Elasticsearch 5.4 with XPack
Thanks
David
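As an added example (my illustration, not David's data or Elasticsearch code): the regexp query is a term-level query, so it is matched against the analyzed terms stored for the text field, and the standard analyzer lowercases those terms. That is why a case-sensitive pattern such as .*Hidden.* can miss the indexed term "hidden" while .*dll.* matches "any.dll". The documents and the simplified tokenizer below are constructed approximations of that behaviour.

```python
import re

# Constructed sample command lines, keyed by a made-up document id.
DOCS = {
    1: "powershell.exe -WindowStyle Hidden -File C:\\temp\\run.ps1",
    2: "rundll32.exe C:\\Windows\\ANY.dll,EntryPoint",
}


def analyze_standard(text):
    """Rough model of Elasticsearch's 'standard' analyzer for a text field:
    split on whitespace and punctuation (keeping dots that sit between word
    characters, as UAX#29 word segmentation does) and lowercase each token.
    A regexp query is evaluated against these terms, not the raw string."""
    return [tok.lower() for tok in re.findall(r"\w+(?:\.\w+)*", text)]


def regexp_query_hits(docs, pattern):
    """Model of a term-level regexp query on an analyzed text field.
    Lucene anchors the pattern to the whole term and, in 5.x, has no
    case-insensitive flag, so matching is exact-case against each term."""
    rx = re.compile(pattern)
    return sorted(
        doc_id
        for doc_id, text in docs.items()
        if any(rx.fullmatch(term) for term in analyze_standard(text))
    )


if __name__ == "__main__":
    for pattern in (".*Hidden.*", ".*hidden.*", ".*dll.*"):
        print(f"{pattern!r:14} -> hits {regexp_query_hits(DOCS, pattern)}")
```

Lowercasing the pattern (.*hidden.*) matches the analyzed term; querying the un-analyzed keyword subfield is the other way to keep the original case.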