Regexp Not Evaluating as Expected

I'm trying to drop events for which the winlog.event_data.TargetUserName ends with $ but keep the event when winlog.event_data.TargetUserName has $ not as the end character. Using the regular expressions 101 tester (https://regex101.com) the regex expression \$$ does not match Te$t but does match Test$. However when I use this expression in my winlogbeat.yml file, it drops both events instead of keeping events with winlog.event_data.TargetUserName equal to Te$t. See sample code below. Does winlogbeat not interpret the regex the same way as the tester does?

processors:
  - drop_event:
      when:
         regexp.winlog.event_data.TargetUserName: '\$$'

Your regular expression is correct so I was really confused. I added some debug to see what the raw string looks like before compiling the regex and it's \$ so it's just doing a substring match to see if it contains any $ literal.

Regex string raw: "\\$"
2020-10-13T18:09:27.981-0400	DEBUG	[conditions]	conditions/conditions.go:98	New condition regexp: map[message:<substring '$'>], map[]
2020-10-13T18:09:27.981-0400	DEBUG	[processors]	processors/processor.go:120	Generated new processors: add_tags=matches, condition=regexp: map[message:<substring '$'>], map[]

Then I remembered the config parsing does variable interpolation. :sweat_smile: https://www.elastic.co/guide/en/beats/filebeat/master/yaml-tips.html#dollar-sign-strings

So you actually need

processors:
  - drop_event:
      when:
         regexp.winlog.event_data.TargetUserName: '\$$$'
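
To see the two steps at work (the `$$` unescape in the config loader, then the regex compile), here is a small Go program added to this thread; it is not Beats code. The `unescapeDollars` helper is an assumed simplification of the documented `$$` rule, and the regex is compiled with Go's standard `regexp` package, the engine family Beats is built on.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// unescapeDollars models the documented Beats config rule that "$$" in a
// string value stands for one literal "$". It is a deliberate simplification
// (assumption) of the real loader, which also expands "${...}" references.
func unescapeDollars(s string) string {
	return strings.ReplaceAll(s, "$$", "$")
}

// dropsEvent reports whether a drop_event condition written with the given
// YAML value would drop an event whose TargetUserName equals name.
func dropsEvent(yamlValue, name string) (bool, error) {
	pattern := unescapeDollars(yamlValue)
	re, err := regexp.Compile(pattern) // RE2 syntax, as in Go/Beats
	if err != nil {
		return false, err
	}
	return re.MatchString(name), nil
}

func main() {
	// Constructed sample values: the thread's original and corrected patterns,
	// checked against the two account names from the question.
	for _, v := range []string{`\$$`, `\$$$`} {
		fmt.Printf("YAML value %q becomes regex %q\n", v, unescapeDollars(v))
		for _, name := range []string{"Te$t", "Test$"} {
			drop, err := dropsEvent(v, name)
			if err != nil {
				fmt.Println("  compile error:", err)
				continue
			}
			fmt.Printf("  %-6s dropped=%v\n", name, drop)
		}
	}
}
```

With `'\$$'` both names are dropped because the regex collapses to `\$` (an unanchored literal dollar), while `'\$$$'` yields `\$$` and drops only `Test$`.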

Hello here,

I'm using this to filter out Computers :

- regexp.winlog.event_data.TargetUserName: '.*\$'

Cheers
