I'm trying to drop events for which the winlog.event_data.TargetUserName ends with $ but keep the event when winlog.event_data.TargetUserName has $ not as the end character. Using the regular expressions 101 tester (https://regex101.com) the regex expression \$$ does not match Te$t but does match Test$. However when I use this expression in my winlogbeat.yml file, it drops both events instead of keeping events with winlog.event_data.TargetUserName equal to Te$t. See sample code below. Does winlogbeat not interpret the regex the same way as the tester does?

processors:
  - drop_event:
      when:
        regexp.winlog.event_data.TargetUserName: '\$$'