I'm trying to drop events for which the winlog.event_data.TargetUserName ends with $ but keep the event when winlog.event_data.TargetUserName has $ not as the end character. Using the regular expressions 101 tester (https://regex101.com), the regex expression \$$ does not match Te$t but does match Test$. However, when I use this expression in my winlogbeat.yml file, it drops both events instead of keeping events with winlog.event_data.TargetUserName equal to Te$t. See sample code below. Does winlogbeat not interpret the regex the same way as the tester does?
Your regular expression is correct, so I was really confused. I added some debug to see what the raw string looks like before compiling the regex, and it's \$, so it's just doing a substring match to see if it contains any $ literal.
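The difference between the intended pattern and the one the reply reports reaching the regex compiler, as an added example that is not part of the original posts or Winlogbeat's own code. It assumes Go's standard regexp package as a stand-in for Winlogbeat's matcher; droppedUsers and the sample user names are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample TargetUserName values (not taken from real events).
var sampleUsers = []string{"Te$t", "Test$", "WORKSTATION01$", "alice"}

// droppedUsers returns the names that a drop rule using this pattern
// would discard. Hypothetical helper, not a Winlogbeat function.
func droppedUsers(pattern string, names []string) []string {
	re := regexp.MustCompile(pattern)
	var dropped []string
	for _, n := range names {
		if re.MatchString(n) {
			dropped = append(dropped, n)
		}
	}
	return dropped
}

func main() {
	// Pattern as written in the question versus the raw string the reply
	// observed just before compilation.
	for _, p := range []string{`\$$`, `\$`} {
		// %q prints the exact string handed to the compiler, which is the
		// kind of debug output that exposed the problem in the reply.
		fmt.Printf("pattern %q drops %q\n", p, droppedUsers(p, sampleUsers))
	}
}
```

With the anchor lost, Te$t is dropped along with the names that end in $, which is the behaviour described in the question.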