Removing the "$" sign from event_data.TargetUserName

(Tarek Bensoltane) #1

Dear All,

I am trying to remove the dollar sign "$" from the event_data.TargetUserName found in the windows event viewer using Winlogbeat.

I have found an answer this article in this forum:

Which shows:
{ "query": { "regexp": { "event_data.TargetUserName": "[^$]{1,64}" } } } as an answer.

But unfortunately, it did not work for me.
I am using version 6.4 of Elastic Stack.

Any help would be greatly appreciated.


(Nathan Reese) #2

What do you mean by "remove the dollar sign from the event_data.TargetUserName"?

Are you trying to find documents with or without a '$'?
Or are you trying to display the field with the '$' removed?

You could create a scripted field to remove the '$'. A better solution would be to do this at ingest and remove the '$' in a logstash filter before storing the documents in elasticsearch.

(Tarek Bensoltane) #3

Dear Nathan,
Thank you for taking the time to answer.

I meant I am "trying to display the field with the '$' removed", just as you said.

I'll try to get documented on "ingest" and try to understand what you said. :slight_smile:

Thank you.

(Peter Pisljar) #4

the user in that post was trying to remove results where $ would appear as a last character ....
it seems you still want those results, you just want to remove $ from display ?

(Tarek Bensoltane) #5

Dear Peter,

Sorry I am not good at explaining things.

let's say the "event_data.TargetUserName" shows as a result:


Here, I would like to remove "computerbeta$" and "machinebeta$" from my queries, and keep the other user names.

I hope you understand my goal? :slight_smile:

Best regards,

(Peter Pisljar) #6

where are you entering the query ? you should

  • click "add new filter"
  • click "edit query dsl in the filter popup"
  • enter your query there

(Tarek Bensoltane) #7

Dear Peter,

I do not have access to Kibana at the moment.
I will get right back to you as soon as I get access to Kibana.

Thank you for your help.

(Tarek Bensoltane) #8

Dear Peter,

I did as you said, and pasted this:

"query": {
"regexp": {
"event_data.TargetUserName": "[^$]{1,64}"

But I am still not getting the result that i need.

Best Regards.

(system) #9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.