Removing the "$" sign from event_data.TargetUserName

Tarek_Bensoltane · September 5, 2018, 3:15pm

Dear All,

I am trying to remove the dollar sign "$" from the event_data.TargetUserName found in the windows event viewer using Winlogbeat.

I have found an answer this article in this forum:

Which shows:
{ "query": { "regexp": { "event_data.TargetUserName": "[^$]{1,64}" } } } as an answer.

But unfortunately, it did not work for me.
I am using version 6.4 of Elastic Stack.

Any help would be greatly appreciated.

Tarek

Nathan_Reese · September 5, 2018, 4:17pm

What do you mean by "remove the dollar sign from the event_data.TargetUserName"?

Are you trying to find documents with or without a '$'?
Or are you trying to display the field with the '$' removed?

You could create a scripted field to remove the '$'. A better solution would be to do this at ingest and remove the '$' in a logstash filter before storing the documents in elasticsearch.

Tarek_Bensoltane · September 6, 2018, 8:49am

Dear Nathan,
Thank you for taking the time to answer.

I meant I am "trying to display the field with the '$' removed", just as you said.

I'll try to get documented on "ingest" and try to understand what you said.

Thank you.

ppisljar · September 6, 2018, 8:54am

the user in that post was trying to remove results where $ would appear as a last character ....
it seems you still want those results, you just want to remove $ from display ?

Tarek_Bensoltane · September 6, 2018, 9:01am

Dear Peter,

Sorry I am not good at explaining things.

let's say the "event_data.TargetUserName" shows as a result:

johnedoe
mattdamon
jamesbon
computerbeta$
machinebeta$

Here, I would like to remove "computerbeta$" and "machinebeta$" from my queries, and keep the other user names.

I hope you understand my goal?

Best regards,

ppisljar · September 6, 2018, 9:33am

where are you entering the query ? you should

click "add new filter"
click "edit query dsl in the filter popup"
enter your query there

Tarek_Bensoltane · September 6, 2018, 9:44am

Dear Peter,

I do not have access to Kibana at the moment.
I will get right back to you as soon as I get access to Kibana.

Thank you for your help.

Tarek_Bensoltane · September 12, 2018, 10:04am

Dear Peter,

I did as you said, and pasted this:

{
"query": {
"regexp": {
"event_data.TargetUserName": "[^$]{1,64}"
}
}
}

But I am still not getting the result that i need.

Best Regards.

system · October 10, 2018, 10:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.