Dear All,
I am trying to remove the dollar sign "$" from the event_data.TargetUserName found in the windows event viewer using Winlogbeat.
I have found an answer this article in this forum:
Which shows:
{ "query": { "regexp": { "event_data.TargetUserName": "[^$]{1,64}" } } } as an answer.
But unfortunately, it did not work for me.
I am using version 6.4 of Elastic Stack.
Any help would be greatly appreciated.
Tarek
What do you mean by "remove the dollar sign from the event_data.TargetUserName"?
Are you trying to find documents with or without a '$'?
Or are you trying to display the field with the '$' removed?
You could create a scripted field to remove the '$'. A better solution would be to do this at ingest and remove the '$' in a logstash filter before storing the documents in elasticsearch.
Dear Nathan,
Thank you for taking the time to answer.
I meant I am "trying to display the field with the '$' removed", just as you said.
I'll try to get documented on "ingest" and try to understand what you said. 
Thank you.
the user in that post was trying to remove results where $ would appear as a last character ....
it seems you still want those results, you just want to remove $ from display ?
Dear Peter,
Sorry I am not good at explaining things.
let's say the "event_data.TargetUserName" shows as a result:
johnedoe
mattdamon
jamesbon
computerbeta$
machinebeta$
Here, I would like to remove "computerbeta$" and "machinebeta$" from my queries, and keep the other user names.
I hope you understand my goal?
Best regards,
where are you entering the query ? you should
Dear Peter,
I do not have access to Kibana at the moment.
I will get right back to you as soon as I get access to Kibana.
Thank you for your help.
Dear Peter,
I did as you said, and pasted this:
{
"query": {
"regexp": {
"event_data.TargetUserName": "[^$]{1,64}"
}
}
}
But I am still not getting the result that i need.
Best Regards.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.