Search For String That Doesn't End With $ In KQL

joshuasmith · October 24, 2019, 6:16pm

Hello,

I am trying to perform a Kibana KQL search on a text field for any value that doesn't end in $

For instance, when parsing Windows Event Logs for successful/unsuccessful logins, I am trying to not show computer accounts (which end with $).

I have looked at sever other questions around this same concept (Regex search where a string field ends with $) but that solution isn't working for me as I it is using lucene, not KQL.

I know that KQL supports wildcards so I was assuming it was going to be a query along the lines of:
not accountName: *$

However that hasn't worked.

While not as clean, I have also been looking for a way to search for any entries that contain a $ anywhere in them but that hasn't worked either.

Any suggestions on how to solve this problem?

Thanks!

Brandon_Kobel · October 24, 2019, 9:32pm

Hey @joshuasmith, unfortunately this isn't currently available. https://github.com/elastic/kibana/issues/46855 is tracking the addition of this feature, if you could give this issue a +1 or comment on it with your unique needs, it'll allow us to prioritize it appropriately.

joshuasmith · October 25, 2019, 12:02am

OK, thanks Brandon, I went ahead and commented on the issue.

system · November 22, 2019, 12:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana KQL: how to search for fields with special characters (eg $) Kibana kql-kibana-query-language	3	7326	July 15, 2021
Regex search where a string field ends with $ Kibana	4	14761	July 6, 2017
Matching a Dollar Sign with a Wildcard using KQL Kibana kql-kibana-query-language	2	1702	January 13, 2021
Kibana filter wildcard Elasticsearch	1	338	November 29, 2018
Kibana 8.2.0 Filter event_data.TargetUserName ending with $ (service accounts etc) Kibana	2	342	July 26, 2022

Search For String That Doesn't End With $ In KQL

Related topics