Hello,
I'm trying to create a wildcard filter that filters on paths starting with c:\git*
But:
{
"query": {
"wildcard": {
"process.working_directory": {
"value": "c:\\git\\*"
}
}
}
}
is not working. And escaping the ':', as suggested in Wildcard query with a file path - Search for c:\users\public* results in:
How should I handle this?
Grtz
Willem
I don't think the colon needs to be escaped in the query DSL value. It needs to be escaped in the linked topic because : is part of the Lucene query parser syntax which separates a target field from the search term.
When you say "is not working", does
Thanks for your answer @forloop
When I use the following in a Kibana KQL query:
process.working_directory : C:\\WINDOWS\\*
It does not work, but when I escape the colon:
process.working_directory : C\:\\WINDOWS\\*
I'm getting the expected results. But in Elastic detections I cannot work with a query and I need to exclude with a filter based on a combination of process.name and process.working_directory.
But when I use a filter with a wildcard query, I never seem to get the expected results.
All of the above does not filter on c:\WINDOWS\*
So how should I format a wildcard filter containing backslashes, so I can use it in a Kibana filter?
Willem
(autoclose-prevention)
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.