Closed shoenix closed 1 year ago
The following should work:
`alert.severity:1 "NOT DNS"`
Yeah, it's not documented well as it's in a bit of a state of change. What happens above is:

`alert.severity:1` is parsed by EveBox, which then composes it into a term query for Elastic, or a field match in SQL. Optionally it may remap the field as needed (Elastic ECS).

`"NOT DNS"` is passed to the underlying database's full text query language, in your case Elastic. Some escaping I added broke your negation, however `NOT` should still work. I think I still need to escape `-` just when it's not at the beginning of a word.

Fixed in main branch. Release shouldn't be too far away.
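The split described above, as an added illustration that is not EveBox's own code: `field:value` tokens become term queries, bare words are escaped for Elasticsearch's `query_string` syntax while a leading `-` is left alone, and a quoted group is assumed to be EveBox-level grouping whose content is passed through verbatim. The `keep_leading_negation=False` path reproduces the over-escaping that lost the `-DNS` exclusion.

```python
import re

# Characters that Elasticsearch's query_string syntax reserves as operators.
ES_RESERVED = set('+-=&|><!(){}[]^"~*?:\\/')
# A token is either a double-quoted group or a run of non-space characters.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# field:value, where the field is an EVE path such as alert.severity.
FIELD_RE = re.compile(r"^([A-Za-z_][\w.]*):(.+)$")


def escape_fulltext(word, keep_leading_negation=True):
    """Escape a bare word for query_string, keeping a leading '-' unescaped.

    keep_leading_negation=False reproduces the reported bug: the leading '-'
    is escaped too, so '-DNS' becomes a literal search instead of an exclusion.
    """
    prefix = ""
    if keep_leading_negation and word.startswith("-"):
        prefix, word = "-", word[1:]
    return prefix + "".join("\\" + c if c in ES_RESERVED else c for c in word)


def parse_filter(text, keep_leading_negation=True):
    """Split an EveBox-style filter into field terms and a full-text string."""
    terms, fulltext = {}, []
    for quoted, bare in TOKEN_RE.findall(text):
        if not bare:
            # Quoted group (assumed to be EveBox-level grouping): the content is
            # handed to the database's full-text syntax untouched, so "NOT DNS"
            # reaches query_string as the NOT operator and the term DNS. Note
            # that query_string only treats upper-case NOT as an operator.
            if quoted:
                fulltext.append(quoted)
            continue
        m = FIELD_RE.match(bare)
        if m:
            terms[m.group(1)] = m.group(2)  # becomes a term query on that field
        else:
            fulltext.append(escape_fulltext(bare, keep_leading_negation))
    return terms, " ".join(fulltext)


def build_es_query(text, keep_leading_negation=True):
    """Compose the parsed filter into an Elasticsearch bool query body."""
    terms, fulltext = parse_filter(text, keep_leading_negation)
    clauses = [{"term": {field: value}} for field, value in terms.items()]
    if fulltext:
        clauses.append({"query_string": {"query": fulltext}})
    return {"bool": {"filter": clauses}}


if __name__ == "__main__":
    print(build_es_query("alert.severity:1 -DNS"))  # exclusion preserved
    print(build_es_query("alert.severity:1 -DNS", keep_leading_negation=False))
```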
You have been busy, so thank you for your quick replies and solution! I had tried many combinations, but I see in my history that I made a typo and tried "not DNS" instead of "NOT DNS" :) In any case, your suggestion works until the fixed version is released, so I'm happy. Thanks for your great work!
I updated from 0.16 to 0.17.1 and the filter functionality seems to have changed. In 0.16 I could use `alert.severity:1 -DNS`, but the negation of DNS seems to get lost, so this now shows all severity 1 DNS events instead of all severity 1 events excluding DNS events.
I have found no way to use a negated filter pattern (!, NOT, etc.), which greatly clutters the screen.
Also, documentation seems to be lacking for the filter syntax. Older posts I found say that this filter is passed as query_string to ES, but this no longer seems to be the case.
Could we please get some clarity on the syntax? And can the negation option for filters be brought back?