jasonish / evebox

Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search
https://evebox.org/
MIT License

Unable to negate a phrase in the query string #275

Closed jasonish closed 1 year ago

jasonish commented 1 year ago

For example, "NOT ET INFO", or !"ET INFO", doesn't do what you might expect it to.

malexe3169 commented 1 year ago

Is there a workaround to filter out a query string?

jasonish commented 1 year ago

No, but I have a fix nearly done that should work with Elasticsearch and SQLite. It lets me create a query like:

dns -"et info" -"et dns"

to match all events containing dns, but exclude all those with et info or et dns. Would that work for your use cases?
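As an added illustration of the `-"phrase"` negation syntax described above (example code, not EveBox's own query parser): the tokenizer treats a leading `-` as negation and double quotes as phrase grouping, then filters constructed EVE records. The match semantics (case-insensitive substring over the serialized event) and the function names are assumptions for this example.

```python
import json
import re
from typing import Dict, List, Tuple

# One token is either an optionally negated quoted phrase or an optionally
# negated bare word. Quotes keep "et info" as a single term.
TOKEN_RE = re.compile(r'(-?)"([^"]*)"|(-?)(\S+)')


def parse_query(query: str) -> List[Tuple[bool, str]]:
    """Return (negated, term) pairs; terms are lower-cased for matching."""
    terms = []
    for m in TOKEN_RE.finditer(query):
        if m.group(2) is not None:          # quoted phrase branch
            neg, term = m.group(1), m.group(2)
        else:                               # bare word branch
            neg, term = m.group(3), m.group(4)
        if term:
            terms.append((neg == "-", term.lower()))
    return terms


def event_text(event: Dict) -> str:
    """Flatten an EVE record to lower-case text (assumed search semantics)."""
    return json.dumps(event, sort_keys=True).lower()


def matches(event: Dict, terms: List[Tuple[bool, str]]) -> bool:
    """Every positive term must be present and every negated term absent."""
    text = event_text(event)
    return all((term in text) != negated for negated, term in terms)


def filter_events(events: List[Dict], query: str) -> List[Dict]:
    terms = parse_query(query)
    return [e for e in events if matches(e, terms)]


# Constructed sample EVE records (not captured from a real sensor).
EVENTS = [
    {"event_type": "dns", "dns": {"type": "query", "rrname": "www.example.com"}},
    {"event_type": "alert", "alert": {"signature": "ET INFO Observed DNS Query to .cloud TLD"}},
    {"event_type": "alert", "alert": {"signature": "ET DNS Query for .to TLD"}},
    {"event_type": "alert", "alert": {"signature": "ET POLICY DNS Update From External Host"}},
    {"event_type": "http", "http": {"hostname": "www.example.com"}},
]

if __name__ == "__main__":
    for e in filter_events(EVENTS, 'dns -"et info" -"et dns"'):
        print(json.dumps(e))
```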