
Using additional-fields as filters ?

Open malexe3169 opened this issue 1 year ago • 4 comments

Is it possible to use the additional-fields as filters ?

I've added the additional-field and it works, I see it in the data, but I am not able to filter with it.

malexe3169 avatar Aug 14 '23 21:08 malexe3169

This should work, but due to escaping and what characters you choose it is possible I break something along the query path:

  • what is your custom fields name and value (or something a close approximation in terms of character set)
  • are you adding this with the agent or the server
  • elasticsearch?

jasonish avatar Aug 15 '23 18:08 jasonish

It is added with the agent, with the evebox-agent.yaml like this:

additional-fields:
  sensor-name: "LLLL-LLL-NN"

L = Letter, N = Number

using opensearch 2.8.0

malexe3169 avatar Aug 15 '23 19:08 malexe3169

Try this in the search box:

sensor-name.keyword:"AAAA-BBB-12"

I think what Elasticsearch does is analyzes/tokenizes the value and that is what you are searching against with just sensor-name, however, this often doesn't work for exact matches which the .keyword will work for. Internally EveBox has a table of fields where the keyword variant needs to be used to hide most uses of this.

jasonish avatar Aug 15 '23 22:08 jasonish
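To make the mechanism jasonish describes concrete, here is an added toy simulation (not EveBox or Elasticsearch code): a dynamically mapped string field is stored twice, as analyzed tokens under the bare name and verbatim under the `.keyword` sub-field, so a term-level filter with the full value only matches on `.keyword`. The analyzer approximation and the sample sensor names are assumptions.

```python
import re
from typing import Dict, List, Union

def standard_analyze(value: str) -> List[str]:
    """Rough stand-in for the default 'standard' analyzer: split on
    non-alphanumeric characters (hyphens included) and lowercase each token."""
    return [tok.lower() for tok in re.findall(r"[0-9A-Za-z]+", value)]

class ToyIndex:
    """Toy model of a dynamically mapped string field: the bare field name
    holds the analyzed tokens ('text'), and '<name>.keyword' holds the raw,
    unanalyzed value, which is what exact-match filters need."""

    def __init__(self) -> None:
        self.docs: List[Dict[str, Union[str, List[str]]]] = []

    def index(self, doc_id: str, field: str, value: str) -> None:
        self.docs.append({
            "_id": doc_id,
            field: standard_analyze(value),     # text field: tokens
            f"{field}.keyword": value,          # keyword sub-field: verbatim
        })

    def term_filter(self, field: str, value: str) -> List[str]:
        """Term-level filter: the value is NOT analyzed; it is compared
        literally against whatever the field stores."""
        hits = []
        for doc in self.docs:
            stored = doc.get(field)
            if stored is None:
                continue
            matched = value in stored if isinstance(stored, list) else value == stored
            if matched:
                hits.append(str(doc["_id"]))
        return hits

# Constructed sample: two sensors following the LLLL-LLL-NN pattern from the thread.
idx = ToyIndex()
idx.index("evt-1", "sensor-name", "AAAA-BBB-12")
idx.index("evt-2", "sensor-name", "AAAA-BBB-13")

def demo() -> Dict[str, List[str]]:
    return {
        "text":    idx.term_filter("sensor-name", "AAAA-BBB-12"),          # [] : stored tokens are aaaa/bbb/12
        "token":   idx.term_filter("sensor-name", "aaaa"),                 # both docs: a single token matches
        "keyword": idx.term_filter("sensor-name.keyword", "AAAA-BBB-12"),  # ['evt-1'] : exact match
    }

if __name__ == "__main__":
    print(demo())
```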

It works, thank you very much!

malexe3169 avatar Aug 15 '23 22:08 malexe3169