Excluding Character when Searching


(Adam Kaczor) #1

Hello, I am collecting logs from our domain controllers and trying to filter results by EventID and TargetUserName. I can do that no problem. What I also want to do is exclude any TargetUserName fields that end in $ (essentially excluding any computer accounts). I have not found a way to do this yet. If anyone has any suggestions on how to do this I would appreciate it. Thank you!


#2

So you want to use a wildcard character at the start of the filter?
In this case you have to enable it in Graylog’s server.conf:
allow_leading_wildcard_searches = true