Excluding Character when Searching

(Adam Kaczor) #1

Hello, I am collecting logs from our domain controllers and trying to filter results by EventID and TargetUserName. I can do that no problem. What I also want to do is exclude any TargetUserName fields that end in $ (essentially excluding any computer accounts). I have not found a way to do this yet. If anyone as any suggestions on how to do this I would appreciate it. Thank you!



So you want to use a wildcard character at the start of the filter?
In this case you have to enable it in graylog’s server.conf
allow_leading_wildcard_searches = true


(system) closed #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.