Majzlik
Reputation: 199
How to negate filter query in Kibana
I'm using ELK stack and I'm trying to find out how to visualize all logs except of those from specific IP ranges (for example 10.0.0.0/8). Is there any way how to negate filter query:
{"wildcard":{"src_address":"10.*"}}
I put it to Buckets -> Split Bars -> Aggregation -> Filters and I would like to negate this query so I got all logs except of those from 10.0.0.0/8
This is the whole JSON request:
{
"query": {
"filtered": {
"query": {
"query_string": {
"query": "low_level_category:\"user_authentication_failure\" AND NOT src_address:\"10.*\"",
"analyze_wildcard": true
}
},
"filter": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gte": 1474384885044,
"lte": 1474989685044,
"format": "epoch_millis"
}
}
}
],
"must_not": []
}
}
}
},
"size": 0,
"aggs": {
"2": {
"date_histogram": {
"field": "@timestamp",
"interval": "3h",
"time_zone": "Europe/Berlin",
"min_doc_count": 200,
"extended_bounds": {
"min": 1474384885043,
"max": 1474989685043
}
},
"aggs": {
"3": {
"terms": {
"field": "src_address.raw",
"size": 5,
"order": {
"_count": "desc"
}
}
}
}
}
}
}
Thanks
Upvotes: 11
Views: 25427
Answers (1)
Val
Reputation: 217314
You can input this in the Kibana search box and it should get you what you need:
NOT src_address:10.*
Upvotes: 25
Related Questions
- Exclude some indexes from elasticsearch query
- Kibana Wildcard "Not" Match in filter
- ElasticSearch query to exclude certain results
- Kibana KQL Visualisation Filter - Exclude one value of list field
- How to filter out (exclude) all results given by Elastic search query DSL in Kibana?
- ElasticSearch exclude result from being filtered where a condition is met
- Exclude results based on key in elasticsearch
- elasticsearch-dsl: Negate a Filter
- Using `not` filter in Elasticsearch
- elasticsearch exclude results with value