Using additional-fields as filters ?

[malexe3169]

Is it possible to use the additional-fields as filters ?

I've added the additional-field and it work I see in the data, but I am not able to filter with it.

[jasonish]

This should work, but due to escaping and what characters you choose it is possible I break something along the query path:

• what is your custom fields name and value (or something a close approximation in terms of character set)
• are you adding this with the agent or the server
• elasticesearch?

[malexe3169]

It is added with the agent, with the evebox-agent.yaml like this:

additional-fields:
  sensor-name: "LLLL-LLL-NN"

L = Letter
N = Number

using opensearch 2.8.0

[jasonish]

Try this in the search box:

sensor-name.keyword:"AAAA-BBB-12"

I think what Elasticsearch does is analyzes/tokenizes the value and that is what you are searching against with just sensor-name, however, this often doesn't work for exact matches which the .keyword will work for. Internally EveBox has a table of fields where the keyword variant needs to be used to hide most uses of this.

[malexe3169]

it works, thank you very much!