Versions : OpenSearch 2.9.0/Dashboard 2.9.0/Ubuntu(Docker)/Chrome and Safari
Describe the issue:
Actually, I’m trying to create an alert that will be triggered by data from the message field, but I ran into an issue: I can’t filter the needed documents from the index via a query.
in my case I want to return values like:
[Classification: Attempted Information Leak] [Priority: 2] {icmp} 10.1.205.101->208.67.222.222
and I also want to see only the situations where this happened inside our internal network, not outside, e.g.:
[Classification: Attempted Information Leak] [Priority: 2] {icmp} 10.1.205.101->10.1.200.200
So in my head, I planned to filter values by query like:
```json
"query": {
  "match_phrase": {
    "message": {
      "query": "->10.*"
    }
  }
}
```
This is the only part of the message that indicates the action happened inside the internal network, BUT that DSL or Lucene syntax doesn’t allow me to create a query with the character “>”.
I tried the options:
```text
message: "\\>10.*"
```
and regexp option:
```json
"query": {
  "regexp": {
    "message": {
      "value": ">10.*"
    }
  }
}
```
but nothing works.
Does anybody know if it is possible to filter on exactly the characters I want?
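The following is an added example, not part of the original post and not OpenSearch's own code. It illustrates the two points a practitioner checks before blaming the `>` character: `match_phrase` runs against the analyzed `message` text field, where the standard analyzer has already discarded punctuation such as `->`, so the phrase can never be found there; and a `regexp` query is anchored to the whole field value and treats `.` as a metacharacter, so `">10.*"` is not the pattern that was intended. The example builds a `regexp` query against the unanalyzed `message.keyword` subfield (the assumption being the default dynamic mapping that gives a text field a `.keyword` subfield, with its default `ignore_above` of 256 characters), and verifies the same pattern locally with Python's `re.fullmatch`, which mirrors Lucene's whole-value anchoring, against a few constructed sample messages modelled on the lines in the post.

```python
import json
import re

# Constructed sample events, modelled on the Snort-style lines quoted in the post.
SAMPLE_MESSAGES = [
    "[Classification: Attempted Information Leak] [Priority: 2] {icmp} 10.1.205.101->208.67.222.222",
    "[Classification: Attempted Information Leak] [Priority: 2] {icmp} 10.1.205.101->10.1.200.200",
    "[Classification: Attempted Information Leak] [Priority: 2] {icmp} 10.1.205.101->100.64.0.1",
]

# Lucene regexp syntax (used by the OpenSearch "regexp" query):
#   - the pattern must match the WHOLE field value, so it needs a leading ".*"
#   - "." is a metacharacter and must be escaped to match a literal dot
#   - ">" and "-" have no special meaning outside a character class
# Requiring a full dotted quad after "->10." avoids matching e.g. "->100.64.0.1".
INTERNAL_DST_LUCENE_REGEX = r".*->10\.[0-9]+\.[0-9]+\.[0-9]+"


def build_internal_dst_query(field: str = "message.keyword") -> dict:
    """Return the query DSL body for 'destination is inside 10.0.0.0/8'.

    Assumption: the index uses the default dynamic mapping, so the text field
    "message" has an unanalyzed "message.keyword" subfield.  Values longer than
    its default ignore_above (256) are not indexed there and would be missed.
    """
    return {"query": {"regexp": {field: {"value": INTERNAL_DST_LUCENE_REGEX}}}}


# The same pattern is valid Python regex; re.fullmatch reproduces Lucene's
# whole-value anchoring so the local check behaves like the server-side one.
_LOCAL_PATTERN = re.compile(INTERNAL_DST_LUCENE_REGEX)


def is_internal_destination(message: str) -> bool:
    """True when the '->' target address starts with '10.' (a 10/8 destination)."""
    return _LOCAL_PATTERN.fullmatch(message) is not None


def filter_internal(messages) -> list:
    """Apply the same filter the regexp query would apply, over local samples."""
    return [m for m in messages if is_internal_destination(m)]


if __name__ == "__main__":
    # The JSON body to send to POST /<index>/_search
    print(json.dumps(build_internal_dst_query(), indent=2))
    for line in filter_internal(SAMPLE_MESSAGES):
        print("internal:", line)
```

Send the printed body to the index's `_search` endpoint; the same `regexp` clause can be used as the query in a monitor's extraction query. If the index was created with an explicit mapping that lacks a `keyword` subfield, the field has to be reindexed with one, because the analyzed text field cannot preserve `->` no matter how the query is escaped.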