
Filter functionality changed in 0.17.1, no negation possible #266

Closed
shoenix opened this issue Apr 12, 2023 · 3 comments

@shoenix

shoenix commented Apr 12, 2023

I updated from 0.16 to 0.17.1 and the filter functionality seems to have changed. In 0.16 I could use 'alert.severity:1 -DNS', but the negation of DNS seems to get lost, so this now shows all severity 1 DNS events except all severity 1 events excluding DNS events.

I have found no way to use a negated filter pattern (!, NOT, etc.) which greatly clutters the screen.

Also, documentation seems to be lacking for the filter syntax. Older posts I found say that this filter is passed as a query_string to ES, but this no longer seems to be the case.

Could we please get some clarity on the syntax? And can the negation option for filters be brought back?

@jasonish
Owner

The following should work:

alert.severity:1 "NOT DNS"

Yeah, it's not documented well as it's in a bit of a state of change. What happens above is:

  • alert.severity:1 is parsed by EveBox which then composes it into a term query for Elastic, or a field match in SQL. Optionally it may remap the field as needed (Elastic ECS).
  • The quoted string of "NOT DNS" is passed to the underlying database's full-text query language, in your case Elastic. Some escaping I added broke your negation; however, NOT should still work. I think I still need to escape - just when it's not at the beginning of a word.
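As an added illustration of the two-stage handling described in the comment above (this is not EveBox's own code; the function names, the token grammar and the escaping rule are assumptions): bare field:value tokens become Elastic term filters, quoted text is handed to query_string, and the escaping helper leaves a leading "-" alone so negation survives. A flag shows the over-escaped form that would turn "-DNS" into a literal search for "-DNS".

```python
import re
import shlex

# Reserved characters in Elasticsearch's query_string syntax; a backslash
# escape makes them literal. A leading '-' or '+' on a word is an operator.
QUERY_STRING_SPECIAL = set('+-=&|><!(){}[]^"~*?:\\/')


def escape_query_string(text, keep_leading_sign=True):
    """Escape reserved characters in free text for query_string.

    With keep_leading_sign=True a leading '-' or '+' is left untouched so that
    '-DNS' still negates. With False every '-' is escaped, which is the kind
    of over-escaping that makes '-DNS' match the literal string instead.
    (Assumed policy, modelled on the discussion above, not EveBox's code.)
    """
    words = []
    for word in text.split():
        prefix = ''
        if keep_leading_sign and word[0] in '-+':
            prefix, word = word[0], word[1:]
        escaped = ''.join('\\' + c if c in QUERY_STRING_SPECIAL else c for c in word)
        words.append(prefix + escaped)
    return ' '.join(words)


def parse_filter(filter_text):
    """Split e.g. 'alert.severity:1 "NOT DNS"' into field terms and free text.

    shlex strips the quotes; a token shaped like field:value becomes a term,
    everything else is free text for the full-text engine. Hypothetical grammar.
    """
    terms, free_text = {}, []
    for token in shlex.split(filter_text):
        m = re.fullmatch(r'([A-Za-z0-9_.]+):(.+)', token)
        if m:
            terms[m.group(1)] = m.group(2)
        else:
            free_text.append(token)
    return terms, free_text


def build_es_query(filter_text, keep_leading_sign=True):
    """Compose a bool query: one term filter per field, one query_string for text."""
    terms, free_text = parse_filter(filter_text)
    clauses = [{"term": {field: value}} for field, value in terms.items()]
    if free_text:
        query = escape_query_string(' '.join(free_text), keep_leading_sign)
        clauses.append({"query_string": {"query": query}})
    return {"query": {"bool": {"filter": clauses}}}
```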

jasonish added a commit that referenced this issue Apr 13, 2023
Appears to not be needed.

Issue: #266
@jasonish
Owner

Fixed in main branch. Release shouldn't be too far away.

@jasonish jasonish added this to the 0.17.2 milestone Apr 13, 2023
@shoenix
Author

shoenix commented Apr 13, 2023

You have been busy, so thank you for your quick replies and solution! I had tried many combinations, but I made a typo and tried "not DNS" instead of "NOT DNS", I see in my history :) In any way, your suggestion works until the fixed version is released, so I'm happy. Thanks for your great work!

jasonish added a commit that referenced this issue Jun 28, 2023
Appears to not be needed.

Issue: #266