Help me create a search query
14 views
Skip to first unread message
Александр Коледа
Nov 4, 2025, 9:54:59 AM (15 hours ago) Nov 4
to Wazuh | Mailing List
Hello, please help me create a search query.
I have events that contain the field data.win.eventdata.objectName, and the values for these fields are D:\\UserFiles\\GeneralTables\\Folder1, D:\\UserFiles\\GeneralTables\\Folder2, D:\\UserFiles\\GeneralTables\\Folder3, and so on.
How can I create a search query to select all events containing part of the field value (D:\\UserFiles\\GeneralTables\\Folder*). Wildcards don't work in the search.
I have events that contain the field data.win.eventdata.objectName, and the values for these fields are D:\\UserFiles\\GeneralTables\\Folder1, D:\\UserFiles\\GeneralTables\\Folder2, D:\\UserFiles\\GeneralTables\\Folder3, and so on.
How can I create a search query to select all events containing part of the field value (D:\\UserFiles\\GeneralTables\\Folder*). Wildcards don't work in the search.
Manuel Pedro Gomez Castro
Nov 4, 2025, 10:42:46 AM (14 hours ago) Nov 4
to Wazuh | Mailing List
Hi!
I've run a test on my local environment and it would seem that wildcards are allowed on the search field
I've run a test on my local environment and it would seem that wildcards are allowed on the search field
In order to run the query you are attempting, you would need to escape the colon as well, so it would likely look something like
data.win.eventdata.objectName: D\:\\UserFiles\\GeneralTables\\Folder*
data.win.eventdata.objectName: D\:\\UserFiles\\GeneralTables\\Folder*
Reply all
Reply to author
Forward
0 new messages