From 8d31938756f007fe1ae24056c505de04132fe9ad Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Wed, 17 Jan 2024 17:31:14 -0500 Subject: [PATCH] Remove limitation (#4602) (#4624) (cherry picked from commit fa6027e466f96118ca7f904b992439d0821729e1) Co-authored-by: Joe Peeples --- docs/management/admin/event-filters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/management/admin/event-filters.asciidoc b/docs/management/admin/event-filters.asciidoc index 46bac89d91..90845a03e6 100644 --- a/docs/management/admin/event-filters.asciidoc +++ b/docs/management/admin/event-filters.asciidoc @@ -48,7 +48,7 @@ image::images/event-filter.png[] * `is not` * `is one of` * `is not one of` - * `matches`: This is only available for the `file.path.text` field, and allows you to use wildcards in `Value`, such as `C:\path\*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). + * `matches` | `does not match` : Allows you to use wildcards in `Value`, such as `C:\path\*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). + IMPORTANT: Using wildcards in file paths can impact performance. To create a more efficient event filter using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching.
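Review bot: The added `matches` | `does not match` bullet drops the sentence that limited the operator to `file.path.text`, but the unchanged IMPORTANT note directly below still speaks only of "wildcards in file paths", and the one example value is still a file path (`C:\path\*\app.exe`). A reader cannot tell which fields the wildcard operators now accept. Suggest naming the supported fields in the bullet (or saying that any field is allowed, if that is the intent) and rewording the note so its performance guidance also covers non-path fields. The bullet also gives no example for `does not match`. A negated wildcard condition is true for every value that fails the pattern, so a short example, plus a reminder to pair it with a specific condition such as the `process.name` or `file.name` ones the note already mentions, would help readers avoid a filter broader than they meant. Minor: the other operators each get their own bullet, so consider splitting these two, and there is a stray space before the colon in `does not match` :.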