From e146a60b7a802f1c72b5dd59789a1761624234d1 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Wed, 17 Jan 2024 17:09:47 -0500 Subject: [PATCH] Remove limitation (#4602) (cherry picked from commit fa6027e466f96118ca7f904b992439d0821729e1) --- docs/management/admin/event-filters.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/management/admin/event-filters.asciidoc b/docs/management/admin/event-filters.asciidoc index 46bac89d91..90845a03e6 100644 --- a/docs/management/admin/event-filters.asciidoc +++ b/docs/management/admin/event-filters.asciidoc @@ -48,7 +48,7 @@ image::images/event-filter.png[] * `is not` * `is one of` * `is not one of` - * `matches`: This is only available for the `file.path.text` field, and allows you to use wildcards in `Value`, such as `C:\path\*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). + * `matches` | `does not match` : Allows you to use wildcards in `Value`, such as `C:\path\*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). + IMPORTANT: Using wildcards in file paths can impact performance. To create a more efficient event filter using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching.
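Review bot: The reworded `matches` | `does not match` bullet drops the `file.path.text` restriction without saying which fields now accept wildcards, and the unchanged IMPORTANT note right after it still speaks only of "wildcards in file paths". Suggest stating the supported field scope in the bullet and widening the note's wording to match, since the only example left (`C:\path\*\app.exe`) is still a file path. The negated operator also deserves a sentence of its own: with `does not match`, a wildcard pattern makes the condition true for every value outside the pattern, so the existing advice to add specific `process.name` or `file.name` conditions matters most there. On style, the neighbouring operators are listed one per bullet, so consider splitting the two operators into separate bullets and removing the space before the colon in `does not match` :.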