Seems I spend more time troubleshooting regexes instead of investigating events... for all the money spent on the tool, it's pretty primitive and time consuming to narrow the data down to what you want.
I figured simple things like ip.dst != 10.0.0.0/8 would simply work... or src.org != 'org name' would work...
How about a better regex guide... I really don't have the time to figure out what works and what doesn't...
Scott,
Irimi,
I've found a workaround for you. If you click the "Custom Drill" button on the toolbar, you can enter your query like this:
filename regex '([0-9a-zA-Z]{20,})'
And it will submit the query correctly without modifying the parens. I've also fixed Investigator 9.8 so that it will not modify the regex. Look for the fix in a future service pack.
Scott
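To check what the two filters discussed in this thread actually select before trusting them inside the tool, here is an added Python example (not part of the original thread, and not the vendor's code). It applies the same unanchored regex from the Custom Drill query, `([0-9a-zA-Z]{20,})`, together with the `ip.dst != 10.0.0.0/8` exclusion the first poster wanted, to a handful of constructed records; the record format and field names are assumptions for illustration only.

```python
import ipaddress
import re

# Regex from the Custom Drill query in the thread. It is unanchored, so it
# matches any filename that merely *contains* a run of 20+ alphanumerics.
LONG_ALNUM = re.compile(r'([0-9a-zA-Z]{20,})')

# Internal range the original poster wanted excluded (ip.dst != 10.0.0.0/8).
INTERNAL = ipaddress.ip_network('10.0.0.0/8')

# Constructed sample records (not real traffic); field names are assumed.
RECORDS = [
    {"ip.dst": "10.1.2.3",     "filename": "q3_report.pdf"},
    {"ip.dst": "203.0.113.7",  "filename": "a1b2c3d4e5f6g7h8i9j0k1.bin"},
    {"ip.dst": "203.0.113.9",  "filename": "setup.exe"},
    {"ip.dst": "10.9.9.9",     "filename": "zxcvbnmasdfghjklqwertyuiop.dll"},
    {"ip.dst": "198.51.100.4", "filename": "update-abcdefghijklmnopqrstuvwxyz.tmp"},
]


def filename_has_long_alnum_run(filename):
    """True if the filename contains 20+ consecutive alphanumerics anywhere."""
    return LONG_ALNUM.search(filename) is not None


def dst_is_external(ip):
    """True if the destination address is outside 10.0.0.0/8."""
    return ipaddress.ip_address(ip) not in INTERNAL


def drill(records):
    """Apply both filters: external destination AND a long alphanumeric run
    in the filename. Returns the matching records in their original order."""
    return [
        r for r in records
        if dst_is_external(r["ip.dst"]) and filename_has_long_alnum_run(r["filename"])
    ]


if __name__ == "__main__":
    for r in drill(RECORDS):
        print(r["ip.dst"], r["filename"])
```

Note that `update-abcdefghijklmnopqrstuvwxyz.tmp` is selected even though the long run is only part of the name; if you want only filenames that are entirely one alphanumeric run, the regex needs anchors, which is exactly the kind of detail worth verifying outside the tool first.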