Elasticsearch: Search for IP addresses with CIDR notation, in query_string

Created on 26 Aug 2014 · 22Comments · Source: elastic/elasticsearch

Today we can search for ranges IP addresses in fields with a query string query like this:
ip_address:[10.0.0.0 TO 10.255.255.255]

It would be great if we could do:
ip_address:10.0.0.0/8 or ip_address:10/8.

This is mostly useful in kibana, where all queries are sent at query_string queries. I understand that ip_range aggregation currently supports this. Would be nice in a QSQ :-)

:SearcSearch >feature help wanted

Source

avleen

👍2

Most helpful comment

Can please someone tell me how to use it in Kibana? I use elasticsearch 5.6.4 and kibana 5.6.
We push netflows from a cisco asa to elasticsearch. I don't want to see the private networks. So I tried the query filter netflow.ipv4_src_addr: "172.16.0.0/16" but that doesn't work.

Edit:
I found the problem. The fields in the index were wrong. I had to reindex the index. I found the solution here: https://www.elastic.co/guide/en/elasticsearch/reference/6.0/docs-reindex.html

Before I copied the data in the new index, I edited the mappings in the template for the fields netflow.ipv4_src_addr and netflow.ipv4_dst_addr to ip:

"netflow": {
          "dynamic": true,
          "properties": {
            "ipv4_src_addr": {
              "type": "ip"
            },
            "ipv4_dst_addr": {
              "type": "ip"
            },
            "xlate_src_addr_ipv4": {
              "type": "ip"
            },
            "xlate_dst_addr_ipv4": {
              "type": "ip"
            }
          }
        }

marvinwankersteen on 10 Nov 2017

👍2

All 22 comments

+1 This would be a big help if we could search without the ranges.

td-edge on 8 Jan 2015

webmstr on 31 Jan 2015

zaakiy on 24 Feb 2015

Pytlicek on 24 Mar 2015

but
"must_not": [
{
"query_string": {
"query": "clientip:[10.44.0.0 TO 10.44.255.255]"
}
}
]
can not work well

JiounDai on 25 Mar 2015

ajmurmann on 31 Mar 2015

torrancew on 31 Mar 2015

anujsrc on 16 Apr 2015

SrikanthKS on 8 Jul 2015

xande on 22 Jul 2015

jjunqueira on 23 Jul 2015

kjelle on 19 Aug 2015

How to use this?

LxiaoGirl on 20 Aug 2015

djwmarks on 29 Aug 2015

daguy666 on 2 Sep 2015

kiwiz on 2 Sep 2015

orangey on 23 Sep 2015

german23 on 29 Sep 2015

pemontto on 7 Oct 2015

Closed via #14773

jpountz on 20 Nov 2015

Our whole life is CIDR. +infinity!

ave19 on 20 Oct 2016

❤2

Edit:
I found the problem. The fields in the index were wrong. I had to reindex the index. I found the solution here: https://www.elastic.co/guide/en/elasticsearch/reference/6.0/docs-reindex.html

Before I copied the data in the new index, I edited the mappings in the template for the fields netflow.ipv4_src_addr and netflow.ipv4_dst_addr to ip:

"netflow": {
          "dynamic": true,
          "properties": {
            "ipv4_src_addr": {
              "type": "ip"
            },
            "ipv4_dst_addr": {
              "type": "ip"
            },
            "xlate_src_addr_ipv4": {
              "type": "ip"
            },
            "xlate_dst_addr_ipv4": {
              "type": "ip"
            }
          }
        }

marvinwankersteen on 10 Nov 2017

👍2

Was this page helpful?

0 / 5 - 0 ratings