Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

Query IP Address by CIDR #8834

Open chalfling opened 4 years ago

chalfling commented 4 years ago

What?

Today, to search the CIDR subnet 10.0.0.0/8, I need to do 10.* in the query search. This is simple, but for other subnets it is much more complicated.

Why?

If I want to query RFC1918, what do I need to do? (10. OR 192.168. OR 172.16. OR 172.17. OR 172.18. OR 172.19. OR 172.20. OR 172.21. OR 172.22. OR 172.23. OR 172.24. OR 172.25. OR 172.26. OR 172.27. OR 172.28. OR 172.29. OR 172.30. OR 172.31.)

With CIDR search, what would I need to do? (10.0.0.0/8 OR 192.168.0.0/16 OR 172.16.0.0/12)

Your Environment

dennisoelkers commented 4 years ago

Thanks for your feedback, @chalfling!

You should be able to do this when you define the field you are querying to be of type ip.

chalfling commented 4 years ago

@dennisoelkers Thank you for your reply!

I'll test that right now.

If someone needs to search without the field type, I wrote a regex: /(172.<16-31>.[0-9]+.)|(10.[0-9]+.)|(192.168.[0-9]+.*)/

Thank you!
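An added example (not code from this thread or from the Graylog project) that lines up the two approaches discussed above: the CIDR term query for a field mapped as type ip, and a generated regex for a field left as string. It goes beyond the /8, /12 and /16 cases in the thread by deriving the per-octet ranges for any IPv4 prefix length, and it checks the generated regex against Python's ipaddress module on constructed sample addresses. The field name srcip comes from the thread; the Lucene numeric-interval syntax <16-31> used in the regex above is not understood by Python's re, so the boundary octet is enumerated instead.

```python
import ipaddress
import re

# The RFC1918 ranges from the thread.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Matches exactly one decimal octet 0-255. Written with [0-9] classes and plain
# alternation so the same text is accepted by Python's re and by Lucene regexp
# (Lucene has no \d shorthand).
OCTET = "(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])"


def ip_field_query(field, cidrs):
    """Query string for a field mapped as type ip: each CIDR is a term, with the
    slash escaped as in the thread (srcip:(172.16.0.0\\/12))."""
    terms = " OR ".join(c.replace("/", "\\/") for c in cidrs)
    return f"{field}:({terms})"


def cidr_to_regex(cidr):
    """Dotted-quad regex equivalent to an IPv4 CIDR, for a string-typed field.

    Inside a CIDR block every octet varies independently, so the block is the
    product of four per-octet ranges: octets above the prefix boundary are
    fixed, the boundary octet is a contiguous range (enumerated, since Python's
    re lacks Lucene's <16-31> interval syntax), and octets below it are 0-255.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    first, last = int(net.network_address), int(net.broadcast_address)
    parts = []
    for i in range(4):
        shift = 8 * (3 - i)
        lo, hi = (first >> shift) & 0xFF, (last >> shift) & 0xFF
        if lo == hi:
            parts.append(str(lo))
        elif (lo, hi) == (0, 255):
            parts.append(OCTET)
        else:
            parts.append("(" + "|".join(str(n) for n in range(lo, hi + 1)) + ")")
    return r"\.".join(parts)


def string_field_query(field, cidrs):
    """Regex query (field:/.../) for the same CIDRs against a string field."""
    return f"{field}:/(" + "|".join(cidr_to_regex(c) for c in cidrs) + ")/"


def is_private(ip, cidrs=RFC1918):
    """Reference answer computed by ipaddress, independent of any regex."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


# Constructed sample addresses on both sides of each range boundary.
SAMPLE_IPS = ["10.1.2.3", "9.255.255.255", "172.16.0.1", "172.31.255.254",
              "172.32.0.1", "172.15.0.1", "192.168.10.5", "192.169.0.1", "8.8.8.8"]


def regex_agrees_with_ipaddress(ips=SAMPLE_IPS, cidrs=RFC1918):
    """True when the generated regex and ipaddress classify every sample alike."""
    pat = re.compile("(" + "|".join(cidr_to_regex(c) for c in cidrs) + ")")
    return all(bool(pat.fullmatch(ip)) == is_private(ip, cidrs) for ip in ips)


if __name__ == "__main__":
    print(ip_field_query("srcip", RFC1918))
    print(string_field_query("srcip", RFC1918))
    print("regex agrees with ipaddress:", regex_agrees_with_ipaddress())
```

The regex route only matches the literal text of the field, so it is worth keeping the ipaddress cross-check when extending it to other prefixes; a wrong octet range silently drops or adds hosts to a detection rule. Mapping the field as ip remains the cleaner option, since Elasticsearch then evaluates the CIDR itself.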

chalfling commented 4 years ago

Hi @dennisoelkers !

I updated my field mapping to ip type, but now I can't "Show top values" anymore =/

query: srcip:(172.16.0.0\/12) now works.

ip type "Show top values" issue: (screenshot: Screenshot_20200820_225800)

Thank you!

dennisoelkers commented 4 years ago

After updating your field type, you now have some indices (from before the change) that index the field as string, some (from after the change) indexing it as ip. This is why it shows up as compound field and prevents you from performing aggregations on it. What you can do now is either reduce your time range to include only indices containing the field as ip, or remove the indices from before the change (if you can do so).

chalfling commented 4 years ago

> After updating your field type, you now have some indices (from before the change) that index the field as string, some (from after the change) indexing it as ip. This is why it shows up as compound field and prevents you from performing aggregations on it. What you can do now is either reduce your time range to include only indices containing the field as ip, or remove the indices from before the change (if you can do so).

Hello @dennisoelkers, thank you for your reply.

I can't remove indices. From the change up to today I have 4 more new indices. My time range is "last 5 minutes". I also restarted my cluster (elasticsearch+graylog+mongodb).

Same problem: compound(ip,string)

Is there another way?

Thank you!

dennisoelkers commented 4 years ago

Probably not. The problem will solve itself once the indices where the field is a string are not used anymore, as they become too old.

chalfling commented 4 years ago

I'll wait.

Thank you.