Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

Support IP type #9570

Closed zoulja closed 3 years ago

zoulja commented 3 years ago

Elasticsearch supports field type IP https://www.elastic.co/guide/en/elasticsearch/reference/current/ip.html

PUT my_index/_doc/1
{
  "ip_addr": "192.168.1.1"
}
GET my_index/_search
{
  "query": {
    "term": {
      "ip_addr": "192.168.0.0/16"
    }
  }
}

This is useful when you need to find which subnetworks are affected by some issue. Please add search filter support for this type.

chalfling commented 3 years ago

I think you want this: https://github.com/Graylog2/graylog2-server/issues/8834

zoulja commented 3 years ago

> I think you want this: #8834

Yes, it looks like what I want. But I'm really confused how it works. My field has pure type ip. But I was not able to find anything using the syntax you mentioned: remote_ip:(1.2.3.4/24). Sometimes I get

Elasticsearch exception [type=search_phase_execution_exception, reason=all shards failed].

With another IP/mask I receive

Elasticsearch exception [type=token_mgr_error, reason=token_mgr_error: Lexical error at line 1, column 23. Encountered: after : "/28)"]

chalfling commented 3 years ago

> > I think you want this: #8834
>
> Yes, it looks like what I want. But I'm really confused how it works. My field has pure type ip. But I was not able to find anything using the syntax you mentioned: remote_ip:(1.2.3.4/24). Sometimes I get
>
> Elasticsearch exception [type=search_phase_execution_exception, reason=all shards failed].
>
> With another IP/mask I receive
>
> Elasticsearch exception [type=token_mgr_error, reason=token_mgr_error: Lexical error at line 1, column 23. Encountered: after : "/28)"]

Hello!

Try search like this: remote_ip:(1.2.3.4\/24) OR remote_ip:("1.2.3.4/24")

You'll need to escape with a backslash, or put it in double quotes.
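As an added example (not code from this thread or from the Graylog project), the two forms of the escaped Graylog query above and the Elasticsearch CIDR term query from the first post, built in Python. The helper names, the sample events and the offline match check are constructed for illustration; the local check only mirrors what a term query on an ip-type field returns, it does not call Graylog or Elasticsearch.

```python
import ipaddress

def es_cidr_term_query(field, cidr):
    """Elasticsearch term query body on an `ip` field. For this field type
    Elasticsearch accepts CIDR notation as the term value, as in the first
    post: {"term": {"ip_addr": "192.168.0.0/16"}}."""
    net = ipaddress.ip_network(cidr, strict=False)  # validate; zero host bits
    return {"query": {"term": {field: str(net)}}}

def graylog_cidr_query(field, cidr, style="backslash"):
    """Graylog search query for a CIDR on an ip field. The '/' has to be
    escaped or the value quoted: the Lucene query parser otherwise treats
    '/' as the start of a regular-expression term, which is the lexical
    error seen in the thread. The network is normalised first (1.2.3.4/24
    becomes 1.2.3.0/24), which is an assumption of this helper."""
    net = ipaddress.ip_network(cidr, strict=False)
    if style == "backslash":
        return f"{field}:({str(net).replace('/', chr(92) + '/')})"
    if style == "quoted":
        return f'{field}:("{net}")'
    raise ValueError("style must be 'backslash' or 'quoted'")

# Constructed sample events (not real data)
EVENTS = [
    {"message": "login ok", "remote_ip": "192.168.1.1"},
    {"message": "login failed", "remote_ip": "192.168.77.200"},
    {"message": "login ok", "remote_ip": "10.0.0.5"},
    {"message": "login ok", "remote_ip": "2001:db8::1"},
]

def match_cidr(events, field, cidr):
    """Offline equivalent of the ip-type term query: the events whose field
    holds an address inside the network. Events with a missing or
    unparsable field are skipped, as they would not be indexed as ip."""
    net = ipaddress.ip_network(cidr, strict=False)
    matched = []
    for event in events:
        try:
            addr = ipaddress.ip_address(event[field])
        except (KeyError, ValueError):
            continue
        if addr in net:  # False when the IP versions differ
            matched.append(event)
    return matched
```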

zoulja commented 3 years ago

Great, escaping helped, thanks a lot! Submitted a cross issue to reflect it in the docs.

chalfling commented 3 years ago

> Great, escaping helped, thanks a lot! Submitted a cross issue to reflect it in the docs.

I think this was in the docs: https://docs.graylog.org/en/latest/pages/searching/query_language.html?highlight=search#escaping

dennisoelkers commented 3 years ago

@zoulja, I guess this is not an actual issue, so we can close it?

zoulja commented 3 years ago

@dennisoelkers, yes, let's close it, as it's more of a documentation issue to me; I didn't know this type was already supported.

dennisoelkers commented 3 years ago

Thanks @zoulja!