elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

User cannot save a filter with ip with CIDR notation value #50520

Open bhavyarm opened 5 years ago

bhavyarm commented 5 years ago

Kibana version: 7.5.0 BC4 same bug in other locations

Elasticsearch version: 7.5.0 BC4 same bug in other locations

Server OS version: darwin_x86_64

Browser version: chrome latest

Browser OS version: OS X

Original install method (e.g. download page, yum, from source, etc.): from staging

Describe the bug: User cannot save a filter if she tries to use an IP value in CIDR notation.

Steps to reproduce:

  1. Ingest documents into ES with the following mapping and create index pattern in Kibana

        PUT ip_addr
        {
          "mappings": {
            "properties": {
              "ip_addr": {
                "type": "ip"
              }
            }
          }
        }

        PUT ip_addr/_doc/1
        {
          "ip_addr": "196.168.1.1"
        }

        PUT ip_addr/_doc/2
        {
          "ip_addr": "196.168.2.1"
        }

     Check to make sure this search works:

        GET ip_addr/_search
        {
          "query": {
            "term": {
              "ip_addr": "196.168.0.0/16"
            }
          }
        }

  2. Create index pattern in Kibana, go to discover ensure that documents are showing up and search works on ip_addr
  3. Create a filter and pick ip_addr and try to give the value of **196.168.0.0/16**
  4. You cannot save the filter
  5. Give the IP value without CIDR notation and then edit the query DSL in the filter and input **196.168.0.0/16**
  6. Kibana saves the filter

**Screenshots (if relevant):**

<img width="1440" alt="cantsave" src="https://user-images.githubusercontent.com/7074629/68800684-91098480-0628-11ea-8e96-dabf0c735eb4.png">

<img width="1440" alt="save_edit_query_dsl" src="https://user-images.githubusercontent.com/7074629/68800726-a54d8180-0628-11ea-9f0d-695863695861.png">

elasticmachine commented 5 years ago

Pinging @elastic/kibana-app (Team:KibanaApp)

elasticmachine commented 4 years ago

Pinging @elastic/kibana-app-arch (Team:AppArch)

jamesharr commented 4 years ago

This is a limitation/frustration I'm having with the user-interface as well. I'm running 7.9.0, but this has been around for a while.

I find myself throwing junk values into the UI-based filter, saving, then going in and editing the DSL to be what I actually want and it works.

Additionally, IPv6 addresses are not recognized. Same thing - you can toss in junk IPv4 values to get a DSL structure, then edit IPv6 in place.

It's worth noting that I've verified from my side that Kibana sees the data type as ip and that server-side data-type is ip as well. If you're targeting any sort of network use-cases, having CIDR-based searches is kind of an expectation.
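The value check this thread asks the filter editor to perform, as an added example (not Kibana source and not written by any commenter): it accepts a single IPv4 or IPv6 address or a CIDR range, rejects junk, and builds the same `term` query body shown in the reproduction steps. All function names are hypothetical.

```javascript
// Added example, not Kibana code. Function names are hypothetical.

// Dotted-quad IPv4: four decimal octets 0-255, no leading zeros.
function isIPv4(text) {
  const parts = text.split('.');
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// IPv6: eight 16-bit hex groups, at most one "::", optional IPv4 tail.
function isIPv6(text) {
  const halves = text.split('::');
  if (halves.length > 2) return false;
  const groups = halves.flatMap((h) => (h === '' ? [] : h.split(':')));
  let count = groups.length;
  const last = groups[groups.length - 1];
  if (last !== undefined && last.includes('.')) {
    // An embedded IPv4 tail is only legal last and fills two groups.
    if (!isIPv4(last)) return false;
    groups.pop();
    count += 1;
  }
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return false;
  // "::" must stand for at least one group; without it all eight are needed.
  return halves.length === 2 ? count <= 7 : count === 8;
}

// Classify a filter value as a single address or a CIDR range; null if neither.
function classifyIpValue(value) {
  const text = String(value).trim();
  const slash = text.indexOf('/');
  const addr = slash === -1 ? text : text.slice(0, slash);
  const family = isIPv4(addr) ? 4 : isIPv6(addr) ? 6 : 0;
  if (family === 0) return null;
  if (slash === -1) return { family, cidr: false };
  const prefix = text.slice(slash + 1);
  const max = family === 4 ? 32 : 128;
  if (!/^\d{1,3}$/.test(prefix) || Number(prefix) > max) return null;
  return { family, cidr: true, prefix: Number(prefix) };
}

// Build the search body from the reproduction steps, refusing invalid input.
function buildIpTermQuery(field, value) {
  if (classifyIpValue(value) === null) {
    throw new Error(`not an IP address or CIDR range: ${value}`);
  }
  return { query: { term: { [field]: String(value).trim() } } };
}
```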

jgregmac commented 3 years ago

I, too, would like to see this issue addressed.

Our Security Operations team makes use of the filtering UI in Kibana, and have been frustrated that they cannot do a CIDR search without dropping back to Lucene/KQL. It confuses them, especially since all of the training they took on Kibana emphasized the use of the filtering UI.

This seems like a simple fix that will net significant productivity gains for people using the Elastic Stack for SIEM and network operations use cases.

-Greg Mackinnon Yale University

toddferg commented 3 years ago

Workaround GIF added: iprangetest

cstegm commented 2 years ago

This is still an issue, while toddferg's workaround works very well....

elasticmachine commented 2 years ago

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

elasticmachine commented 1 month ago

Pinging @elastic/kibana-visualizations (Team:Visualizations)

ghudgins commented 1 week ago

linking a solution in the controls project https://github.com/elastic/kibana/issues/184900