Aggregation on IP arrays

blueren · July 10, 2024, 8:14am

I have an index with a handful of docs. These docs contain an array "subnets" who's individual elements of of type IP. They contain individual IPs as well as subnets.

Eg>

{
 ....,
 ....,
 subnets: ["192.168.0.0/24", "224.0.0.0"]
 ....

I'm looking to run something similar to terms aggregation, where in my output contains a concatinated array of all the subnets that the query returns.

The below does not work because we can't run terms aggs on IP field. Is there any alertnative?

GET networks/_search
{
  "query": {
    "query_string": {
      "query": "networkType: (org or Default)"
    }
  },
  "_source": [
    "subnets"
  ],
  "aggs": {
    "subnets": {
      "terms": {
        "field": "subnets"
      }
    }
  }
}

Error:

root_cause": [
      {
        "type": "illegal_argument_exception",
        "reason": "Field [subnets] of type [ip_range] is not supported for aggregation [terms]"
      }

Alex_Salgado-Elastic · July 11, 2024, 9:12pm

Could you try it?

GET /networks/_search
{
  "query": {
    "query_string": {
      "query": "(org) OR (Default)",
      "default_field": "networkType"
    }
  },
  "_source": [
    "subnets"
  ],
  "aggs": {
    "unique_subnets": {
      "terms": {
        "field": "subnets",
        "size": 100
      }
    }
  }
}

blueren · July 12, 2024, 6:22am

Alex_Salgado-Elastic:

GET /networks/_search
{
  "query": {
    "query_string": {
      "query": "(org) OR (Default)",
      "default_field": "networkType"
    }
  },
  "_source": [
    "subnets"
  ],
  "aggs": {
    "unique_subnets": {
      "terms": {
        "field": "subnets",
        "size": 100
      }
    }
  }
}

Thanks. But this won't work.

"root_cause": [
      {
        "type": "illegal_argument_exception",
        "reason": "Field [subnets] of type [ip_range] is not supported for aggregation [terms]"
      }

My "subnets" mapping is :

        "subnets": {
          "type": "ip_range"
        }