Cannot query ip address fields using elastic SQL

fporrata · September 17, 2020, 8:37pm

I am using the Kibana console to run a SQL query with an ip field as criteria. Here is the query:

POST /_sql?format=json 
 {
  "query": """SELECT "@timestamp", "destination.ip" FROM "dummyindex"  WHERE "destination.ip" IN ('127.01.01.01', '128.01.01.01') and "@timestamp" > '2020-09-16' """
}

This is the error:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "verification_exception",
        "reason" : "Found 1 problem\nline 1:63: 1st argument of [\"destination.ip\" IN ('127.01.01.01', '128.01.01.01')] must be [ip], found value ['127.01.01.01'] type [keyword]"
      }
    ],
    "type" : "verification_exception",
    "reason" : "Found 1 problem\nline 1:63: 1st argument of [\"destination.ip\" IN ('127.01.01.01', '128.01.01.01')] must be [ip], found value ['127.01.01.01'] type [keyword]"
  },
  "status" : 400
}

Is there a special syntax to query ip fields using SQL?

highlandspring · September 17, 2020, 8:51pm

Is this error not saying the IP is not whitelisted?

fporrata · September 17, 2020, 9:03pm

No, it is looking at the field as a keyword instead of an ip data type and the query does not run

TomonoriSoejima · September 24, 2020, 2:00am

Yeah looks that way and I just ran into the same problem.

TomonoriSoejima · September 24, 2020, 2:14am

I borrowed the idea from https://github.com/elastic/elasticsearch/pull/34758/files/7b43b24fa1dc3c6e9e2f843281cd6c9aa76b8cf9#diff-f9d17e274b4800d6b8f0fa433d1bce17R83 and it is now working for me in this form.

POST _sql
{
  "query":"select count(clientip) from  kibana_sample_data_logs where clientip BETWEEN '129.40.10.1' AND '130.49.143.213'"
}

fporrata · September 24, 2020, 2:33am

Thank you for your answer. THe issue seems to be with the IN clause. The BETWEEN clause works fine. If you try your query like this:

select count(clientip) from  kibana_sample_data_logs where clientip IN ( '129.40.10.1' , '130.49.143.213')

I bet you are going to get the same error. This seems to be a bug in elastic's implementation of SQL using ip addresses.

bogdan.pintea · October 5, 2020, 11:56am

This might be improved, to have the values in the IN set converted to the type of the attribute, but you could also achieve that already by converting them explicitly: ...where clientip IN ( '129.40.10.1'::IP , '130.49.143.213'::ip)

fporrata · October 5, 2020, 2:10pm

Thank you very much. That worked.

system · November 2, 2020, 2:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash ip data type Logstash	2	1025	May 12, 2020
POST SQL query using Python requests - not working Elasticsearch elastic-stack-sql	2	2725	July 12, 2019
Question About search in Kibana Kibana	2	280	November 26, 2020
Getting error while fetching Array field using elasticsearch-sql-cli Elasticsearch elastic-stack-sql	3	1367	February 12, 2021
Unable to search all fields for IP address Kibana	3	605	December 14, 2019

Cannot query ip address fields using elastic SQL

Related topics