CIDR filter reports IP6 addresses as invalid

Hey guys, I'm hoping this is an issue on my end rather than an issue with the CIDR filter, but I'm seeing a lot of logstash errors in my CIDR filter relating to certain IP addresses:

[WARN ][logstash.filters.cidr    ] Invalid IP address, skipping {:address=>"%{src}", :event=>#<LogStash::Event:0x54e98d7f>}

My current code relating to that portion is:

cidr {
           address => [ "%{src}" ]
           network_path => "/etc/tables/networks"
           add_field => { "source.internal" => true }
}
mutate {convert => {"source.internal" => "boolean"}}

All the addresses that are triggering the warning are IP6 addresses such as:

2001:2:0:aab1:d94a:844b:7604:ddde
2620:12b:d000:400::1fc5

I'm showing those IP addresses as valid, is there something I'm missing?
Thanks!

This works for me.

input { generator { count => 1 lines => [ '' ] } }
filter {
    mutate { add_field => { "src" => "2001:2:0:aab1:d94a:844b:7604:ddde" } }
    cidr { address => "%{src}" add_field => { "source.internal" => true } network => "2001:2:0::/48" }
}
output { stdout { codec => rubydebug { metadata => false } } }

Are you sure that is the value of your [src] field? Leading or trailing blanks would cause that failure.

It would have been nice if the filter logged the address after it has been sprintf'd.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.