Count unique IP ranges from IPs


(WillyWonka) #1

Hi guys,

I want to create a Visualization that shows the total amount of different IP ranges.

Currently I have a Visualization that counts ALL unique IP addresses from servers that connect with our server. However, this results in a count of lots of unique IPs (/32) like:
1.1.1.1
1.1.1.2
1.1.1.3

= 3 unique values

instead of

1.1.1.0/24

= 1 unique value

Is there a way to Count these /24 ranges?


(Matt Bargar) #2

The IP range aggregation would be one option, but you would have to define your ranges up front. If that's not doable you might be able write a scripted field that returns the /24 ranges that you want. I haven't played with IP fields in Painless recently so I'm not 100% sure if that will work or not off the top of my head. You could also create an additional field at index time with the data you want so that you can do a simple terms agg on it.


(WillyWonka) #3

Thanks. Aggregation and defining ranges isn't an option. That would be a LOT of work :P.
I tried the scripted fields but the type field doesn't support IP types it seems.
It does support String values, but then I get:

"type": "circuit_breaking_exception",
"reason": "[script] Too many dynamic script compilations within, max: [75/5m]; please use indexed, or scripts with parameters instead; this limit can be changed by the [script.max_compilations_rate] setting",

Because it has to store all the values with a regex.

I'm using this:

// capture the first three octets; find() is used because the pattern only covers the prefix, not the whole address
def m = /^(\d+\.\d+\.\d+)\./.matcher(doc['ClientIPAddress.keyword'].value);
if (m.find()) {
    return m.group(1);
} else {
    return "no match";
}

So an IP like 192.125.12.12 will be saved as 192.125.12.
Basically removing the last part. Then filtering unique values would tell us the actual IP blocks /24 ranges. We also have an indexed IP field, however scripted fields don't show the IP type field as an option.



(WillyWonka) #4

SOLUTION:
We added a scripted field to basically remove the last block of an IP.
When filtering on this value we get the count of unique IP ranges with /24.

Looks like this:

def net = doc['<PLACE YOUR IP FIELD HERE>'].value;
if (net != null) {
    int dotpos = net.lastIndexOf('.');
    if (dotpos > 0) {
        return net.substring(0, dotpos);
    }
}
return "";
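The same collapsing done offline in Python, as an added example that is not from this thread or from Elastic: it uses the standard `ipaddress` module so it works for any prefix length (the string-chop trick above only works at octet boundaries), handles IPv6, and counts missing or malformed values separately instead of silently folding them into one bucket. The sample addresses and the function names are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample: client addresses as they might appear in a ClientIPAddress field
SAMPLE_CLIENT_IPS = [
    "192.125.12.12", "192.125.12.200", "192.125.12.7",   # one /24
    "192.125.13.3",                                       # a second /24 in the same /16
    "1.1.1.1", "1.1.1.2", "1.1.1.3",                      # one /24
    "10.0.5.9",                                           # one /24
    "2001:db8:0:1::5", "2001:db8:0:1::9",                 # one /64
    "not-an-ip", "",                                      # malformed / missing values
]

def network_of(ip_text, v4_prefix=24, v6_prefix=64):
    """Return the enclosing network of an address, or None if the value is not a valid IP.
    strict=False lets ipaddress zero the host bits, so any prefix length works."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def count_networks(ip_texts, v4_prefix=24, v6_prefix=64):
    """Count addresses per network; malformed values are tallied separately."""
    per_network = Counter()
    invalid = 0
    for text in ip_texts:
        net = network_of(text, v4_prefix, v6_prefix)
        if net is None:
            invalid += 1
        else:
            per_network[net] += 1
    return per_network, invalid

def unique_network_count(ip_texts, v4_prefix=24, v6_prefix=64):
    """The number the Kibana visualization is after: distinct ranges, not distinct hosts."""
    per_network, _ = count_networks(ip_texts, v4_prefix, v6_prefix)
    return len(per_network)

if __name__ == "__main__":
    per_network, invalid = count_networks(SAMPLE_CLIENT_IPS)
    for net, n in per_network.most_common():
        print(f"{str(net):24} {n}")
    print(f"unique networks: {len(per_network)}, invalid values: {invalid}")
```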