ES|QL CIDR_MATCH not working (or more likely I'm doing something wrong)?

Hi All,

I've been messing around with ES|QL a bit, but I'm having an issue with the CIDR_MATCH function that I'm hoping someone can help with.

At a minimum, I have a document that looks like:

{
  "host": {
    "name": "ip-10-0-0-1.example.com",
    "ip": [
      "10.0.0.1",
      "127.0.0.1"
    ]
  }
}

If I run the query:

FROM index
| WHERE host.name == "ip-10-0-0-1.example.com"

I get a response as expected.

But if I run the query

FROM index
| WHERE CIDR_MATCH(host.ip, "10.0.0.0/8")

I don't get any responses. Note that host.ip is mapped as an IP type here.

If I do something like:

FROM index
| EVAL ip = TO_STRING(host.ip)
| WHERE ip == "10.0.0.1"

I also don't get anything.

If I switch to the standard query DSL/KQL:

...
"should": [
{
  "match_phrase": {
    "host.ip": "10.0.0.0/8"
  }
}
]
...

I get responses as expected.

Would anyone have any ideas on what could be the problem here?

I suspect it has to do with host.ip being a multi-value field, but it's not very clear how to proceed.

(Using 8.11.3 for entire stack)

Edit: I did find this limitation for multivalue fields and functions, but it doesn't mention operators, which is what CIDR_MATCH is listed as.


Hi Ben,

You need to use MV_EXPAND since it is a multi-value field.

Perhaps upgrade to 8.12 if possible.

So try:

FROM index
| MV_EXPAND host.ip            // one row per address, so CIDR_MATCH sees a single value
| WHERE CIDR_MATCH(host.ip, "10.0.0.0/8")
| KEEP host.ip, @timestamp
| LIMIT 100
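As an added illustration that is not part of the thread, here is a small Python model of the two behaviours discussed above: a scalar function such as CIDR_MATCH yields null when handed a multi-value field (so WHERE drops the row), while MV_EXPAND turns the field into one row per value first. The sample documents and the helper names (cidr_match, mv_expand, where, query_*) are my own constructions, not Elastic code.

```python
import ipaddress

# Constructed sample documents, modelled on the one in the question.
DOCS = [
    {"@timestamp": "2024-01-10T12:00:00Z",
     "host.name": "ip-10-0-0-1.example.com",
     "host.ip": ["10.0.0.1", "127.0.0.1"]},      # multi-value field
    {"@timestamp": "2024-01-10T12:01:00Z",
     "host.name": "ip-192-168-1-5.example.com",
     "host.ip": "192.168.1.5"},                   # single value
    {"@timestamp": "2024-01-10T12:02:00Z",
     "host.name": "ip-10-0-0-2.example.com",
     "host.ip": ["10.0.0.2", "10.1.0.2"]},        # two matching values
]

def cidr_match(value, *blocks):
    """Mimic ES|QL: a scalar function given a multi-value (or missing) field returns null."""
    if value is None or isinstance(value, list):
        return None
    ip = ipaddress.ip_address(value)
    return any(ip in ipaddress.ip_network(b, strict=False) for b in blocks)

def mv_expand(rows, field):
    """Emit one row per value of `field`; scalar and missing values pass through unchanged."""
    for row in rows:
        value = row.get(field)
        if isinstance(value, list):
            for item in value:
                yield {**row, field: item}
        else:
            yield row

def where(rows, predicate):
    """WHERE keeps a row only when the predicate is true; null is not true."""
    return [r for r in rows if predicate(r) is True]

def query_without_expand(rows):
    """FROM index | WHERE CIDR_MATCH(host.ip, "10.0.0.0/8")"""
    return where(rows, lambda r: cidr_match(r.get("host.ip"), "10.0.0.0/8"))

def query_with_expand(rows):
    """FROM index | MV_EXPAND host.ip | WHERE CIDR_MATCH(host.ip, "10.0.0.0/8")"""
    expanded = mv_expand(rows, "host.ip")
    return where(expanded, lambda r: cidr_match(r.get("host.ip"), "10.0.0.0/8"))

if __name__ == "__main__":
    print("without MV_EXPAND:", query_without_expand(DOCS))
    print("with MV_EXPAND:   ", query_with_expand(DOCS))
```

Note that after MV_EXPAND the result is one row per matching address, not per document, so a following STATS COUNT(*) counts addresses rather than hosts.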