ES|QL CIDR_MATCH not working (or more likely I'm doing something wrong)?

Hi All,

I've been messing around with ES|QL a bit, but I'm having an issue with the CIDR_MATCH function, I'm hoping someone can help with.

At a minimum, I have a document that looks like:

  "host": {
    "name": ""
    "ip": [

If I run the query:

FROM index
| WHERE == ""

I get a response as expected.

But if I run the query

FROM index
| WHERE CIDR_MATCH(host.ip, "")

I don't get any responses. Note that host.ip is mapped as an IP type here.

If I do something like:

FROM index
| EVAL ip = TO_STRING(host.ip)
| WHERE ip == ""

I also don't get anything.

If I switch to the standard query DSL/KQL:

"should": [
  "match_phrase": {
    "host.ip": ""

I get responses as expected.

Would anyone have any ideas on what could be the problem here?

I suspect it has to do with host.ip, being a multi-value field, but it's not very clear on how to proceed.

(Using 8.11.3 for entire stack)

Edit, I did find this limitation for mutlivalue fields and functions, but it doesn't mention operators which is what CIDR_MATCH is listed as.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Hej Ben,

You need to use MV_EXPAND since it is a multi-value field.

Perhaps upgrade to 8.12 if possible.

So try:

from index
| mv_expand host_ip
| WHERE CIDR_MATCH(host.ip, "")
| KEEP host.ip, @timestamp
| limit 100