I am trying to write an ES|QL query that filters out client.address with a WHERE clause, using wildcards to get rid of internal IP ranges. We are currently using the client.address field as a keyword, and in trying to form the query I have used:
WHERE client.address != "X.X.*"
WHERE client.address NOT IN ("X.X.*")
WHERE client.address NOT IN ("X.X.X.X/X")
WHERE client.address != "X.X.X.X/X"
None of the options seems to be working to reduce the internal IP address findings. From the documentation, keywords allow wildcards, so it should be working, but we also included the CIDR, even though it technically is not an IPADDR field.
Hi @RainTown -- That would be great, because I already have a query that works with a regex, but I am trying to do this in ES|QL, which is completely different from the Query DSL language. There is no RLIKE or regex command I can use, unless you are aware of something that I have not found in the available documentation.
I didn't mention it either, sorry about that -- we're currently on 8.16, and after checking out what I was sent, I found I was on the totally incorrect version of the documentation.
I appreciate the responses here; maybe my face was just too close to the screen to see the options available. I will take a look at RLIKE, CIDR_MATCH, and EVAL and see if I can get a working query.
Thanks for the suggestion @RainTown -- I ended up using WHERE NOT CIDR_MATCH(client.ip, "X.X.X.X/X"), and that seems to have worked to filter out the results. Curiously enough, when I used WHERE NOT on IPv6, it filtered the results to only include IPv6; I had to change it to WHERE CIDR_MATCH(client.ip, "::/48"), and that worked for me.
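A fuller version of the approach the poster landed on, written here as an added example rather than anything from the thread or from Elastic. It assumes an index pattern of logs-* and the two field names used above: client.address as a keyword and client.ip as an ip-typed field. Because ES|QL's != and NOT IN compare strings exactly (wildcard matching is only available through LIKE / RLIKE), the example does the range exclusion on an ip value with CIDR_MATCH, which accepts several CIDR blocks in one call; TO_IP is used so the same filter also works on the keyword copy of the address.

```esql
FROM logs-*
// Promote the keyword field to an ip value; rows that fail to parse become NULL and are dropped.
| EVAL addr = TO_IP(client.address)
| WHERE addr IS NOT NULL
// Drop RFC 1918 IPv4 ranges, IPv6 unique-local addresses and loopback in a single predicate.
| WHERE NOT CIDR_MATCH(addr,
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "fc00::/7",
    "::1/128",
    "127.0.0.0/8")
// Same exclusion against the native ip field, for indices that already map client.ip as ip.
| WHERE NOT CIDR_MATCH(client.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
| STATS hits = COUNT(*) BY client.ip
| SORT hits DESC
| LIMIT 20
```

When building the exclusion list, check the result with the inverse query (CIDR_MATCH without NOT) to confirm the blocks you expect are the ones being removed before relying on it in a detection rule.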