Finding ip address ranges that contain a given ip address

Hi,

assuming documents that have an object type defining an ip address range,
what would be the recommended way to retrieve documents for which the ip
range(s) contain a given ip address.

mapping:
'ip_doc': {
    'properties': {
        'ip_range' : {
            'type': 'object',
            'properties': {
                'from': {'type': 'ip'},
                'to': {'type': 'ip'}
            }
        }
    }
}

sample documents:
doc1 = {'ip_doc': {'ip_ranges' : {'from': '1.0.0.0', 'to': '2.255.255.255'}}}
doc2 = {'ip_doc': {'ip_ranges' : {'from': '2.0.0.0', 'to': '2.255.255.255'}}}
doc3 = {'ip_doc': {'ip_ranges' : {'from': '3.0.0.0', 'to': '3.255.255.255'}}}

So for ip = '2.0.0.0', doc1 and doc2 should be retrieved.

Thanks,
Sylvain

--

Hi Sylvain

assuming documents that have an object type defining an ip address
range, what would be the recommended way to retrieve documents for
which the ip range(s) contain a given ip address.

doc1 = {'ip_doc': {'ip_ranges' : {'from': '1.0.0.0', 'to':
'2.255.255.255'}}}
doc2 = {'ip_doc': {'ip_ranges' : {'from': '2.0.0.0', 'to':
'2.255.255.255'}}}
doc3 = {'ip_doc': {'ip_ranges' : {'from': '3.0.0.0', 'to':
'3.255.255.255'}}}

So for ip = '2.0.0.0', doc1 and doc2 should be retrieved.

This will work:
curl -XGET 'http://127.0.0.1:9200/test/ip_doc/_search?pretty=1' -d '
{
   "query" : {
      "constant_score" : {
         "filter" : {
            "and" : [
               {
                  "range" : {
                     "ip_range.to" : {
                        "gte" : "2.0.0.0"
                     }
                  }
               },
               {
                  "range" : {
                     "ip_range.from" : {
                        "lte" : "2.0.0.0"
                     }
                  }
               }
            ]
         }
      }
   }
}
'

One thing - you map your field as "ip_range" then you index your docs as
"ip_ranges" (with an "s"). I'm assuming that was an error and you
only have a single ip_range per doc. If you have multiple ip_ranges,
then you will need to change the mapping from type "object" to type
"nested" and use a nested filter instead.

clint

--

Hi Clint,

thanks for the help! We actually may have multiple ip ranges, so your tip
about using the nested type & filter is appreciated! I tried it and it
works, so thanks again.

Best regards,
Sylvain

On Wednesday, November 14, 2012 8:13:24 PM UTC+1, Clinton Gormley wrote:

--
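Added example, not part of the original thread: a plain-Python model (it does not call Elasticsearch) of why the two range clauses give false positives once a document holds several ranges under type "object", and why "nested" does not. The documents and the names `DOCS`, `match_object`, `match_nested` and `search` are constructed for illustration.

```python
from ipaddress import ip_address

# Constructed sample documents: each holds a list of (from, to) ranges.
DOCS = {
    "doc_a": [("1.0.0.0", "1.255.255.255"), ("3.0.0.0", "3.255.255.255")],  # gap at 2.x
    "doc_b": [("2.0.0.0", "2.255.255.255"), ("9.0.0.0", "9.0.0.255")],
    "doc_c": [("3.0.0.0", "3.255.255.255")],
}


def _ranges(doc):
    """Parse the string pairs into comparable address objects."""
    return [(ip_address(lo), ip_address(hi)) for lo, hi in doc]


def match_object(doc, ip):
    """Model of type "object": an array of ranges is flattened into two
    independent multi-valued fields, so the "to >= ip" clause and the
    "from <= ip" clause may each be satisfied by a different range."""
    ip = ip_address(ip)
    froms = [lo for lo, _ in _ranges(doc)]
    tos = [hi for _, hi in _ranges(doc)]
    return any(hi >= ip for hi in tos) and any(lo <= ip for lo in froms)


def match_nested(doc, ip):
    """Model of type "nested": both clauses are evaluated against the
    same range object, so the address must lie inside one actual range."""
    ip = ip_address(ip)
    return any(lo <= ip <= hi for lo, hi in _ranges(doc))


def search(matcher, ip):
    """Return the sorted names of the documents the matcher accepts."""
    return sorted(name for name, doc in DOCS.items() if matcher(doc, ip))


if __name__ == "__main__":
    for ip in ("2.0.0.0", "3.0.0.1"):
        print(ip, "object:", search(match_object, ip))
        print(ip, "nested:", search(match_nested, ip))
```

With the "object" model, doc_a is returned for 2.0.0.0 although neither of its ranges contains that address, which matters when the result drives an allow or deny decision.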