The Google search results I've found seem old and no longer applicable but I was wondering how you can exclude (or include) subnets from search results in Kibana.
I've tried using NOT source.ip:10.0.0.0/8 for example but I can't seem to find the right syntax.
As @leandrojmp indicated, NOT source.ip:10.0.0.0/8 should work if you're using KQL and the source.ip is of type IP in the index mappings.
If it's not of type IP, if it's a string, then you can either change the mapping or, if you have access to ES|QL, you can cast the string to an IP address as part of your ES|QL query:
```
FROM logs-network_traffic.* |
eval source.ip = to_ip(source.ip) |
WHERE CIDR_MATCH(source.ip, "192.168.0.0/16")
```
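As an added illustration (not code from either poster), the following Python models both halves of the answer above: the Query DSL shape behind `NOT source.ip:10.0.0.0/8` on an `ip`-typed field, and an emulation of the ES|QL `TO_IP` / `CIDR_MATCH` pipeline on constructed documents where `source.ip` is still a string, including the case of a value that does not parse as an IP. The sample documents and the assumption that a `term` query on an `ip` field accepts CIDR notation are the only things not taken from the thread.

```python
import ipaddress
import json

# Constructed sample documents: source.ip is stored as a string (keyword),
# the situation the answer above describes. One value is not an IP at all.
DOCS = [
    {"event.id": 1, "source.ip": "10.1.2.3"},
    {"event.id": 2, "source.ip": "192.168.10.5"},
    {"event.id": 3, "source.ip": "203.0.113.7"},
    {"event.id": 4, "source.ip": "not-an-ip"},
]

def exclude_subnet_query(field: str, cidr: str) -> dict:
    """Query DSL equivalent of the KQL `NOT source.ip:10.0.0.0/8`.

    Only meaningful when `field` is mapped as type `ip`: a term query on an
    ip field accepts CIDR notation. On a keyword field the same query looks
    for the literal string "10.0.0.0/8" and excludes nothing.
    """
    return {"query": {"bool": {"must_not": [{"term": {field: cidr}}]}}}

def to_ip(value: str):
    """Model of ES|QL TO_IP: unparseable input yields null (None), not an error."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def cidr_match(ip, cidr: str) -> bool:
    """Model of ES|QL CIDR_MATCH; a null IP never matches."""
    return ip is not None and ip in ipaddress.ip_network(cidr, strict=False)

def filter_docs(docs, cidr: str, exclude: bool) -> list:
    """Emulate `EVAL source.ip = TO_IP(source.ip) | WHERE [NOT] CIDR_MATCH(...)`.

    Returns the surviving event.ids. Edge case worth knowing: a document
    whose source.ip does not parse is dropped by BOTH the include and the
    exclude variant, because the WHERE clause never passes a null result.
    """
    kept = []
    for d in docs:
        ip = to_ip(d["source.ip"])
        if ip is None:
            continue  # TO_IP returned null; the row is filtered out either way
        if cidr_match(ip, cidr) != exclude:
            kept.append(d["event.id"])
    return kept

if __name__ == "__main__":
    print(json.dumps(exclude_subnet_query("source.ip", "10.0.0.0/8")))
    print("include 192.168.0.0/16:", filter_docs(DOCS, "192.168.0.0/16", exclude=False))
    print("exclude 10.0.0.0/8:", filter_docs(DOCS, "10.0.0.0/8", exclude=True))
```

Fixing the mapping to type `ip` is the durable fix; the cast-at-query-time route silently drops rows that fail to parse, so check `TO_IP` output for nulls before trusting an exclusion filter.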