How to convert ip long to string, to get ip subnets aggs

There is a field named ip, which is mapped to the ip type. Now I want to aggregate by /24 subnets. I use the script "doc['ip'].value & 0xffffff00" to get the long value of the IP; how do I then convert it to an IP string?

{
  "_source": [
    "host",
    "ip"
  ],
  "aggs": {
    "ip_subnet": {
      "terms": {
        "script": "doc['ip'].value & 0xffffff00"
      }
    }
  },
  "size": 0
}

I didn't find any result on the Elastic website. I wonder if there is another way to get the subnet aggs?

I also tried doc['ipstr'].value.split('.')[0..2].join('.') but it also did not work.

Thank you very much, and forgive my poor English :wink:

Can anybody help?

Why would you want to change it to a string? You should be able to do bucket aggregations on ip type.

Thank you for the reply.

I want to group by the IP's subnet, not just the IP. And ip range is not suitable because I don't know the ranges; I just want to group by all subnets.

But you can group by subnet, as defined in the document I linked previously. Note the CIDR netmask/subnet filter in this example:

IP ranges can also be defined as CIDR masks:

{
    "aggs" : {
        "ip_ranges" : {
            "ip_range" : {
                "field" : "ip",
                "ranges" : [
                    { "mask" : "10.0.0.0/25" },
                    { "mask" : "10.0.0.127/25" }
                ]
            }
        }
    }
}

Response:

{
    "aggregations": {
        "ip_ranges": {
            "buckets": [
                {
                    "key": "10.0.0.0/25",
                    "from": 1.6777216E+8,
                    "from_as_string": "10.0.0.0",
                    "to": 167772287,
                    "to_as_string": "10.0.0.127",
                    "doc_count": 127
                },
                {
                    "key": "10.0.0.127/25",
                    "from": 1.6777216E+8,
                    "from_as_string": "10.0.0.0",
                    "to": 167772287,
                    "to_as_string": "10.0.0.127",
                    "doc_count": 127
                }
            ]
        }
    }
}

I mean I don't know which subnets it has; these could be any IP range...

I'm not sure in that case, but I don't think there's anything built-in that will do that for you (at least not one that's accessible). You might find something and script it out, as there are converters back and forth on that count.

Thanks :0
I found a blog here: http://chenlinux.com/2014/11/27/elasticsearch-scripts-aggregations/
He did what I want; I tried it but it did not work...
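
The conversion asked about in this thread can also be done on the client after the terms aggregation returns. The following is an added example, not code from any poster or from Elasticsearch: it assumes the bucket keys are IPv4 addresses as unsigned 32-bit numbers (what the `doc['ip'].value & 0xffffff00` script is expected to yield), and the function names and sample response are constructed for illustration.

```python
import ipaddress
from collections import Counter


def long_to_subnet(value, prefix_len=24):
    """Turn a numeric IPv4 value into CIDR text, e.g. 167772165 -> '10.0.0.0/24'."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"invalid prefix length: {prefix_len!r}")
    n = int(value)  # JSON may deliver the key as a float such as 1.6777216E+8
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"not an IPv4 address value: {value!r}")
    # Build the netmask for the prefix and clear the host bits.
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Network((n & mask, prefix_len)))


def subnet_buckets(response, agg_name="ip_subnet", prefix_len=24):
    """Relabel terms buckets by subnet and merge keys that share a subnet."""
    counts = Counter()
    for bucket in response["aggregations"][agg_name]["buckets"]:
        counts[long_to_subnet(bucket["key"], prefix_len)] += bucket["doc_count"]
    # Largest subnets first; ties broken by subnet text for stable output.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample response (not real cluster output).
SAMPLE_RESPONSE = {
    "aggregations": {
        "ip_subnet": {
            "buckets": [
                {"key": 167772160, "doc_count": 12},       # 10.0.0.0
                {"key": 3232235776, "doc_count": 7},       # 192.168.1.0
                {"key": 2.886731008e9, "doc_count": 4},    # 172.16.5.0 as a float
                {"key": 167772165, "doc_count": 3},        # 10.0.0.5, unmasked key
            ]
        }
    }
}

if __name__ == "__main__":
    for subnet, count in subnet_buckets(SAMPLE_RESPONSE):
        print(f"{subnet:<18} {count}")
```
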