How to fetch only Public or Private IP in ES?

GET logstash-ramesh-2020.09.16/_search
{
   "query": {
  "bool": {
      "must_not": [
         {
             "regexp": {
                "src_ip.raw": {
                   "value": "^(?:10|127|172\\.(?:1[6-9]|2[0-9]|3[01])|192\\.168)\\..*"
                }
             }
         }
      ]
  }
   },
   "_source": [
  "src_ip"
   ]
}

How to fetch only Public or Private IP?

Thanks in Advance !

Queries on "ip_range" type (missing documentation) has some good pointers on that.

Thanks for your quick response.

But I need to filter only public IP
eg.,

GET logstash-ramesh-2020.09.16/_search
{
   "query": {
      "bool": {
          "must_not": [
             {
                 "regexp": {
                    "src_ip.raw": {
                       "value": "^(?:10|127|172\\.(?:1[6-9]|2[0-9]|3[01])|192\\.168)\\..*"
                    }
                 }
             }
          ]
      }
   },
   "_source": [
      "src_ip"
   ]
}

You can also try to use the ip data type, if your queries can be expressed using CIDR

DELETE my-index

PUT my-index
{
  "mappings": {
    "properties": {
      "ip_addr": {
        "type": "ip"
      }
    }
  }
}

PUT my-index/_bulk?refresh
{"index":{}}
{"ip_addr":"192.168.1.1"}
{"index":{}}
{"ip_addr":"1.1.1.1"}
{"index":{}}
{"ip_addr":"10.5.6.7"}


GET my-index/_search
{
  "query": {
    "terms": {
      "ip_addr": [
        "192.168.0.0/16",
        "127.16.0.0/16",
        "10.0.0.0/8"
      ]
    }
  }
}
1 Like

Thanks for your response.

But I don't have access to delete and recreate index. Can you suggest any alternate solution?