How to store array of IP?

esamudio · May 31, 2016, 4:57pm

I have noticed that I'm unable to create an array of IP the same way I can create an array of either integers or strings as it doesn't seem to be recognized by default. Is there a way for me to create an array of IP?

If it helps, if someone knows how ES interprets an IP (as documentation says its stored as a long), I'm also open to suggestions as I can write up code to parse the IPs into whatever format ES converts it to so I can possibly create an array of longs and store them as IP?

Thanks for the help!

msimos · May 31, 2016, 6:59pm

Hi,

You should be able to use a mapping like:

PUT ips
{
  "mappings": {
    "type": {
      "properties": {
        "ips" : {
          "type": "ip"
        }
      }
    }
  }
}

Index a document like this:

POST ips/type
{
  "ips": ["123.123.123.123","10.0.0.1"]
}

Then you can search using something like this:

GET /ips/_search
{
  "query": {
    "term": {
      "ips": {
        "value": "10.0.0.1"
      }
    }
  }
}

Which results in a match of the following document:

 "hits": {
    "total": 1,
    "max_score": 0.30685282,
    "hits": [
      {
        "_index": "ips",
        "_type": "type",
        "_id": "AVUILG5rcBlij3ua9lEz",
        "_score": 0.30685282,
        "_source": {
          "ips": [
            "123.123.123.123",
            "10.0.0.1"
          ]
        }
      }
    ]
  }

esamudio · June 1, 2016, 1:05am

Thanks for the answer!

I tried doing that as the documentation says that any field can be an array by just appending elements. The problem that occurred is that ES would give an error saying there was a mismatch in between arrays of type long vs type IP (expected by mapping). Would you know if there's a way around this?

msimos · June 1, 2016, 1:51am

Hi,

Sorry I don't understand the question. I provided you an example of how you would create an array of type ip. Is there something as to what I demonstrated that doesn't meet your needs? You just need to use square brackets to specify an array in your document as I demonstrated above.

esamudio · June 1, 2016, 10:28am

It's my fault for not providing enough information/being clear enough. I followed your instructions as listed and I'm not sure if I'm doing something wrong because I get the following exception:

{"error":{"root_cause":[{"type":"mapper_parsing_exception","reason":"failed to parse"}],"type":"mapper_parsing_exception","reason":"failed to parse","caused_by":{"type":"illegal_state_exception","reason":"Mixing up field types: class org.elasticsearch.index.mapper.core.LongFieldMapper$LongFieldType != class org.elasticsearch.index.mapper.ip.IpFieldMapper$IpFieldType on field ips"}},"status":400}

That's what happened when I first tried to make an array of IPs and I'm not sure how to circumvent that.

msimos · June 2, 2016, 2:28am

Can you provide the mapping and a sample document you're trying to index?

esamudio · June 2, 2016, 4:44pm

I created a dummy index following the steps above. My dummy index is called "com".

curl -XPUT 'http://localhost:9200/com' -d '{
	"mappings": {
		"type": {
			"properties": {
				"ips": {
					"type": "ip"
				}
			}
		}
	}
}'

I then indexed the sample ip array into the "com" index in the "anytype" type with id "1".

curl -XPOST 'http://localhost:9200/com/anytype/1' -d '{
	"ips": ["123.123.123.123", "10.0.0.1"]
}'

This gave me the error:

{
	"error": {
		"root_cause": [{
			"type": "mapper_parsing_exception",
			"reason": "failed to parse"
		}],
		"type": "mapper_parsing_exception",
		"reason": "failed to parse",
		"caused_by": {
			"type": "illegal_state_exception",
			"reason": "Mixing up field types: class org.elasticsearch.index.mapper.core.LongFieldMapper$LongFieldType != class org.elasticsearch.index.mapper.ip.IpFieldMapper$IpFieldType on field ips"
		}
	},
	"status": 400
}

I appreciate you taking the time to help me debug this