How to store array of IP?

Elastic Stack Elasticsearch
1

I have noticed that I'm unable to create an array of IP the same way I can create an array of either integers or strings as it doesn't seem to be recognized by default. Is there a way for me to create an array of IP?

If it helps, if someone knows how ES interprets an IP (as documentation says its stored as a long), I'm also open to suggestions as I can write up code to parse the IPs into whatever format ES converts it to so I can possibly create an array of longs and store them as IP?

Thanks for the help!

2

Hi,

You should be able to use a mapping like:

PUT ips
{
  "mappings": {
    "type": {
      "properties": {
        "ips" : {
          "type": "ip"
        }
      }
    }
  }
}

Index a document like this:

POST ips/type
{
  "ips": ["123.123.123.123","10.0.0.1"]
}

Then you can search using something like this:

GET /ips/_search
{
  "query": {
    "term": {
      "ips": {
        "value": "10.0.0.1"
      }
    }
  }
}

Which results in a match of the following document:

 "hits": {
    "total": 1,
    "max_score": 0.30685282,
    "hits": [
      {
        "_index": "ips",
        "_type": "type",
        "_id": "AVUILG5rcBlij3ua9lEz",
        "_score": 0.30685282,
        "_source": {
          "ips": [
            "123.123.123.123",
            "10.0.0.1"
          ]
        }
      }
    ]
  }
1 Like
3

Thanks for the answer!

I tried doing that as the documentation says that any field can be an array by just appending elements. The problem that occurred is that ES would give an error saying there was a mismatch in between arrays of type long vs type IP (expected by mapping). Would you know if there's a way around this?

4

Hi,

Sorry I don't understand the question. I provided you an example of how you would create an array of type ip. Is there something as to what I demonstrated that doesn't meet your needs? You just need to use square brackets to specify an array in your document as I demonstrated above.

5

It's my fault for not providing enough information/being clear enough. I followed your instructions as listed and I'm not sure if I'm doing something wrong because I get the following exception:

{"error":{"root_cause":[{"type":"mapper_parsing_exception","reason":"failed to parse"}],"type":"mapper_parsing_exception","reason":"failed to parse","caused_by":{"type":"illegal_state_exception","reason":"Mixing up field types: class org.elasticsearch.index.mapper.core.LongFieldMapper$LongFieldType != class org.elasticsearch.index.mapper.ip.IpFieldMapper$IpFieldType on field ips"}},"status":400}

That's what happened when I first tried to make an array of IPs and I'm not sure how to circumvent that.

6

Can you provide the mapping and a sample document you're trying to index?

7

I created a dummy index following the steps above. My dummy index is called "com".

curl -XPUT 'http://localhost:9200/com' -d '{
	"mappings": {
		"type": {
			"properties": {
				"ips": {
					"type": "ip"
				}
			}
		}
	}
}'

I then indexed the sample ip array into the "com" index in the "anytype" type with id "1".

curl -XPOST 'http://localhost:9200/com/anytype/1' -d '{
	"ips": ["123.123.123.123", "10.0.0.1"]
}'

This gave me the error:

{
	"error": {
		"root_cause": [{
			"type": "mapper_parsing_exception",
			"reason": "failed to parse"
		}],
		"type": "mapper_parsing_exception",
		"reason": "failed to parse",
		"caused_by": {
			"type": "illegal_state_exception",
			"reason": "Mixing up field types: class org.elasticsearch.index.mapper.core.LongFieldMapper$LongFieldType != class org.elasticsearch.index.mapper.ip.IpFieldMapper$IpFieldType on field ips"
		}
	},
	"status": 400
}

I appreciate you taking the time to help me debug this :slight_smile: