How to use the terms filter for a whitelist (or blacklist) for a search

Can somebody please explain how the terms filter can be used as a Whitelist / Blacklist for a search? I tried the following, but it did not work. Thanks.

PUT iplist/_doc/_bulk
{ "index":{}}
{ "type" : "C2", "source" : "Test1", "ip": "192.168.1.13"}
{ "index":{}}
{ "type" : "C2", "source" : "Test1", "ip":"192.168.1.14"}
{ "index":{}}
{ "type" : "TOR", "source" : "Test2", "ip": "192.168.2.23"}
{ "index":{}}
{ "type" : "TOR", "source" : "Test2", "ip": "192.168.2.24"}
{ "index":{}}
{ "type" : "Source", "source" : "Test1", "ip": "192.168.1.69"}

GET iplist/_search

PUT traffic/_doc/_bulk
{ "index":{}}
{"seq":1, "sip" : "192.168.8.2", "dip" : "192.168.1.13"}
{ "index":{}}
{"seq":2, "sip" : "192.168.8.4", "dip" : "192.168.1.14"}
{ "index":{}}
{"seq":3, "sip" : "192.168.8.8", "dip" : "192.168.2.23"}
{ "index":{}}
{"seq":4, "sip" : "192.168.8.8", "dip" : "192.168.2.23"}
{ "index":{}}
{"seq":5, "sip" : "192.168.8.2", "dip" : "192.168.1.13"}
{ "index":{}}
{"seq":6, "sip" : "192.168.8.4", "dip" : "192.168.1.14"}
{ "index":{}}
{"seq":7, "sip" : "192.168.1.69", "dip" : "192.168.8.2"}
{ "index":{}}
{"seq":8, "sip" : "192.168.1.69", "dip" : "192.168.8.2"}

GET traffic/_search?pretty
{
  "query": {
    "terms": {
      "dip": {
        "index": "iplist",
        "id": "*",
        "path": "dip"
      }
    }
  }
}

2 things here:

  • the path should be ip and not dip.
  • You can't use * for the document id. It must be one single document.
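Putting the two corrections together, as an added example that is not part of the original thread: the IP list has to live in one document as an array, the lookup's `path` names that document's `ip` field, and the `id` is a fixed document id. The document id `c2-and-tor`, the `blacklist_query` / `whitelist_query` helpers and the in-memory `evaluate` function are my assumptions; the request bodies they build are ordinary Elasticsearch JSON, and `evaluate` only mirrors what the terms lookup does so the script runs offline against the sample traffic from the question.

```python
"""Terms lookup as a blacklist or whitelist (added example, not from the post).

A terms lookup reads its term list from ONE document:
    {"terms": {"<field>": {"index": ..., "id": ..., "path": ...}}}
so the IPs go into a single document as an array, "path" is the field
inside that document ("ip"), and "id" is that document's id.  The request
bodies below are Elasticsearch JSON; evaluate() mirrors the filter locally
so the example runs without a cluster.
"""
import json

# Constructed sample data, same values as in the question.
BLACKLIST_DOC_ID = "c2-and-tor"          # assumed id; any fixed string works
BLACKLIST_DOC = {
    "type": "blacklist",
    "ip": ["192.168.1.13", "192.168.1.14", "192.168.2.23", "192.168.2.24"],
}

TRAFFIC = [
    {"seq": 1, "sip": "192.168.8.2", "dip": "192.168.1.13"},
    {"seq": 2, "sip": "192.168.8.4", "dip": "192.168.1.14"},
    {"seq": 3, "sip": "192.168.8.8", "dip": "192.168.2.23"},
    {"seq": 4, "sip": "192.168.8.8", "dip": "192.168.2.23"},
    {"seq": 5, "sip": "192.168.8.2", "dip": "192.168.1.13"},
    {"seq": 6, "sip": "192.168.8.4", "dip": "192.168.1.14"},
    {"seq": 7, "sip": "192.168.1.69", "dip": "192.168.8.2"},
    {"seq": 8, "sip": "192.168.1.69", "dip": "192.168.8.2"},
]


def terms_lookup(field, index, doc_id, path):
    """Terms clause: match <field> against the array at <path> in one document."""
    return {"terms": {field: {"index": index, "id": doc_id, "path": path}}}


def blacklist_query(field="dip"):
    """Blacklist: keep only hits whose <field> appears in the lookup document."""
    clause = terms_lookup(field, "iplist", BLACKLIST_DOC_ID, "ip")
    return {"query": {"bool": {"filter": [clause]}}}


def whitelist_query(field="dip"):
    """Whitelist: drop hits whose <field> appears in the lookup document."""
    clause = terms_lookup(field, "iplist", BLACKLIST_DOC_ID, "ip")
    return {"query": {"bool": {"must_not": [clause]}}}


def console_requests():
    """Kibana Console text: index the list document, then run both searches."""
    return "\n".join([
        f"PUT iplist/_doc/{BLACKLIST_DOC_ID}",
        json.dumps(BLACKLIST_DOC),
        "",
        "GET traffic/_search",
        json.dumps(blacklist_query(), indent=2),
        "",
        "GET traffic/_search",
        json.dumps(whitelist_query(), indent=2),
    ])


def _resolve(clause, lookup_store):
    """Resolve one terms-lookup clause against an in-memory {index: {id: doc}}."""
    (field, spec), = clause["terms"].items()
    doc = lookup_store[spec["index"]][spec["id"]]
    values = doc.get(spec["path"], [])
    if not isinstance(values, list):
        values = [values]
    return field, set(values)


def evaluate(query, docs, lookup_store):
    """Apply the bool/filter/must_not semantics locally; return matching seq numbers."""
    bool_q = query["query"]["bool"]
    keep = [_resolve(c, lookup_store) for c in bool_q.get("filter", [])]
    drop = [_resolve(c, lookup_store) for c in bool_q.get("must_not", [])]
    return [
        d["seq"] for d in docs
        if all(d.get(f) in vals for f, vals in keep)
        and not any(d.get(f) in vals for f, vals in drop)
    ]


if __name__ == "__main__":
    store = {"iplist": {BLACKLIST_DOC_ID: BLACKLIST_DOC}}
    print(console_requests())
    print("blacklist hits:", evaluate(blacklist_query(), TRAFFIC, store))  # [1, 2, 3, 4, 5, 6]
    print("whitelist hits:", evaluate(whitelist_query(), TRAFFIC, store))  # [7, 8]
```

Two practical points when running this against a real cluster: the lookup document is fetched with a GET, so `_source` must remain enabled on the `iplist` index, and the array is subject to the `index.max_terms_count` setting of the index being searched, so very large blocklists belong in a different mechanism than a single terms lookup.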
