Can somebody please explain how the terms filter can be used as a whitelist / blacklist for a search? I tried the following, but it did not work. Thanks.
# Bulk-index five sample indicator entries (type, source, ip) into the `iplist` index,
# then list them back with a body-less search.
# Each `{ "index":{}}` action line carries no `_id`, so every entry becomes its own
# document with an auto-generated ID.
# No mapping is created first, so the `ip` strings are mapped dynamically
# (presumably text plus a `.keyword` sub-field; confirm with GET iplist/_mapping).
# NOTE(review): the `_doc` type segment in the bulk path is deprecated in Elasticsearch 7.x
# and removed in 8.0; `PUT iplist/_bulk` is the typeless form.
PUT iplist/_doc/_bulk
{ "index":{}}
{ "type" : "C2", "source" : "Test1", "ip": "192.168.1.13"}
{ "index":{}}
{ "type" : "C2", "source" : "Test1", "ip":"192.168.1.14"}
{ "index":{}}
{ "type" : "TOR", "source" : "Test2", "ip": "192.168.2.23"}
{ "index":{}}
{ "type" : "TOR", "source" : "Test2", "ip": "192.168.2.24"}
{ "index":{}}
{ "type" : "Source", "source" : "Test1", "ip": "192.168.1.69"}
GET iplist/_search
# Bulk-index eight sample flow records into the `traffic` index. Each record has a
# sequence number (`seq`), a source address (`sip`) and a destination address (`dip`).
# Records 1-6 have a `dip` that also appears as an `ip` value in the iplist sample data;
# records 7-8 have a listed address (192.168.1.69) in `sip` instead, so a lookup on
# `dip` alone would not match them.
# As with iplist, no `_id` and no explicit mapping are supplied.
PUT traffic/_doc/_bulk
{ "index":{}}
{"seq":1, "sip" : "192.168.8.2", "dip" : "192.168.1.13"}
{ "index":{}}
{"seq":2, "sip" : "192.168.8.4", "dip" : "192.168.1.14"}
{ "index":{}}
{"seq":3, "sip" : "192.168.8.8", "dip" : "192.168.2.23"}
{ "index":{}}
{"seq":4, "sip" : "192.168.8.8", "dip" : "192.168.2.23"}
{ "index":{}}
{"seq":5, "sip" : "192.168.8.2", "dip" : "192.168.1.13"}
{ "index":{}}
{"seq":6, "sip" : "192.168.8.4", "dip" : "192.168.1.14"}
{ "index":{}}
{"seq":7, "sip" : "192.168.1.69", "dip" : "192.168.8.2"}
{ "index":{}}
{"seq":8, "sip" : "192.168.1.69", "dip" : "192.168.8.2"}
# Terms-lookup attempt: return traffic documents whose `dip` equals one of the values
# fetched from the `iplist` index.
# Why it matches nothing as written:
#  - `id` must be the ID of one existing document. Terms lookup fetches a single
#    document, and "*" is not expanded as a wildcard over the index.
#  - `path` names the field inside the looked-up document. The iplist documents store
#    their addresses under `ip`; they have no `dip` field.
# The iplist entries were indexed one address per document with auto-generated IDs, so
# there is no single known document for `id` to reference. Terms lookup fits a list held
# as an array field in one document with a known ID.
# For an exclusion list, the same `terms` clause is placed under `bool.must_not`.
GET traffic/_search?pretty
{
"query": {
"terms": {
"dip": {
"index":"iplist",
"id": "*",
"path":"dip"
}
}
}
}