In-between Query for IP data type

I need to understand how to create an in-between query for the IP datatype. I need a specific example for IPv6 addresses.

Please find an example which might explain. Let me know if it helped you.

# Insert some IPv6 examples into an index
PUT my-index-000001
{
  "mappings": {
    "properties": {
      "ip_addr": {
        "type": "ip"
      }
    }
  }
}

PUT my-index-000001/_doc/2
{
  "ip_addr": "2607:f0d0:1002:51::2"
}

PUT my-index-000001/_doc/3
{
  "ip_addr": "2607:f0d0:1002:0051:0000:0000:0000:0003"
}

Now search using IPv6 CIDR notation:

GET my-index-000001/_search
{
  "query": {
    "term": {
      "ip_addr": "2607:f0d0::/26"
    }
  }
}

Thanks for the response. Does this mean I will have to index all the IPv6 addresses into an index to be able to search using CIDR? If so, is there any mechanism that allows for loading all the IPv6 addresses into an index?

> Thanks for the response. Does this mean I will have to index all the IPv6 addresses into an index to be able to search using CIDR?

No, you don't need to. I was just giving an example to simulate the data.

The only thing you need to be careful about is the "mapping" of the ip_address field. That needs to be of type "ip".
So in the index which you have loaded, try to change the mapping of the field where the ip_addr resides to ip, and then you have full flexibility.

I still am not very clear. In the previous example I loaded two IPs and then did a CIDR search, which brought out all the matches (in this case the 2 that I had previously put). What about the IPs I have not added? I would have expected the CIDR range search to give all matching IPs irrespective of them being in the index.

In my use case I will have startIP and endIP only. I will need to figure out if the input IP is between the startIP and endIP. Can you please put up an example and explain?

The 2607:f0d0::/26 range includes 67 IPs. Check here: CIDR to IPv6 Address Range Utility Tool | IPAddressGuide
Kin's query will match all documents where ip_addr is one of these 67 IPs.

Alternatively you can use a range query:

{
  "query": {
    "range": {
      "ip_addr": {
        "gte": "2001:0000:3238:DFE1:64::FEFB",
        "lt": "2001:0000:3238:DFE1:66::FEFC"
      }
    }
  }
}

I did try the curl:

curl -XGET 'localhost:9200/my-index-000001/_search?pretty' -H 'Content-Type: application/json' -d'
{
  "query": {
    "term": {
      "ip_addr": "2607:f0d0::/26"
    }
  }
}
'
and got this response:
```
{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 2,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "my-index-000001",
        "_type" : "_doc",
        "_id" : "2",
        "_score" : 1.0,
        "_source" : {
          "ip_addr" : "2607:f0d0:1002:51::2"
        }
      },
      {
        "_index" : "my-index-000001",
        "_type" : "_doc",
        "_id" : "3",
        "_score" : 1.0,
        "_source" : {
          "ip_addr" : "2607:f0d0:1002:0051:0000:0000:0000:0003"
        }
      }
    ]
  }
}
```

Am I missing something? I am using Elasticsearch 7.7.0. I did try your range query with Ken's IP address; I still did not get the list of IPs in the response.

This is what you expected, I hope? I.e. when you query for a range in CIDR notation, you get what you have indexed. If you PUT an IP which is NOT part of the CIDR, it shouldn't GET the value.

It would mean that the index will need to have all the IPv6 IPs that match the CIDR search? If yes, I need to know of a mechanism to get all IPv6 addresses into an index. Please let me know if you are aware of any.

Why?

Aren't you querying documents whose ip_addr value is between IP1 and IP2? If yes, a range query will allow you to explicitly specify IP1 and IP2.

A CIDR in a term query will resolve to IP1 and IP2. For example, for 2607:f0d0::/26 IP1 will be
2607:F0D0:0000:0000:0000:0000:0000:0000 and IP2 will be 2607:F0FF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
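As an added example (not from this thread and not Elasticsearch code), the Python below uses the standard-library `ipaddress` module to reproduce what the ip field does under the hood: it turns an IPv6 CIDR into the IP1/IP2 bounds a term query resolves to (IP1 is the prefix with its host bits cleared, IP2 with them set), checks whether an address falls between a startIP and endIP the way a range query with gte/lte (or lt) does, and converts a startIP/endIP pair back into CIDR blocks. The indexed sample values are constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple


def to_key(ip: str) -> bytes:
    """16-byte big-endian key that sorts numerically, like the ip field's
    stored form. IPv4 is mapped into IPv6 space so one ordering covers both."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        addr = ipaddress.IPv6Address(f"::ffff:{addr}")
    return addr.packed


def cidr_bounds(cidr: str) -> Tuple[str, str]:
    """First and last address of a CIDR block: the IP1/IP2 a term query on a
    CIDR resolves to (host bits cleared for IP1, set for IP2)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def in_between(ip: str, start: str, end: str, include_end: bool = True) -> bool:
    """Equivalent of a range query with gte=start and lte=end (lt when
    include_end is False). Pure byte comparison, no index needed."""
    key, lo, hi = to_key(ip), to_key(start), to_key(end)
    return lo <= key <= hi if include_end else lo <= key < hi


def in_cidr(ip: str, cidr: str) -> bool:
    """What a term query on a CIDR checks for a single value."""
    first, last = cidr_bounds(cidr)
    return in_between(ip, first, last)


def range_to_cidrs(start: str, end: str) -> List[str]:
    """Smallest set of CIDR blocks covering start..end inclusive, so a
    startIP/endIP pair can be rewritten as term-on-CIDR queries."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end))
    return [str(n) for n in nets]


def matching(docs: Iterable[str], start: str, end: str) -> List[str]:
    """What the range query returns: only values that were actually indexed."""
    return [d for d in docs if in_between(d, start, end)]


# Constructed sample of indexed ip_addr values (not real data)
SAMPLE_DOCS = ["2607:f0d0:1002:51::2", "2607:f0d0:1002:0051:0000:0000:0000:0003",
               "2607:f100::1", "10.0.0.5"]
```

An address that was never indexed can still be tested with `in_between` or `in_cidr`; the index only decides which stored values a query returns.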

Like I said before, my use case is to find out if 2607:F0D0:0000:0000:0000:0000:0000:0023 is in between 2607:F0D0:0000:0000:0000:0000:0000:0000 and 2607:F0FF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF using an in-between query.

I need to do this process for any IPv6 IPs that are currently in use. So for this to work, I will first need to create an index of such IPs and then use the CIDR in a term query to get the list of all the IPs that match.

Is my understanding correct?

I am trying to figure out if I can use the "ip" datatype to find all the IPs within a CIDR range, without the index having each explicit IP.

E.g. I want to find out if 2804:7f0:a081:3f91:a0d4:2294:a75b:2945 is between 2804:07f0:a081:3f91:0000:0000:0000:0000 and 2804:07f0:a081:3f91:ffff:ffff:ffff:ffff
and list all other matching IPs as well.
