Inconsistent results using Lucene Query Syntax

Elastic Stack Elasticsearch
1

I am using elasticstack for log analysis. When I am querying from Kibana using the Lucene Query Syntax I am gettting some inconsistent results.

The queries along with their respective number of hits are:

clientIP: [66.249.64.* TO 66.249.79.] --> 18,853 hits
1
clientIP: [66.249.80. TO 66.249.93.*] --> 39,630 hits
2

however
clientIP: [66.249.64.* TO 66.249.93.*] --> 92,045 hits
3

Am I doing anything wrong here?

2

What do you get if you try clientIP: [66.249.64.0 TO 66.249.79.255], clientIP: [66.249.80.0 TO 66.249.93.255] and clientIP: [66.249.64.0 TO 66.249.93.255]?

1 Like
3

The results seem to have changed but again the sum doesn't add up

11

22

33

4

What is the mapping of the field?

5

The mapping I used is string

6

OK. That means that the IP format will not be enforced. What results do clientIP: [66.249.79.255 TO 66.249.80.0] and clientIP: [66.249.64.0 TO 66.249.80.0] give?

1 Like
7

This happened

111

222

So does changing the mapping for this field fix this? If yes can you plase suggest how to? (becuase the data is already indexed or is it better to reindex the data?)

8

As you are performing a range query you need to have the same start and end point when you split the interval up as the end value is not included (range is[start <= value < end]). clientIP: [66.249.64.0 TO 66.249.80.0] and clientIP: [66.249.80.0 TO 66.249.94.0] would therefore cover the full range.

If you want to instead map the field as ip you will need to reindex the data into a new index with the correct mapping.

1 Like
9

Thank you very much @Christian_Dahlqvist

10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.