Indexing CIDR block e.g.: 192.168.1.0/24

Is there a way to index fields in CIDR block format and have the same "ip" datatype-like functionality with CIDR queries?

Using ip-type mapping, I got this error.

"error": {
    "root_cause": [
        {
            "type": "mapper_parsing_exception",
            "reason": "failed to parse [ip_addr]"
        }
    ],
    "type": "mapper_parsing_exception",
    "reason": "failed to parse [ip_addr]",
    "caused_by": {
        "type": "illegal_argument_exception",
        "reason": "'192.168.1.0/24' is not an IP string literal."
    }
}

Can you show your mapping and the query you're sending?

Hi

Here is the mapping :

PUT http://192.168.128.32:7013/testindex

{
  "mappings": {
    "_doc": {
      "properties": {
        "ip_addr": {
          "type": "ip"
        }
      }
    }
  }
}

Here is the index PUT request:

PUT http://192.168.128.32:7013/testindex/_doc/2
{
  "ip_addr": "192.168.1.0/24"
}

And the request fails with ...

"error": {
    "root_cause": [
        {
            "type": "mapper_parsing_exception",
            "reason": "failed to parse [ip_addr]"
        }
    ],
    "type": "mapper_parsing_exception",
    "reason": "failed to parse [ip_addr]",
    "caused_by": {
        "type": "illegal_argument_exception",
        "reason": "'192.168.1.0/24' is not an IP string literal."
    }
}

If I'm not mistaken, you can only search CIDR blocks but not index them.


You can index it as a range with https://www.elastic.co/guide/en/elasticsearch/reference/6.2/range.html


ip_range works great, thanks for the suggestion. Term query on this works well.

Is full text search possible on ip_range fields?

I have this mapping, and text search failed on this ip_range. Wondering if there is a solution to achieve this.

curl localhost:10201/ipindex/_mapping?pretty
{
  "ipindex" : {
    "mappings" : {
      "_doc" : {
        "properties" : {
          "dst_ip" : {
            "type" : "ip_range"
          },
          "src_ip" : {
            "type" : "ip_range"
          }
        }
      }
    }
  }
}

$ curl localhost:10201/ipindex/_search
{"took":2,"timed_out":false,"_shards":{"total":5,"successful":5,"skipped":0,"failed":0},"hits":{"total":1,"max_score":1.0,"hits":[{"_index":"ipindex","_type":"_doc","_id":"1","_score":1.0,"_source":{
  "src_ip": "10.2.0.0/16",
  "dst_ip": "10.3.0.128/29"
}
}]}}

$ curl localhost:10201/ipindex/_search?q=10.2.0.0
{"took":4,"timed_out":false,"_shards":{"total":5,"successful":5,"skipped":0,"failed":0},"hits":{"total":0,"max_score":null,"hits":[]}}

$ curl localhost:10201/ipindex/_search?q=src_ip:10.2.1.254
{"took":3,"timed_out":false,"_shards":{"total":5,"successful":5,"skipped":0,"failed":0},"hits":{"total":1,"max_score":1.0,"hits":[{"_index":"ipindex","_type":"_doc","_id":"1","_score":1.0,"_source":{
  "src_ip": "10.2.0.0/16",
  "dst_ip": "10.3.0.128/29"
}
}]}}
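
An added example, not part of the thread and not Elasticsearch code: a Python sketch that validates CIDR strings before they are sent to an `ip_range` field and expands each into explicit `gte`/`lte` bounds, using the `src_ip`/`dst_ip` values from the post above. The function names are hypothetical, and `ip_in_range` is only a local model of the containment match the thread reports for a query on a single address.

```python
import ipaddress


def cidr_to_ip_range(cidr):
    """Expand a CIDR block into explicit bounds for an ip_range field.

    strict=True rejects input with host bits set (e.g. 192.168.1.5/24), so a
    mistyped rule is caught before indexing instead of being stored as-is.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return {"gte": str(net.network_address), "lte": str(net.broadcast_address)}


def ip_in_range(ip, bounds):
    """Local model of querying an ip_range field with one address:
    the document matches when the address lies inside the stored bounds.
    Assumption: mixed IPv4/IPv6 comparisons are treated as no match."""
    addr = ipaddress.ip_address(ip)
    low = ipaddress.ip_address(bounds["gte"])
    high = ipaddress.ip_address(bounds["lte"])
    if addr.version != low.version:
        return False
    return low <= addr <= high


def build_doc(fields):
    """Validate every CIDR field of a document; return (doc, errors)."""
    doc, errors = {}, {}
    for name, cidr in fields.items():
        try:
            doc[name] = cidr_to_ip_range(cidr)
        except ValueError as exc:  # bad address, bad prefix, host bits set
            errors[name] = str(exc)
    return doc, errors


if __name__ == "__main__":
    # Document taken from the thread's _search output.
    doc, errors = build_doc({"src_ip": "10.2.0.0/16", "dst_ip": "10.3.0.128/29"})
    print(doc, errors)
    # Same lookup as q=src_ip:10.2.1.254 in the thread.
    print(ip_in_range("10.2.1.254", doc["src_ip"]))
    # Constructed bad input: host bits set in the network part.
    print(build_doc({"src_ip": "192.168.1.5/24"}))
```
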
