Hi there.
I have a elasticsearch index with a ip address field in the mapping:
"address" : {
"type" : "ip"
},
I need to know if I can search for any ip byte component, for example, having a document with ip "172.13.200.1", I make a query searching for byte '200', I need to get all documents with:
200...*
.200..*
..200.*
..*.200
Is that possible?
Thanks
I'm wondering if you can do that using a bool query with 4 should clauses using ip masks like:
"term": {
"address": "192.168.0.0/16"
}
I have no idea if this would work 
.
It is not, you can't query for individual octets, but you can make cidr queries as the example in the documentation.
I guess the only way then is to index also the ip address a text field with the default analyzer, that should work out of the box.
I had this requirement in a past job, the solution I used was to index each octet as different fields and store them as keywords.
Not sure if indexing as a text field would achieve the same result beause the position is relevant.
For the use case mentioned at the start, the position is not relevant. That's why I suggested this approach.
Otherwise, in addition to @leandrojmp solution, it's possible to index it as a keyword and run a "slow" regex. But I definitely prefer splitting in 4 fields. Much faster at search time! 
Thank you to both of you.
Yes, I already thought on indexing the field also as text, but I could do it just only with the ip field type.
Cheers
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.