Hi,
I'm trying to filter some IP's but for whatever reason something like source:10.* will also show IP's in the 100.xxx etc. range while it should show only 10.xxx.
Using a similar query for 192.168.* or 172.16.* works without problems and returns only the correct ranges.
Why isn't this working for 10.*?
What mapping are you using for the ip field? Is the field mapped as IP type or keyword type?
When mapping as the IP, * did not return any matching results. When mapping as keywork, the query worked as expected
Below is a sample data set. Run the following scripts in Dev tools
PUT test
{}
PUT test/_mapping
{
"properties": {
"ip_addr": {
"type": "keyword"
}
}
}
PUT test/_doc/1
{
"ip_addr": "100.168.1.1"
}
PUT test/_doc/2
{
"ip_addr": "10.168.1.1"
}
Then the query worked as expected
Its mapped as a keyword. However the problem isn't that 10.* doesn't return any results, the problem is that it returns too many results.
10.* should only match 10.* IP's, but instead it also matches IP's such as 100.*.
I did not see that in the provided example. Can you show some of the matching results that you think should be shown? Do they have 10. for any of the octets?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
