Nested/hierarchical Elasticsearch query syntax?

jlixfeld · May 25, 2018, 8:04pm

Hey there,

I'm having a hard time wrapping my head around Elasticsearch search syntax in Kibana.

I have created this filter that works:

{
  "query": {
    "bool": {
      "should": [
        {
          "match": {
            "flow.src_addr": "10.0.0.0/24"
          }
        },
        {
          "match": {
            "flow.dst_addr": "10.0.0.0/24"
          }
        },
        {
          "match": {
            "flow.src_addr": "10.0.1.0/24"
          }
        },
        {
          "match": {
            "flow.dst_addr": "10.0.1.0/24"
          }
        }
      ]
    }
  }
}

What I'm trying to do is simplify that syntax to the Elasticsearch equivalent of something along the lines of:

((flow.dst_addr OR flow.src_addr) AND (10.0.1.0/24 OR 10.0.3.0/24 OR 10.0.3.0/24 OR 10.13.18.0/24 OR ... etc))

Is that possible?

Christian_Dahlqvist · May 26, 2018, 5:30am

Assuming you IP fields are mapped as type ip, you should be able to use a term query to do what you are looking for.

system · June 23, 2018, 5:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.