Query a specific IP address in Elastic

ianrobo · March 22, 2022, 10:38am

Hi there,

I am relatively new to elastic and expanding our ES daily.

We are ingesting logs from various network devices but come across a problem in Cisco. They do not send the hostname in their syslog and therefore all we get is for example

log.source.address: 10.1.1.1:56783 (where the port is random)

Therefore in KQL there are many entries for one device and seems no way to simply wildcard 10.1.1.1.

Using Lucene we need to build a regular expression for this and tried various formats but as ^ is not supported there seems no way to say

log.source.address:10/.1/.1/.1:<1-99999> and produce a result from this or using various combinations.

Can anyone advise the best code for this ?

Thanks in advance for the advice.

Cheers,
Ian

spinscale · March 22, 2022, 12:19pm

Instead of trying to figure out how to write a full text search query a more efficient way of solving this would be to store the ip address in a dedicated field of the type IP and query that field...

does that make sense to you?

ianrobo · March 22, 2022, 12:34pm

if that is possible Alexander, certainly, so I was trying to search for a way to convert the output of log.source.address: 10.1.1.1:56783 to say logsource.ip:10.1.1.1 online but could not find it, could you direct me to the resource for that.

Cheers,
Ian

Topic		Replies	Views
Kibana: howto query for IPaddr:Port in String with regex/wildcard Elasticsearch	2	1453	July 6, 2017
I want to output log to elasticsearch index from only specific "host.ip" Logstash	5	1483	April 6, 2021
Wildcard for source.ip field Elasticsearch	5	3411	February 25, 2022
Wildcard query Elasticsearch	3	2051	February 16, 2018
Searching for a broadcast IP in Kibana Kibana	5	2043	July 6, 2017

Query a specific IP address in Elastic

Related topics