Refer to value lists in ES|QL?

Hi @alyx !

So you want the ability to check if an IP belongs to a pre-determined list of IPs that is populated somewhere somehow and you wanna do that directly in ESQL?

Are you able to have those IPs dumped to a field in an index? If yes, then one possible way to achieve this is to use a combination of VALUES and MV_CONTAINS. Both functions support the IP type.

Example.
Assuming some_index has column ip of type IP.

FROM some_index

// dedupes the passed field into a single multi-valued list
| STATS ips = VALUES(ip)

// true if-and-only-if every element in the subset (second param) belongs to the superset (first param)
// pass any number of IPs in the subset
| EVAL found = MV_CONTAINS(ips, [some_ip_1, some_ip2, ...])