Regex with "interval" flag enabled to filter private-ip-addresses

In the Kibana visualization query interface, in the "Add filter -> Edit as Query DSL" editor, I am using the below "REGEX" filter queries with the "INTERVAL" flag set, to filter the private IP addresses. I did check the search output and it seems to work. The use of the INTERVAL facility seems to be more clean and readable. Note I do know there exists the CIDR notation, but since my "ipa" field is set to type "keyword" I guess I will not be able to use the CIDR notation until the administrator changes the field to type "ip" and re-indexes the data; till then I plan to use the below technique. Are there any shortcomings in using this INTERVAL facility?

// filter1  (10.0.0.0 – 10.255.255.255)
{
  "query": {
    "regexp": {
      "ipa": {
        "value": "10[.]<0-255>[.]<0-255>[.]<0-255>",
        "flags": "INTERVAL"
      }
    }
  }
}

// filter2  (172.16.0.0 – 172.31.255.255)
{
  "query": {
    "regexp": {
      "ipa": {
        "value": "172[.]<16-31>[.]<0-255>[.]<0-255>",
        "flags": "INTERVAL"
      }
    }
  }
}

// filter3  (192.168.0.0 – 192.168.255.255)
{
  "query": {
    "regexp": {
      "ipa": {
        "value": "192[.]168[.]<0-255>[.]<0-255>",
        "flags": "INTERVAL"
      }
    }
  }
}

// filter4  (169.254.1.0 – 169.254.254.255)  (link-local)
{
  "query": {
    "regexp": {
      "ipa": {
        "value": "169[.]254[.]<1-254>[.]<0-255>",
        "flags": "INTERVAL"
      }
    }
  }
}
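The four filters above can be exercised locally before they go into Kibana. The following is an added example, not code from the post or from Elastic: it rewrites the Lucene `<lo-hi>` interval tokens into ordinary Python regex alternations, applies them with `fullmatch()` (an Elasticsearch `regexp` query is anchored to the whole keyword term, so this mirrors the cluster), and then compares the result against the standard library's `ipaddress` view of what is private, which surfaces ranges the posted filters leave out (loopback, and `169.254.0.x` since filter4 starts at `.1`). The sample terms are constructed; the emulator assumes octets are written in canonical decimal form without leading zeros, and whether the cluster's matcher also accepts a term like `10.01.2.3` is something to verify against the real index rather than something this code models.

```python
"""Emulate the Lucene INTERVAL-flag filters from the post locally, so the four
patterns can be tested against sample terms before they go into Kibana.
Added example; not code from the post or from Elastic."""
import ipaddress
import re
from typing import Dict, List, Optional

# The four patterns exactly as posted (keyword field "ipa").
LUCENE_PATTERNS = {
    "filter1": "10[.]<0-255>[.]<0-255>[.]<0-255>",
    "filter2": "172[.]<16-31>[.]<0-255>[.]<0-255>",
    "filter3": "192[.]168[.]<0-255>[.]<0-255>",
    "filter4": "169[.]254[.]<1-254>[.]<0-255>",
}

INTERVAL = re.compile(r"<(\d+)-(\d+)>")


def interval_to_regex(lo: int, hi: int) -> str:
    """Expand <lo-hi> into an ordinary alternation of canonical decimal strings.
    Assumption of this emulator: an octet must be written without leading zeros.
    Whether the cluster's matcher also accepts "10.01.2.3" must be verified
    against the real index; it is not modelled here."""
    if lo > hi:
        lo, hi = hi, lo
    # Longest literals first so the alternation is unambiguous even without backtracking.
    alts = sorted((str(n) for n in range(lo, hi + 1)), key=len, reverse=True)
    return "(?:" + "|".join(alts) + ")"


def lucene_to_python(pattern: str) -> "re.Pattern[str]":
    """Rewrite only the <lo-hi> tokens; the literals and [.] are valid Python regex as-is."""
    py = INTERVAL.sub(lambda m: interval_to_regex(int(m.group(1)), int(m.group(2))), pattern)
    return re.compile(py)


COMPILED = {name: lucene_to_python(p) for name, p in LUCENE_PATTERNS.items()}


def match_filter(term: str) -> Optional[str]:
    """Name of the first posted filter that matches the term, or None.
    fullmatch() mirrors an Elasticsearch regexp query, which is anchored to the whole term."""
    for name, rx in COMPILED.items():
        if rx.fullmatch(term):
            return name
    return None


def classify(terms: List[str]) -> Dict[str, Optional[str]]:
    return {t: match_filter(t) for t in terms}


def uncovered_private(terms: List[str]) -> List[str]:
    """Terms the standard library regards as private (incl. link-local and loopback)
    but none of the posted filters catch. Terms that do not parse as an address are skipped."""
    gaps = []
    for t in terms:
        if match_filter(t) is not None:
            continue
        try:
            addr = ipaddress.ip_address(t)
        except ValueError:
            continue
        if addr.is_private:
            gaps.append(t)
    return gaps


# Constructed sample values for the "ipa" keyword field (not taken from the post).
SAMPLE_TERMS = [
    "10.0.0.1", "10.255.255.255",        # filter1, including the top of the range
    "172.16.0.1", "172.31.255.255",      # filter2 boundaries
    "172.32.0.1",                        # just outside 172.16/12
    "192.168.1.10", "192.168.256.1",     # filter3; 256 is not in <0-255>
    "169.254.1.1", "169.254.0.5",        # filter4; the posted range starts at .1
    "127.0.0.1", "8.8.8.8",              # loopback is not covered; public address
    "10.1.2.3.4", "010.1.2.3",           # anchoring: extra octet / leading zero before "10"
]

if __name__ == "__main__":
    for term, hit in classify(SAMPLE_TERMS).items():
        print(f"{term:>16} -> {hit}")
    print("private but unmatched by the posted filters:", uncovered_private(SAMPLE_TERMS))
```

Running the script shows each sample term with the filter that catches it, followed by the terms `ipaddress` considers private that none of the four patterns match; that second list is the concrete answer to the "shortcomings" question for the address set you actually see in the index.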