In the Kibana visualization query interface, in the "Add filter -> Edit as Query DSL" editor, I am using the below "REGEX" filter queries with the "INTERVAL" flag set to filter the private IP addresses. I did check the search output and it seems to work. The use of the INTERVAL facility seems to be cleaner and more readable. Note that I do know there exists the CIDR notation, but since my "ipa" field is set to type "keyword" I guess I will not be able to use the CIDR notation until the administrator changes the field to type "ip" and re-indexes the data; until then I plan to use the below technique. Are there any shortcomings in using this INTERVAL facility?
// filter1 (10.0.0.0 – 10.255.255.255)
{
  "query": {
    "regexp": {
      "ipa": {
        "value": "10[.]<0-255>[.]<0-255>[.]<0-255>",
        "flags": "INTERVAL"
      }
    }
  }
}
// filter2 (172.16.0.0 – 172.31.255.255)
{
  "query": {
    "regexp": {
      "ipa": {
        "value": "172[.]<16-31>[.]<0-255>[.]<0-255>",
        "flags": "INTERVAL"
      }
    }
  }
}
// filter3 (192.168.0.0 – 192.168.255.255)
{
  "query": {
    "regexp": {
      "ipa": {
        "value": "192[.]168[.]<0-255>[.]<0-255>",
        "flags": "INTERVAL"
      }
    }
  }
}
// filter4 (169.254.1.0 – 169.254.254.255) (link-local)
{
  "query": {
    "regexp": {
      "ipa": {
        "value": "169[.]254[.]<1-254>[.]<0-255>",
        "flags": "INTERVAL"
      }
    }
  }
}
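The four filters above are hand-written instances of one general rule: for a CIDR block, every octet fully covered by the prefix becomes a fixed number, the octet the prefix ends in becomes `<lo-hi>`, and the remaining octets become `<0-255>`. The script below is an added example, not code from the original post, that derives the Lucene INTERVAL regexp from a CIDR, wraps it in the Kibana "Edit as Query DSL" filter shape, and sanity-checks the pattern offline by expanding `<lo-hi>` into an explicit alternation that Python's `re` can evaluate and comparing it with the `ipaddress` module over constructed sample terms. The field name `ipa` and the sample terms are assumptions for the example; the link-local block covers the whole 169.254.0.0/16 rather than the trimmed third octet used in filter4.

```python
"""Build Kibana regexp filters with Lucene INTERVAL syntax from CIDR blocks and
check them offline. Added example, not part of the original post; the field
name "ipa" and the sample terms are constructed for this demonstration."""
import ipaddress
import json
import re

# Constructed sample keyword terms: private, public, boundary and malformed values.
SAMPLE_TERMS = [
    "10.0.0.1", "10.255.255.254", "100.64.0.1",
    "172.15.255.255", "172.16.0.1", "172.31.255.255", "172.32.0.1",
    "192.168.10.20", "192.169.0.1", "169.254.100.5", "8.8.8.8",
    "10.1.2.3:443",   # IP with a port: a keyword term the filter must NOT match
    "2001:db8::1",    # IPv6 literal, never matched by a four-octet pattern
]

PRIVATE_CIDRS = {
    "rfc1918-a": "10.0.0.0/8",
    "rfc1918-b": "172.16.0.0/12",
    "rfc1918-c": "192.168.0.0/16",
    "link-local": "169.254.0.0/16",
}


def cidr_to_interval_regexp(cidr: str) -> str:
    """Map an IPv4 CIDR onto a Lucene regexp using <lo-hi> intervals per octet."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 CIDRs map onto four dotted octets")
    parts = []
    for i, octet in enumerate(net.network_address.packed):
        fixed_bits = max(0, min(8, net.prefixlen - 8 * i))  # prefix bits in this octet
        if fixed_bits == 8:
            parts.append(str(octet))           # octet fully fixed by the prefix
        else:
            span = 0xFF >> fixed_bits          # host bits that may vary in this octet
            parts.append(f"<{octet}-{octet | span}>")  # network address has host bits zero
    return "[.]".join(parts)                   # literal dots, as in the original filters


def kibana_filter(field: str, cidr: str) -> dict:
    """The JSON body pasted into Kibana's "Edit as Query DSL" filter editor."""
    return {"query": {"regexp": {field: {
        "value": cidr_to_interval_regexp(cidr),
        "flags": "INTERVAL",
    }}}}


_INTERVAL = re.compile(r"<(\d+)-(\d+)>")


def interval_to_python(lucene: str) -> re.Pattern:
    """Expand each <lo-hi> into an alternation of decimal numbers so Python's re
    can evaluate the pattern; intended for octet-sized ranges only."""
    def expand(m: re.Match) -> str:
        lo, hi = int(m.group(1)), int(m.group(2))
        return "(?:" + "|".join(str(n) for n in range(lo, hi + 1)) + ")"
    return re.compile(_INTERVAL.sub(expand, lucene))


def term_matches(cidr: str, term: str) -> bool:
    """Elasticsearch regexp queries are anchored to the whole keyword term, so
    fullmatch is the faithful local equivalent."""
    return interval_to_python(cidr_to_interval_regexp(cidr)).fullmatch(term) is not None


def check_against_ipaddress(cidr: str, terms) -> list:
    """Return the terms where the regexp disagrees with ipaddress membership;
    an empty list means the filter is faithful to the CIDR for those terms."""
    net = ipaddress.ip_network(cidr)
    mismatches = []
    for term in terms:
        try:
            expected = ipaddress.ip_address(term) in net
        except ValueError:
            expected = False  # not a bare IP literal (port suffix, garbage, ...)
        if term_matches(cidr, term) != expected:
            mismatches.append(term)
    return mismatches


if __name__ == "__main__":
    for name, cidr in PRIVATE_CIDRS.items():
        print(f"// {name} ({cidr})")
        print(json.dumps(kibana_filter("ipa", cidr), indent=2))
        print("mismatches:", check_against_ipaddress(cidr, SAMPLE_TERMS))
```

Running it prints the same four filter bodies as above (with the full /16 for link-local) and an empty mismatch list for each. Two things the check makes visible: the regexp only matches a term that is exactly a dotted quad, so a keyword value carrying a port or surrounding text falls through silently, and a regexp query on a keyword field walks the term dictionary rather than using the range structures an `ip` field would give you, which is why Elasticsearch classes regexp queries among those gated by `search.allow_expensive_queries`.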