I have nginx access logs with IPV6 and IPV4 entries.
Is there a way to write KQL (or Lucene) so that I find only IPV6 entries in the source.ip field?
Example of entries:
Mar 13, 2020 @ 11:21:59.000 200 141.8.142.31 noty.propovednik.com
Mar 13, 2020 @ 11:21:58.000 206 2a00:1fa0:4205:610b:0:4e:fb1e:8701 propovednik.com
I tried to search for entries which have ":" in them, but such a query fails:
source.ip: "*:*"
Error:
{"type":"illegal_argument_exception","reason":"'*:*' is not an IP string literal."}}}]},"status":400}
You can use a CIDR search with an IP datatype.
You might expect this to work: client_ip:"::/0"
but it doesn't; it still shows everything.
But this only shows v6 addresses: NOT client_ip:"0.0.0.0/0"
(tested on ES 6.6.2)
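Why "::/0" matches every document while NOT "0.0.0.0/0" leaves only IPv6 is easier to see with a small model of how an Elasticsearch ip field is stored: every value is kept as a 16-byte IPv6 address, with IPv4 addresses placed in the IPv4-mapped range ::ffff:0:0/96. The Python below is an added example, not code from this thread or from Elastic; the sample events are constructed from the two log lines in the question, and the helper names (to_ipv6_mapped, cidr_matches, ipv6_only, ipv6_only_query) are this example's own. It emulates the CIDR term query and also emits the equivalent query DSL for the working KQL filter.

```python
import ipaddress

# Constructed sample events, modelled on the two nginx lines in the question
# plus one extra address of each family.
SAMPLE_EVENTS = [
    {"status": 200, "source.ip": "141.8.142.31", "host": "noty.propovednik.com"},
    {"status": 206, "source.ip": "2a00:1fa0:4205:610b:0:4e:fb1e:8701", "host": "propovednik.com"},
    {"status": 200, "source.ip": "10.0.0.7", "host": "example.test"},
    {"status": 404, "source.ip": "::1", "host": "example.test"},
]


def to_ipv6_mapped(addr: str) -> ipaddress.IPv6Address:
    """Model of how an Elasticsearch/Lucene `ip` field stores a value: always a
    16-byte IPv6 address, with IPv4 embedded as an IPv4-mapped address
    (::ffff:a.b.c.d). Assumption of this example, stated for illustration."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address(f"::ffff:{ip}")
    return ip


def cidr_matches(addr: str, cidr: str) -> bool:
    """Emulate a CIDR term query (e.g. source.ip:"0.0.0.0/0") against an ip field."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        # A v4 prefix covers the mapped range ::ffff:a.b.c.d with 96 extra bits.
        net = ipaddress.IPv6Network(
            (to_ipv6_mapped(str(net.network_address)), 96 + net.prefixlen),
            strict=False,
        )
    # "::/0" is the whole 128-bit space, so mapped IPv4 values fall inside it too.
    return to_ipv6_mapped(addr) in net


def ipv6_only(events, field="source.ip"):
    """The filter that works in the thread: NOT <field>:"0.0.0.0/0"."""
    return [e for e in events if not cidr_matches(e[field], "0.0.0.0/0")]


def ipv6_only_query(field="source.ip") -> dict:
    """Query DSL equivalent of the KQL `NOT source.ip:"0.0.0.0/0"`."""
    return {"query": {"bool": {"must_not": [{"term": {field: "0.0.0.0/0"}}]}}}


if __name__ == "__main__":
    for ip in ("141.8.142.31", "2a00:1fa0:4205:610b:0:4e:fb1e:8701"):
        print(ip, "in ::/0 ->", cidr_matches(ip, "::/0"),
              "| in 0.0.0.0/0 ->", cidr_matches(ip, "0.0.0.0/0"))
    print("IPv6 only:", [e["source.ip"] for e in ipv6_only(SAMPLE_EVENTS)])
    print(ipv6_only_query())
```

The same model explains the original error: a wildcard such as "*:*" is parsed as an IP literal for an ip-typed field, so a string pattern can never be used there; a CIDR range is the supported way to carve out part of the address space.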
Looks like that doesn't do anything.
I see both IPV4 and IPV6 with that query:
Same result with NOT client_ip:"0.0.0.0/0", too.
Works for me:
this behaviour might be version-dependent, what version of ES are you using?
It does work!
My apologies.
I just have a field which is called source.ip, not client_ip.
I'm using Kibana 7.6.0.
Thank you!
I hope that facepalm wasn't too hard
Time for the weekend?
system (Closed April 10, 2020, 8:19pm): This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.