Search IPV6 only in Kibana for nginx access log

I have nginx access logs with IPV6 and IPV4 entries.

Is there a way to write KQL (or Lucene), so I find only IPV6 entries in the source.ip field?

Example of entries:

Mar 13, 2020 @ 11:21:59.000	200	141.8.142.31	noty.propovednik.com
Mar 13, 2020 @ 11:21:58.000	206	2a00:1fa0:4205:610b:0:4e:fb1e:8701	propovednik.com

I tried to search for entries which have ":" in them, but such a query fails:

source.ip: "*:*"

Error:

{"type":"illegal_argument_exception","reason":"'*:*' is not an IP string literal."}}}]},"status":400}

You can use a CIDR search with an IP datatype.

You might expect this to work: client_ip:"::/0", but it doesn't; it still shows everything.

But this only shows v6 addresses: NOT client_ip:"0.0.0.0/0"

(tested on ES 6.6.2)

1 Like
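As an added illustration (not part of the thread), a small Python emulation of why the two CIDR queries above behave as reported. It assumes that an Elasticsearch ip field stores IPv4 values as IPv4-mapped IPv6 (::ffff:a.b.c.d), so "::/0" covers every stored value while "0.0.0.0/0" covers only the IPv4 ones, and NOT "0.0.0.0/0" leaves just the IPv6 entries. The sample rows are the two from the question plus two constructed ones; the field name source.ip follows the question.

```python
import ipaddress

# Constructed sample table as (status, source.ip, host): the two rows quoted
# in the question plus two constructed rows.
ENTRIES = [
    ("200", "141.8.142.31", "noty.propovednik.com"),
    ("206", "2a00:1fa0:4205:610b:0:4e:fb1e:8701", "propovednik.com"),
    ("200", "10.0.0.7", "v4.constructed.example"),
    ("404", "2001:db8::1", "v6.constructed.example"),
]

V4_MAPPED_PREFIX = 0xFFFF << 32  # ::ffff:0:0/96, where IPv4 lives inside IPv6

def to_v6(addr: str) -> ipaddress.IPv6Address:
    """Widen an address to 16 bytes the way an ES `ip` field is assumed to
    store it: IPv6 as-is, IPv4 as the IPv4-mapped form ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return ip
    return ipaddress.IPv6Address(V4_MAPPED_PREFIX | int(ip))

def to_v6_network(cidr: str) -> ipaddress.IPv6Network:
    """Widen a CIDR the same way: an IPv4 /n becomes an IPv6 /(n+96)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 6:
        return net
    mapped = V4_MAPPED_PREFIX | int(net.network_address)
    return ipaddress.IPv6Network((mapped, net.prefixlen + 96))

def cidr_matches(addr: str, cidr: str) -> bool:
    """Emulate the KQL term  source.ip:"<cidr>"  on an ip-typed field."""
    return to_v6(addr) in to_v6_network(cidr)

def run_query(entries, cidr: str, negate: bool = False) -> list:
    """Return the source.ip values selected by the CIDR query (or by its NOT)."""
    return [addr for _, addr, _ in entries if cidr_matches(addr, cidr) != negate]

def ipv6_only(entries) -> list:
    """The working query from the answer: NOT source.ip:"0.0.0.0/0"."""
    return run_query(entries, "0.0.0.0/0", negate=True)

def ipv6_only_query_dsl(field: str = "source.ip") -> dict:
    """Equivalent Query DSL; a term query on an ip field accepts CIDR notation."""
    return {"query": {"bool": {"must_not": [{"term": {field: "0.0.0.0/0"}}]}}}

if __name__ == "__main__":
    print('source.ip:"::/0"          ->', run_query(ENTRIES, "::/0"))
    print('source.ip:"0.0.0.0/0"     ->', run_query(ENTRIES, "0.0.0.0/0"))
    print('NOT source.ip:"0.0.0.0/0" ->', ipv6_only(ENTRIES))
```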

Looks like that doesn't do anything.
I see both IPV4 and IPV6 with that query:

Same result with NOT client_ip:"0.0.0.0/0", too

Works for me:

this behaviour might be version-dependent, what version of ES are you using?

It does work!
My apologies.

I just have a field which is called source.ip, not client_ip.

I'm using Kibana 7.6.0.

Thank you!

1 Like

I hope that facepalm wasn't too hard :smiley:

Time for the weekend?