I have uploaded some syslogs through logstash into Elasticsearch and I am visualising these logs with Kibana 4.5.1. One of the fields is the destination IP and I have configured that as an IP address in Elastic ("type" : "ip"). Now I'm interested in finding the broadcast messages by searching for all messages with a destination IP ending with 255. I have tried entering Source_IP:*.*.*.255 in Kibana but this gave me the following error message: NumericTokenStream does not support CharTermAttribute. Is there another syntax for doing this?
Performing a wildcard query can be very slow as the data is not indexed. With the IP field type you can search on ranges. Do you have multiple subnets you need to search across where the broadcast IP would differ?
Ranges would be helpful if I had the opposite of this use case, i.e. if my wildcards were at the end of the IP address, not at the beginning. There are no specific subnets; I wanted to search for broadcast messages in general.
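The asymmetry the two replies above turn on, as an added example in Python (not code from the thread, from Elastic or from Kibana): an ip field is indexed as a number, so a trailing wildcard such as 10.0.1.* is one contiguous interval and maps to a single range clause, while a leading wildcard such as *.*.*.255 selects one isolated address per /24 and cannot be rewritten as a range. When the subnets are known, the broadcast address of each can be matched with exact term clauses instead. The field name dst, the subnets and the sample records are constructed assumptions; the last-octet check assumes IPv4.

```python
"""Added example, not from the forum thread: why a trailing wildcard on an
Elasticsearch "ip" field is a single range query while a leading wildcard
such as *.*.*.255 is not, and what to do instead.  The field name "dst",
the subnets and the sample records below are constructed assumptions."""
import ipaddress

# Constructed sample records; "dst" stands in for the thread's destination IP
# field that is mapped with "type": "ip".
SAMPLE_LOGS = [
    {"message": "ARP who-has 10.0.1.20", "dst": "10.0.1.255"},
    {"message": "DNS query example.org", "dst": "10.0.1.53"},
    {"message": "NetBIOS name query", "dst": "192.168.7.255"},
    {"message": "SSH session opened", "dst": "10.0.2.55"},
    {"message": "SSDP M-SEARCH", "dst": "239.255.255.250"},
]


def prefix_range_query(field, cidr):
    """A trailing wildcard (10.0.1.*) is the block 10.0.1.0/24: one contiguous
    interval of the numeric values an ip field is indexed as, so a single
    range clause expresses it exactly."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {"range": {field: {"gte": str(net[0]), "lte": str(net[-1])}}}


def contiguous_intervals(values):
    """Merge integers into sorted (lo, hi) runs; the number of runs is the
    number of range clauses needed to cover exactly those values."""
    runs = []
    for v in sorted(values):
        if runs and v == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], v)
        else:
            runs.append((v, v))
    return runs


def intervals_for_last_octet(cidr, octet=255):
    """IPv4 addresses inside cidr whose last octet equals `octet`, as string
    intervals.  Every /24 contributes one isolated address, so the set is
    not one range: a leading wildcard cannot be rewritten as a range query."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = [int(a) for a in net if (int(a) & 0xFF) == octet]
    return [(str(ipaddress.ip_address(lo)), str(ipaddress.ip_address(hi)))
            for lo, hi in contiguous_intervals(hits)]


def broadcast_query_for_subnets(field, cidrs):
    """When the subnets are known (the question the reply asks), match the
    directed broadcast address of each one with exact term clauses instead
    of a wildcard."""
    should = [
        {"term": {field: str(ipaddress.ip_network(c, strict=False).broadcast_address)}}
        for c in cidrs
    ]
    return {"bool": {"should": should, "minimum_should_match": 1}}


def find_last_octet(records, field="dst", octet=255):
    """Client-side equivalent of *.*.*.255 for records already fetched:
    compare the numeric value, not the string, so 239.255.255.250 is not
    matched merely because it contains '255'."""
    return [r for r in records
            if (int(ipaddress.ip_address(r[field])) & 0xFF) == octet]


if __name__ == "__main__":
    import json
    print(json.dumps(prefix_range_query("dst", "10.0.1.0/24")))
    print(len(intervals_for_last_octet("10.0.0.0/22")),
          "disjoint intervals for *.*.*.255 inside 10.0.0.0/22")
    print(json.dumps(broadcast_query_for_subnets("dst", ["10.0.1.0/24", "192.168.7.0/24"])))
    print([r["message"] for r in find_last_octet(SAMPLE_LOGS)])
```

Run it and the /22 case comes back as four single-address intervals, which is exactly why the range suggestion fits a trailing wildcard but not a leading one; the term-per-subnet query is the server-side fallback when the subnets are enumerable, and the client-side filter is the fallback when they are not.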