[SOLVED] Kibana search on IP part


(alexandre) #1

Hello,

When I make a curl request against Elasticsearch with the "_analyze" option, I get the tokens I want (example with the IP address 192.168.100.1):

"detail" : {
    "custom_analyzer" : true,
    "tokenizer" : {
      "name" : "ip_4_tokenizer",
      "tokens" : [ {
        "token" : "192",
        "start_offset" : 0,
        "end_offset" : 3,
        "type" : "word",
        "position" : 0,
        "positionLength" : 1,
        "bytes" : "[31 39 32]"
      }, {
        "token" : "192.168",
        "start_offset" : 0,
        "end_offset" : 7,
        "type" : "word",
        "position" : 0,
        "positionLength" : 1,
        "bytes" : "[31 39 32 2e 31 36 38]"
      }, {
        "token" : "192.168.100",
        "start_offset" : 0,
        "end_offset" : 11,
        "type" : "word",
        "position" : 0,
        "positionLength" : 1,
        "bytes" : "[31 39 32 2e 31 36 38 2e 31 30 30]"
      }, {
        "token" : "192.168.100.1",
        "start_offset" : 0,
        "end_offset" : 13,
        "type" : "word",
        "position" : 0,
        "positionLength" : 1,
        "bytes" : "[31 39 32 2e 31 36 38 2e 31 30 30 2e 31]"
      } ]
    }
  }

Search analyzer:

"custom-search_analyzer": {
    "type": "custom",
    "tokenizer": "keyword",
    "filter": ["remove_trailing_dot"]
}
"remove_trailing_dot": {
    "type": "pattern_replace",
    "pattern": "\\.$",
    "replacement": ""
}

Custom analyzer:

"my_ipv4_analyzer": {
    "type": "custom",
    "tokenizer": "ip_4_tokenizer"
}
"ip_4_tokenizer": {
    "type": "path_hierarchy",
    "delimiter": "."
}

In Kibana, when I search (on the client field) for "192.168.100.1" or "client:192.168.100.1", I get results. But when I try "192.168" or "192.168.", I don't get any results.

I don't understand why.

If you have any idea, please let me know.

Thanks in advance,
Alex


(Matt Bargar) #2

Does it work if you query Elasticsearch directly with something like curl, Postman, or Sense?

Did you configure the custom analyzer for your ip field prior to indexing your data?

And if you don't mind me asking, why do you need a custom analyzer? You could search for IPs in a certain range by using wildcards like client:192.168.*


(alexandre) #3

Thanks for your answer.

I found my mistake. I tried to update the index settings on the fly, and it erased some settings because I didn't include them in the update.

I deleted the index and put all the settings and mappings back. So now it works.

Thanks again.
Alex
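The two things this thread turns on are (a) what the posted `path_hierarchy` / `keyword` analyzers actually produce, so a query such as "192.168." can hit the indexed tokens of "192.168.100.1", and (b) the failure in post #3, where a partial settings update left analyzers referring to components that were no longer defined. The following is an added example written for this page, not code from the thread or from Elasticsearch: it models both analyzers offline in plain Python and adds a consistency check over a complete create-index body. The body is constructed from the settings quoted above; the `client` field mapping (current `text` mapping syntax with `analyzer` / `search_analyzer`) and all function names are assumptions for illustration.

```python
"""Offline model of the index-time and search-time analysis from the thread."""
import copy
import re

# Constructed complete create-index body, assembled from the settings quoted in
# the thread. The "client" field mapping is an assumption (the post shows none).
INDEX_BODY = {
    "settings": {
        "analysis": {
            "tokenizer": {
                "ip_4_tokenizer": {"type": "path_hierarchy", "delimiter": "."}
            },
            "filter": {
                "remove_trailing_dot": {
                    "type": "pattern_replace",
                    "pattern": r"\.$",
                    "replacement": "",
                }
            },
            "analyzer": {
                "my_ipv4_analyzer": {"type": "custom", "tokenizer": "ip_4_tokenizer"},
                "custom-search_analyzer": {
                    "type": "custom",
                    "tokenizer": "keyword",
                    "filter": ["remove_trailing_dot"],
                },
            },
        }
    },
    "mappings": {
        "properties": {
            "client": {
                "type": "text",
                "analyzer": "my_ipv4_analyzer",
                "search_analyzer": "custom-search_analyzer",
            }
        }
    },
}

# Subset of Elasticsearch's built-in tokenizers, enough for the reference check.
BUILTIN_TOKENIZERS = {"keyword", "standard", "whitespace"}


def index_tokens(value, body=INDEX_BODY):
    """Model of path_hierarchy: one token per prefix ending at a delimiter.
    For "192.168.100.1" this is exactly the token list shown in post #1."""
    delim = body["settings"]["analysis"]["tokenizer"]["ip_4_tokenizer"]["delimiter"]
    parts = value.split(delim)
    return [delim.join(parts[: i + 1]) for i in range(len(parts))]


def search_token(query, body=INDEX_BODY):
    """Model of the search analyzer: the keyword tokenizer keeps the whole query
    as one token, then pattern_replace strips a single trailing dot."""
    flt = body["settings"]["analysis"]["filter"]["remove_trailing_dot"]
    return re.sub(flt["pattern"], flt["replacement"], query)


def matches(query, indexed_value, body=INDEX_BODY):
    """A term-level match succeeds when the single search token equals any
    token the index-time analyzer emitted for the stored value."""
    return search_token(query, body) in index_tokens(indexed_value, body)


def dangling_references(body):
    """Return every analyzer component the body refers to but never defines.
    This is the situation from post #3: after a settings update that omitted
    part of the analysis block, analyzers point at missing tokenizers/filters,
    and the field mapping may point at missing analyzers."""
    analysis = body["settings"]["analysis"]
    tokenizers = set(analysis.get("tokenizer", {})) | BUILTIN_TOKENIZERS
    filters = set(analysis.get("filter", {}))
    analyzers = analysis.get("analyzer", {})
    missing = []
    for name, spec in analyzers.items():
        if spec.get("tokenizer") not in tokenizers:
            missing.append(f"{name} -> tokenizer {spec.get('tokenizer')}")
        for flt in spec.get("filter", []):
            if flt not in filters:
                missing.append(f"{name} -> filter {flt}")
    for field, mapping in body["mappings"]["properties"].items():
        for key in ("analyzer", "search_analyzer"):
            if key in mapping and mapping[key] not in analyzers:
                missing.append(f"{field}.{key} -> analyzer {mapping[key]}")
    return missing


def body_with_lost_filters(body=INDEX_BODY):
    """Constructed broken body: the analysis.filter section is gone, as it
    would be after a settings update that did not include it."""
    broken = copy.deepcopy(body)
    del broken["settings"]["analysis"]["filter"]
    return broken


if __name__ == "__main__":
    print(index_tokens("192.168.100.1"))
    print(matches("192.168.", "192.168.100.1"))
    print(dangling_references(INDEX_BODY))
    print(dangling_references(body_with_lost_filters()))
```

Running `dangling_references` over the body you are about to PUT, before deleting and recreating an index, catches the class of mistake described in post #3 without a round trip to the cluster: every analyzer must resolve to a defined (or built-in) tokenizer and to defined filters, and every field must resolve to a defined analyzer.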
