[SOLVED] Kibana search on IP part

axelfelix · May 2, 2016, 2:52pm

Hello,

When I make a curl request against elasticsearch with "_analyze" option I get tokens that I want (example with ip address 192.168.100.1):

"detail" : {
    "custom_analyzer" : true,
    "tokenizer" : {
      "name" : "ip_4_tokenizer",
      "tokens" : [ {
        "token" : "192",
        "start_offset" : 0,
        "end_offset" : 3,
        "type" : "word",
        "position" : 0,
        "positionLength" : 1,
        "bytes" : "[31 39 32]"
      }, {
        "token" : "192.168",
        "start_offset" : 0,
        "end_offset" : 7,
        "type" : "word",
        "position" : 0,
        "positionLength" : 1,
        "bytes" : "[31 39 32 2e 31 36 38]"
      }, {
        "token" : "192.168.100",
        "start_offset" : 0,
        "end_offset" : 11,
        "type" : "word",
        "position" : 0,
        "positionLength" : 1,
        "bytes" : "[31 39 32 2e 31 36 38 2e 31 30 30]"
      }, {
        "token" : "192.168.100.1",
        "start_offset" : 0,
        "end_offset" : 13,
        "type" : "word",
        "position" : 0,
        "positionLength" : 1,
        "bytes" : "[31 39 32 2e 31 36 38 2e 31 30 30 2e 31]"

Search_analyzer:

"custom-search_analyzer": {
    "type": "custom",
    "tokenizer": "keyword",
    "filter": ["remove_trailing_dot"]
}
"remove_trailing_dot": {
    "type": "pattern_replace",
    "pattern": "\\.$",
    "replace": ""
}

Custom analyzer:

"my_ipv4_analyzer": {
    "type": "custom",
    "tokenizer": "ip_4_tokenizer"
}
"ip_4_tokenizer": {
    "type": "path_hierarchy",
    "delimiter": "."
}

In kibana when I make a search like (on client field) "192.168.100.1" or "client:192.168.100.1" I get a results. But when I try with "192.168" or "192.168." I didn't get any result.

I don't understand why ?

If you have any idea.

Thanks in advance,
Alex

Bargs · May 2, 2016, 10:37pm

Does it work if you query elasticsearch directly with something like Curl, Postman, or Sense?

Did you configure the custom analyzer for your ip field prior to indexing your data?

And if you don't mind me asking, why do you need a custom analyzer? You could search for IPs in a certain range by using wildcards like client:192.168.*

axelfelix · May 3, 2016, 10:02am

Thanks for your answer.

I found my mistake. I tried to update index settings on the fly and it erased some settings because I didn't put them during update.

I delete the index and I put again all the settings and mappings. So now it works.

Thanks again.
Alex

Topic		Replies	Views
[SOLVED] Question about custom analyzer Elasticsearch	7	1671	July 5, 2017
ElasticSearch : Custom Analyzer Discussions en français	10	2688	July 6, 2017
Analyzer in Kibana Elasticsearch	5	385	June 6, 2018
Custom text analyzer for url encoded logs Elasticsearch	1	132	November 10, 2022
Analyzer API does not work for Elasticsearch 1.7 Elasticsearch	3	572	May 3, 2017

[SOLVED] Kibana search on IP part

Related topics