Use CIDR masks from Discover tab?


(Rob Buhler) #1

I know there is the ability in Kibana to search by an IP range
ex: ip:["128.0.0.0" TO "191.255.255.255"]

and there is also the ability to use CIDR masks when creating a new
aggregation (Visualization tab).

My question is can you somehow use CIDR masks from the Discovery view?

ex: ip:"128.0.0/2"

Every variation I have tried has resulted in an error for invalid syntax or an error with the request.

If this does not exist yet, is it something that is planned for a future release?

Thanks.


(Rob Buhler) #2

Just happened to see this ticket - https://github.com/elastic/elasticsearch/issues/7464


(Tanya Bragin) #3

Yeah, until Elasticsearch natively supports it in Lucene query syntax, Kibana Discover search won't support it either. The query from the search bar is passed straight through to Elasticsearch.


(Rob Buhler) #4

Thanks for the reply! I'll wait and see if this gets added to Elasticsearch.


(Mat Williamson) #5

This would be extremely useful for our firewall team and might help us displace some more Splunk!


(Mark Walkom) #6

Turns out you can do this using this query - {"term" : {"ip" : "192.168.0.0/24"}} (NOTE: applies to ES 2.2 only sorry!).

Thanks to @lukas for digging it up :smiley:
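The two query shapes discussed in this thread (the Lucene range syntax Discover accepts on any version, from post #1, and the CIDR term query for ES 2.2 ip fields, from post #6) are easy to mix up by hand, so here is an added example, not part of the thread, that derives both from one CIDR block and checks the result locally against constructed sample events. The field name "ip" and the sample addresses are assumptions; the thread only shows the query shapes, not a mapping or data.

```python
import ipaddress
import json

# Added example, not from the thread. The field name "ip" and the sample
# events below are assumptions; the thread only shows the query shapes.


def cidr_to_lucene_range(field, cidr):
    """Rewrite a CIDR block as the Lucene range syntax Discover already accepts.

    strict=False lets a host address such as 192.168.0.5/24 stand in for its
    network, the way most firewall tooling treats it.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return f'{field}:["{net.network_address}" TO "{net.broadcast_address}"]'


def cidr_to_range_query(field, cidr):
    """Same filter as query DSL: a range clause on an ip field, for ES versions
    whose term query does not understand CIDR strings."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {"range": {field: {"gte": str(net.network_address),
                              "lte": str(net.broadcast_address)}}}


def cidr_to_term_query(field, cidr):
    """The shape from post #6: a term query carrying the CIDR string (ES 2.2 ip fields).
    The network is normalised first, so host bits never leak into the query."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {"term": {field: str(net)}}


def filter_by_cidr(events, field, cidr):
    """Client-side equivalent of the server-side filter, for sanity-checking results."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [e for e in events if ipaddress.ip_address(e[field]) in net]


# Constructed sample events standing in for firewall log documents.
SAMPLE_EVENTS = [
    {"ip": "192.168.0.7", "action": "allow"},
    {"ip": "192.168.1.7", "action": "allow"},
    {"ip": "130.20.1.1", "action": "deny"},
    {"ip": "10.0.0.1", "action": "allow"},
]


if __name__ == "__main__":
    for cidr in ("128.0.0.0/2", "192.168.0.0/24"):
        print(cidr_to_lucene_range("ip", cidr))            # paste into Discover on any version
        print(json.dumps(cidr_to_term_query("ip", cidr)))  # post #6's form, ES 2.2 ip fields
        print(json.dumps(cidr_to_range_query("ip", cidr)))
        print([e["ip"] for e in filter_by_cidr(SAMPLE_EVENTS, "ip", cidr)])
```

Two caveats worth knowing before relying on this: the shorthand `128.0.0/2` from post #1 is rejected by `ipaddress` just as it is by Kibana, so write all four octets (`128.0.0.0/2`); and the `ip` field type in Elasticsearch 2.x only stores IPv4, so even though `ipaddress` will happily expand an IPv6 block, the resulting query will not match anything on a 2.x ip field.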

