Can you explain to me why this search string: netflow.ipv4_src_addr:[192.168.150.0 TO 192.168.255.255]
gives me IP addresses from 192.168.2.0, 192.168.23.0, etc.?
I expected something like 192.168.150.xx, 192.168.151.xx ... ... ... 192.168.255.255. So, nothing <150 in the 3rd octet!
How should I make this query? (From 150 to 255 in the 3rd octet)
What's your field type?
https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-types.html
netflow.ipv4_dst_addr string
netflow.ipv4_dst_addr.keyword string
netflow.ipv4_src_addr string
netflow.ipv4_src_addr.keyword string
Because you have a string datatype, your search string gets separated by dots and searched by parts.
Try using IP datatype:
https://www.elastic.co/guide/en/elasticsearch/reference/current/ip.html
OK, should I change the datatype?
I don't clearly understand what I should do. Is "reindex" my case?
I tried to do this but it doesn't give any result.
PUT /netflow-2018.05.18
{
  "mappings": {
    "netflow": {
      "dynamic": true,
      "properties": {
        "ipv4_src_addr": {
          "type": "ip"
        },
        "ipv4_dst_addr": {
          "type": "ip"
        },
        "xlate_src_addr_ipv4": {
          "type": "ip"
        },
        "xlate_dst_addr_ipv4": {
          "type": "ip"
        }
      }
    }
  }
}
The result is an error.
{
  "error": {
    "root_cause": [
      {
        "type": "resource_already_exists_exception",
        "reason": "index [netflow-2018.05.18/jZOpeOEATcekrz6VSMZHBA] already exists",
        "index_uuid": "jZOpeOEATcekrz6VSMZHBA",
        "index": "netflow-2018.05.18"
      }
    ],
    "type": "resource_already_exists_exception",
    "reason": "index [netflow-2018.05.18/jZOpeOEATcekrz6VSMZHBA] already exists",
    "index_uuid": "jZOpeOEATcekrz6VSMZHBA",
    "index": "netflow-2018.05.18"
  },
  "status": 400
}
If you're doing a reindex, the output should be a new existing index.
I suggest you first create an index with predefined mapping and then reindex data into it or fill in data from scratch.
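As an added illustration (not code from this thread or from Elastic), the Python below reproduces the two behaviours with the thread's own bounds: a range over a string-typed field is compared byte by byte, so "192.168.2.0" sorts between "192.168.150.0" and "192.168.255.255" because '2' comes after '1', whereas the ip datatype compares the 32-bit address numerically. It also builds the three request bodies for the sequence suggested above: create a new index with an ip mapping, reindex the old index into it, then run the range query. The index names, the doc type "netflow", the constructed sample addresses, and the assumption that the addresses sit under a netflow object (as the query's field path netflow.ipv4_src_addr suggests) are assumptions; the bodies are built and printed, not sent.

```python
"""Lexical vs numeric range matching on IP addresses, plus the request bodies
for moving a netflow index to an ip-typed mapping. Added illustration only."""
import ipaddress
import json

# Bounds taken from the question in the thread.
LOWER = "192.168.150.0"
UPPER = "192.168.255.255"

# Constructed sample of source addresses, including the two the poster saw.
SAMPLE_ADDRS = [
    "192.168.2.0", "192.168.23.0", "192.168.100.7",
    "192.168.150.1", "192.168.200.9", "192.168.255.255", "10.0.0.1",
]


def in_range_as_string(addr: str, lower: str = LOWER, upper: str = UPPER) -> bool:
    """Byte-by-byte string comparison: what a range over a string/keyword field does.
    '2' sorts after '1', so "192.168.2.0" lands between "192.168.150.0" and
    "192.168.255.255" although numerically it is far below the range."""
    return lower <= addr <= upper


def in_range_as_ip(addr: str, lower: str = LOWER, upper: str = UPPER) -> bool:
    """Numeric comparison of the 32-bit address: what the ip datatype does."""
    lo, hi, a = (ipaddress.ip_address(x) for x in (lower, upper, addr))
    return lo <= a <= hi


def classify(addrs=SAMPLE_ADDRS):
    """Return (addresses the string range matches, addresses the ip range matches)."""
    string_hits = [a for a in addrs if in_range_as_string(a)]
    ip_hits = [a for a in addrs if in_range_as_ip(a)]
    return string_hits, ip_hits


# Assumed field layout: the query uses netflow.ipv4_src_addr, so the addresses
# are taken to live under a "netflow" object inside each document.
IP_FIELDS = ["ipv4_src_addr", "ipv4_dst_addr", "xlate_src_addr_ipv4", "xlate_dst_addr_ipv4"]


def ip_index_mapping(doc_type: str = "netflow", obj: str = "netflow") -> dict:
    """Body for PUT /<new-index>: the ip mapping must exist before data lands in it."""
    return {"mappings": {doc_type: {"dynamic": True, "properties": {
        obj: {"properties": {f: {"type": "ip"} for f in IP_FIELDS}}}}}}


def reindex_body(source_index: str, dest_index: str) -> dict:
    """Body for POST /_reindex: copies the string-mapped documents into the ip-mapped index."""
    return {"source": {"index": source_index}, "dest": {"index": dest_index}}


def ip_range_query(field: str, lower: str = LOWER, upper: str = UPPER) -> dict:
    """Body for GET /<new-index>/_search: on an ip field the range is numeric."""
    return {"query": {"range": {field: {"gte": lower, "lte": upper}}}}


if __name__ == "__main__":
    string_hits, ip_hits = classify()
    print("string field matches:", string_hits)
    print("ip field matches:    ", ip_hits)
    # Hypothetical index names; the existing index cannot be re-created in place.
    print(json.dumps(ip_index_mapping(), indent=2))
    print(json.dumps(reindex_body("netflow-2018.05.18", "netflow-2018.05.18-ip"), indent=2))
    print(json.dumps(ip_range_query("netflow.ipv4_src_addr"), indent=2))
```

Running it shows 192.168.2.0 and 192.168.23.0 among the string-field matches and absent from the ip-field matches, which is exactly the difference the poster observed. The reindex body targets a new index name because, as the error above shows, PUT cannot change the mapping of an index that already exists.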