Wildcard failed under query_string


(bobo tm) #1

i want to query es like this:
curl -H 'Content-Type: application/json' -XGET 'http://172.19.1.252:9200/logstash-apache_access2018-05*/_search?pretty&ignore_unavailable=true&size=0' -d '{
"aggs": {
"counts": {
"terms": {
"field": "geoip.ip",
"size": 50
}
}
},
"query": {
"bool": {
"filter": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gt": "2018-05-30T01:35:19.668263Z",
"lte": "2018-05-30T01:36:09.599633Z"
}
}
},
{
"query_string": {
"query": ""
}
},
{
"query_string": {
"query": "NOT geoip.ip:1.2.3.4"
}
},
{
"query_string": {
"query": "NOT geoip.ip: a.b.c.
"
}
}
]
}
}
}
}
}'
what i want is to exclude a ip 1.2.3.4 and ip _range from a.b.c.1 to a.b.c.254 in my information,when i query,i found the ip
1.2.3.4 is not in my info any more,but the ips who is under a.b.c.* is still stay in my info but it is not what i want.
so,i want to learn how to write my query rules if using wildcard in "query": "NOT geoip.ip: a.b.c.*"


(David Pilato) #2

It mostly depends on the mapping you have.

Why not using a range query on a ip type field?


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.