Wildcard for source.ip field

Hi there,

I would like to know how to fix this search (if is possible of course):

(winlog.channel:"Security" AND (winlog.event_id:"4624" AND winlog.event_data.LogonType:"10") AND (NOT (source.ip:(10.* OR 192.168.* OR 172.31* OR 172.30.* OR 172.29.* OR 172.28.* OR 172.27.* OR 172.26.* OR 172.25.* OR 172.24.* OR 172.23.* OR 172.21.* OR 172.20.* OR 172.19.* OR 172.18.* OR 172.17.* OR 172.16.* OR fd* OR fc* OR* OR \:\:1*))))

The results I got back is always:

Can only use prefix queries on keyword, text and wildcard fields - not on [source.ip] which is of type [ip]"

Help pls.

Thanks for the attention.

As the documentation says "the most common way to query ip addresses is to use the CIDR notation": [ip_address]/[prefix_length]

For example, to search for 172.30.*, you can use a query:

  "query": {
    "term": {
      "ip": ""

That´s great!!! :slight_smile:

My question is, that´s the only way?? If you say so I´m ok....


You can also use range query on ip addresses, like:

  "query": {
    "range": {
      "ip": {
        "gte": "",
        "lte": ""

Ok, understood! Now I´m trying to use a rule from Elastic using the same schema you just pointed above, but still receiving errors:


event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and
  not source.ip:( or or or or or or or or or or or or or or or or or or or or or or or
    "::1" or
    "FE80::/10" or
  ) and
  destination.ip:( or or


Can only use regexp queries on keyword and text fields - not on [source.ip] which is of type [ip]

What I´m doing wrong? Just copied and pasted from the elastic page this rule


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.