Hello, I am attempting to search my data to show results for only three source IP ranges linked to action:drop, but I am still seeing all source IPs. Below are the several different search strings I've tried:
action:drop scrip:192.* scrip:10.* scrip:172.*
action:drop scrip:"192.*" scrip:"10.*" scrip:"172."
action:drop scrip:192.* OR scrip:10.* OR scrip:172.*
I've tried several other suggestions from researching online but am still unable to show results for only the IP ranges in the search string.
I apologize, Chris. In my original post I mistyped the field name. It should be srcip and not scrip. So, with that being said, when I type srcip:192.* OR srcip:10.* OR srcip:172.* it does show only results matching the IP pattern.
Well, it only works if I have action:drop set as a filter. When I type the following in the query bar, it shows other IP ranges: action:drop srcip:192.168.* OR srcip:10.* OR srcip:172.*
So the only way to make this work is by adding the action field as a filter and not in the query bar?
It seems to work for me. Are there any errors in the console? If not, can you look at the _msearch request in the network tab and paste the request body?
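The behaviour described above follows from how the Lucene query_string syntax (the Kibana query bar's Lucene mode) treats whitespace: a bare space is the default operator, which is OR, so `action:drop srcip:192.168.* OR srcip:10.* OR srcip:172.*` is read as four OR'd clauses and returns every drop event plus every event from those ranges, whatever its action. Moving action:drop into a filter is one fix; grouping the range clauses in the query bar, `action:drop AND (srcip:192.168.* OR srcip:10.* OR srcip:172.*)`, is the other. Two caveats a practitioner should check: a quoted value such as `srcip:"192.*"` is a literal phrase, not a wildcard, and wildcards only apply to keyword or text fields, so if srcip is mapped as an `ip` type the range syntax `srcip:10.0.0.0/8` is the right form. The Python below is an added example, not code from this thread or from Kibana or Elasticsearch: a toy parser for a small subset of that syntax (field:value terms, * wildcards, AND, OR, parentheses, implicit OR) run over constructed sample events, which makes the difference between the ungrouped and grouped queries visible.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample events; not data from the original thread.
EVENTS = [
    {"action": "drop",  "srcip": "192.168.1.10"},
    {"action": "drop",  "srcip": "10.0.0.5"},
    {"action": "drop",  "srcip": "172.16.4.9"},
    {"action": "drop",  "srcip": "203.0.113.7"},   # dropped, but outside the three ranges
    {"action": "allow", "srcip": "10.0.0.6"},      # inside a range, but not a drop
    {"action": "allow", "srcip": "198.51.100.2"},
]

# Tokens: parentheses, the AND/OR keywords, and field:value terms (quoted or bare).
TOKEN = re.compile(r'\(|\)|\bAND\b|\bOR\b|[A-Za-z_]+:"[^"]*"|[A-Za-z_]+:[^\s()]+')


def tokenize(query):
    return TOKEN.findall(query)


def term_matcher(token):
    """field:value -> predicate over one event.

    A bare value is matched with * and ? wildcards; a quoted value is a literal
    string, mirroring the fact that a quoted phrase is not a wildcard query.
    """
    field, value = token.split(":", 1)
    if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
        literal = value[1:-1]
        return lambda ev: ev.get(field) == literal
    return lambda ev: fnmatchcase(str(ev.get(field, "")), value)


class Parser:
    # Simplified model of query_string with default_operator=OR:
    #   expr     := and_expr ((OR | <space>) and_expr)*   -- a bare space acts as OR
    #   and_expr := atom (AND atom)*                       -- AND binds tighter than OR
    #   atom     := '(' expr ')' | field:value
    def __init__(self, query):
        self.toks = tokenize(query)
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def expr(self):
        clauses = [self.and_expr()]
        while self.peek() is not None and self.peek() != ")":
            if self.peek() == "OR":
                self.take()          # explicit OR; an implicit one has no token
            clauses.append(self.and_expr())
        return lambda ev: any(c(ev) for c in clauses)

    def and_expr(self):
        clauses = [self.atom()]
        while self.peek() == "AND":
            self.take()
            clauses.append(self.atom())
        return lambda ev: all(c(ev) for c in clauses)

    def atom(self):
        tok = self.take()
        if tok == "(":
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses")
            return inner
        if tok is None or tok in ("AND", "OR", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        return term_matcher(tok)


def search(query, events=EVENTS):
    """Return the srcip of every event the query matches, in input order."""
    predicate = Parser(query).expr()
    return [ev["srcip"] for ev in events if predicate(ev)]


if __name__ == "__main__":
    ungrouped = "action:drop srcip:192.168.* OR srcip:10.* OR srcip:172.*"
    grouped = "action:drop AND (srcip:192.168.* OR srcip:10.* OR srcip:172.*)"
    print("ungrouped:", search(ungrouped))   # all four drops plus the in-range allow
    print("grouped:  ", search(grouped))     # only the three in-range drops
    # Equivalent of a separate action:drop filter plus the range query in the bar:
    drops = [ev for ev in EVENTS if ev["action"] == "drop"]
    print("filtered: ", search("srcip:192.168.* OR srcip:10.* OR srcip:172.*", drops))
```

Running it shows the ungrouped query returning five events (every drop, plus 10.0.0.6 which is an allow) and the grouped query, or the filter-plus-query combination, returning only the three in-range drops. The model keeps standard precedence (AND over OR) rather than every quirk of the classic Lucene parser, so treat the grouped form with explicit parentheses as the reliable way to express the intent in either case.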