It is an encoded comma… I will give it a try with an unencoded comma.
Update: Not working, unfortunately.
I’ve also tried the “new” API, which, unfortunately, only returns CSV, but it seems that the query string is a hard one:
{
  "query_string": {
    "type": "elasticsearch",
    "query_string": "test_client_ip:172.21.192.0/19"
  },
  "timerange": {
    "type": "relative",
    "range": 86400
  },
  "chunk_size": "500",
  "streams": [
    "5f218679a45add539817c246",
    "5f218612a45add539817c1cc"
  ],
  "limit": "500",
  "fields_in_order": [
    "client_ip",
    "url"
  ]
}
I would prefer to return JSON, but as it’s also been marked as deprecated… I will do the CSV to JSON conversion in my application…
UPDATE2: the API is returning 200, but in the Graylog server log:
Caused by: org.graylog2.indexer.ElasticsearchException: ElasticsearchException[Failed to execute Search After request]; nested: ElasticsearchException[Elasticsearch exception [type=search_phase_execution_exception, reason=all shards failed]]; nested: ElasticsearchException[Elasticsearch exception [type=token_mgr_error, reason=token_mgr_error: Lexical error at line 1, column 31. Encountered: <EOF> after : "/16"]];
Seems to be a bug ^.^
Final body for searching in CIDR ranges with the new CSV API:
{
  "query_string": {
    "type": "elasticsearch",
    "query_string": "test_client_ip:(172.21.192.0\\/19)"
  },
  "timerange": {
    "type": "relative",
    "range": 86400
  },
  "chunk_size": "500",
  "streams": [
    "5f218679a45add539817c246",
    "5f218612a45add539817c1cc"
  ],
  "limit": "500",
  "fields_in_order": [
    "client_ip",
    "url"
  ]
}
Here is the key: I was forced to escape the slash with a backslash (similar to what you would use in the UI) and then escape the backslash.
Hope it helps somebody…
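The escaping trick and the CSV-to-JSON step the post describes, as an added example that is not the poster's code: a small Python helper that validates the CIDR before it reaches the query, builds the request body in the shape shown above (the backslash doubling happens automatically when the dict is serialised to JSON), and turns the CSV response into records. The stream IDs are placeholders and the endpoint URL is not named, since the post does not give it.

```python
import csv
import io
import ipaddress


def cidr_query(field: str, cidr: str) -> str:
    """Return an Elasticsearch query string matching `field` against a CIDR range.

    The CIDR is parsed first so that malformed input is rejected instead of
    being pasted into a query. The slash is escaped with a backslash, which
    the post found to be required by the search endpoint.
    """
    network = ipaddress.ip_network(cidr, strict=False)  # raises ValueError on junk
    escaped = str(network).replace("/", "\\/")
    return f"{field}:({escaped})"


def build_body(field: str, cidr: str, streams: list, fields: list,
               seconds: int = 86400, limit: int = 500) -> dict:
    """Build the request body in the shape shown in the post (sizes as strings)."""
    return {
        "query_string": {"type": "elasticsearch",
                         "query_string": cidr_query(field, cidr)},
        "timerange": {"type": "relative", "range": seconds},
        "chunk_size": str(limit),
        "streams": streams,
        "limit": str(limit),
        "fields_in_order": fields,
    }


def csv_to_records(text: str) -> list:
    """Convert the CSV the endpoint returns into a list of dicts, one per row."""
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    import json
    body = build_body("test_client_ip", "172.21.192.0/19",
                      ["STREAM_ID_PLACEHOLDER"], ["client_ip", "url"])
    # json.dumps doubles the backslash, producing the "\\/" seen in the final body.
    print(json.dumps(body, indent=2))
    # Constructed sample response; not real Graylog output.
    sample_csv = "client_ip,url\n172.21.200.5,/login\n172.21.201.9,/api/health\n"
    print(csv_to_records(sample_csv))
```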