Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question. Don’t forget to select tags to help index your topic!
1. Describe your incident:
How to search based on a CIDR, 192.168.1.0/24 for example?
2. Describe your environment:
OS Information:
Package Version:
Service logs, configurations, and environment variables:
3. What steps have you already taken to try and solve the problem?
Could you read through these tips (here and/or here) on asking questions and use them to help you fill in more information about what you have, what you have tried, etc.?
Do you have example messages? Are the fields already broken out? Are you looking for anything in the range of the CIDR or the CIDR itself? Are you searching in the pipeline as things are processed or are you doing a general search against stored data in Elasticsearch?
Wherever you are, you could use regex; if you are in a pipeline, you can also use cidr_match(). Sorry to be generic, not much to go on…
By default Graylog doesn’t distinguish IP addresses as a separate type; it treats them like text. Basically Graylog writes only three types of data to the underlying database (Elasticsearch or OpenSearch): text, numbers and timestamps (AFAIK). I asked about it before; the devs told me they don’t plan to support other types, but that was a few years ago.

Anyway, you can work around it by setting a custom index mapping, as Elasticsearch supports IP addresses as a separate type (amongst others that Graylog doesn’t support); then you could query data by CIDR. Additionally you can just use text wildcards, like ip_addr:192.168.0.*; it’s obviously less accurate, but frankly I doubt someone has something like “192.168.0.poop” there.

NOPE, apparently it breaks Graylog widgets though, so your data are still stored but you can’t view anything.
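The two replies above describe three ways to match on a CIDR: a regex over the text field, the pipeline function cidr_match(), and a typed `ip` field in a custom Elasticsearch mapping (with text wildcards as a rough fallback). The script below is an added example, not code from the thread or from Graylog: it runs over a few constructed log lines, shows the strict CIDR check next to a regex built for the same prefix (it generalises to any prefix length, not only octet-aligned ones like /24), shows why a text wildcard over-matches, and builds the Elasticsearch mapping and CIDR term query you would use once the field is typed. The field name `src_ip` and the log format are assumptions.

```python
import ipaddress
import re

# Constructed sample log lines (not from the original thread).
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z sshd accepted login src_ip=192.168.1.42",
    "2024-01-01T10:00:01Z sshd failed login src_ip=192.168.2.7",
    "2024-01-01T10:00:02Z proxy request src_ip=10.0.0.5",
    "2024-01-01T10:00:03Z app note src_ip=192.168.1.poop",  # the junk value the reply jokes about
]

IP_FIELD = re.compile(r"src_ip=(\S+)")  # assumed field name
OCTET = r"(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"  # any value 0-255, no leading zeros


def cidr_to_regex(cidr: str) -> re.Pattern:
    """Anchored regex equivalent of a CIDR, for places where only regex search is available.
    A CIDR block is a product of per-octet ranges (fixed octets, one partial octet,
    then full octets), so the pattern is exact for any prefix length."""
    net = ipaddress.ip_network(cidr, strict=False)
    first, last = int(net.network_address), int(net.broadcast_address)
    parts = []
    for i in range(4):
        shift = 8 * (3 - i)
        lo, hi = (first >> shift) & 0xFF, (last >> shift) & 0xFF
        if lo == hi:
            parts.append(str(lo))
        elif lo == 0 and hi == 255:
            parts.append(OCTET)
        else:
            parts.append("(" + "|".join(str(v) for v in range(lo, hi + 1)) + ")")
    return re.compile(r"^" + r"\.".join(parts) + r"$")


def cidr_match(cidr: str, value: str) -> bool:
    """Strict check: what a typed IP field or the pipeline's cidr_match() gives you."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:  # not a parseable address at all
        return False


def wildcard_match(pattern: str, value: str) -> bool:
    """Text wildcard as in a query like ip_addr:192.168.1.* ('*' matches anything)."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None


def search_logs(lines, cidr: str):
    """Return the src_ip values inside the CIDR, once via the strict check and once via regex."""
    strict, by_regex = [], []
    rx = cidr_to_regex(cidr)
    for line in lines:
        m = IP_FIELD.search(line)
        if not m:
            continue
        ip = m.group(1)
        if cidr_match(cidr, ip):
            strict.append(ip)
        if rx.match(ip):
            by_regex.append(ip)
    return strict, by_regex


def es_ip_mapping(field: str) -> dict:
    """Custom index mapping fragment making the field an Elasticsearch 'ip' type."""
    return {"properties": {field: {"type": "ip"}}}


def es_cidr_query(field: str, cidr: str) -> dict:
    """A term query on an ip-typed field accepts CIDR notation directly."""
    return {"query": {"term": {field: cidr}}}


if __name__ == "__main__":
    strict, by_regex = search_logs(SAMPLE_LOGS, "192.168.1.0/24")
    print("strict:", strict, "regex:", by_regex)
    print("wildcard accepts junk value:", wildcard_match("192.168.1.*", "192.168.1.poop"))
    print("/22 regex:", cidr_to_regex("192.168.0.0/22").pattern)
    print(es_ip_mapping("src_ip"), es_cidr_query("src_ip", "192.168.1.0/24"))
```

The regex path is the one to use while the field is still text; once the custom mapping is in place, the term query with a CIDR does the same work inside Elasticsearch, and non-address junk is rejected at index time rather than silently matched by a wildcard.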