How to add CIDR in the search, for example: search logs based on 192.168.1.0/24

Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!

1. Describe your incident:
How to search based on a CIDR, 192.168.1.0/24 for example

2. Describe your environment:

  • OS Information:

  • Package Version:

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?

4. How can the community help?

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and click on the link to open the tips documents in a separate tab]

Not much to go on with your question.

Could you read through these tips (here and/or here) on asking questions and use them to help you fill in more information about what you have, what you have tried, etc.

Do you have example messages? Are the fields already broken out? Are you looking for anything in the range of the CIDR or the CIDR itself? Are you searching in the pipeline as things are processed or are you doing a general search against stored data in Elasticsearch?

Wherever you are, you could use regex; if you are in a pipeline, you can also use cidr_match(). Sorry to be generic, not much to go on… :thinking:

2 Likes

By default Graylog doesn't distinguish IP addresses as a separate type; it treats them like text. Basically, Graylog writes only three types of data to the underlying database (Elasticsearch or OpenSearch): text, numbers and timestamps (AFAIK). I asked about it before, and the devs told me they don't plan to support other types, but that was a few years ago.

Anyway, you can work around it by setting a custom index mapping, as Elasticsearch supports IP addresses as a separate type (amongst others that Graylog doesn't support); then you could query data by CIDR. Additionally, you can just use text wildcards, like ip_addr:192.168.0.*. It's obviously less accurate, but frankly I doubt someone has something like "192.168.0.poop" there. NOPE, apparently it breaks Graylog widgets though, so your data are still stored but you can't view anything:

It worked for me in Graylog 3.* times; also it looks like it worked for someone in 2020 here.

1 Like
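The three approaches the replies above touch on, a search-bar wildcard on a text-typed field, a regex, and a real CIDR membership test like cidr_match() in a pipeline rule, side by side as an added Python example. This is not code from the thread or from Graylog; the log lines are constructed, and the field name src_ip and all function names are assumptions made for the illustration. It also goes slightly beyond the thread by showing prefixes that are not octet-aligned (/25, /22), which a wildcard cannot express at all.

```python
import ipaddress
import re

# Constructed sample log lines (not taken from the thread). The field name
# `src_ip` is an assumption about how the extractor or parser broke the field out.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z src_ip=192.168.1.17 action=login user=alice",
    "2024-01-01T10:00:01Z src_ip=192.168.1.250 action=login user=bob",
    "2024-01-01T10:00:02Z src_ip=192.168.10.4 action=login user=carol",
    "2024-01-01T10:00:03Z src_ip=192.168.100.9 action=login user=dave",
    "2024-01-01T10:00:04Z src_ip=10.0.3.7 action=login user=erin",
    # Malformed value: a text-typed field stores this without complaint.
    "2024-01-01T10:00:05Z src_ip=192.168.1.poop action=login user=junk",
]

SRC_IP_RE = re.compile(r"\bsrc_ip=(\S+)")


def extract_src_ip(line):
    """Pull the src_ip value out of a key=value log line (None if absent)."""
    m = SRC_IP_RE.search(line)
    return m.group(1) if m else None


# --- approach 1: Lucene-style wildcard on a text field (e.g. ip_addr:192.168.1.*) ---
def wildcard_match(value, pattern):
    """Emulate a search-bar wildcard: '*' matches any run of characters."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, value) is not None


# --- approach 2: a regex that at least validates the last octet (0-255) ---
OCTET = r"(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"


def regex_for_cidr(cidr):
    """Build a regex for an octet-aligned /24; other prefix lengths have no simple regex."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen != 24:
        raise ValueError("regex approach only handles octet-aligned /24 prefixes")
    first_three = str(net.network_address).rsplit(".", 1)[0]
    return re.compile(re.escape(first_three) + r"\." + OCTET)


def regex_match(value, cidr):
    return regex_for_cidr(cidr).fullmatch(value) is not None


# --- approach 3: real CIDR membership, the analogue of cidr_match() in a pipeline rule ---
def cidr_match(value, cidr):
    """True when `value` parses as an address inside `cidr`; malformed values never match."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:  # not a valid address literal, e.g. '192.168.1.poop'
        return False


def search_logs(lines, cidr, matcher=cidr_match):
    """Return the log lines whose src_ip satisfies matcher(ip, cidr)."""
    return [ln for ln in lines
            if (ip := extract_src_ip(ln)) is not None and matcher(ip, cidr)]


def search_logs_wildcard(lines, pattern):
    """Same search, but with the text-wildcard matcher and a pattern like '192.168.1.*'."""
    return search_logs(lines, pattern, matcher=wildcard_match)


if __name__ == "__main__":
    for cidr in ("192.168.1.0/24", "192.168.1.0/25", "192.168.0.0/22"):
        print(cidr, "->", [extract_src_ip(ln) for ln in search_logs(SAMPLE_LOGS, cidr)])
    for pat in ("192.168.1.*", "192.168.*"):
        print(pat, "->", [extract_src_ip(ln) for ln in search_logs_wildcard(SAMPLE_LOGS, pat)])
    print("regex /24 ->", [extract_src_ip(ln)
                           for ln in search_logs(SAMPLE_LOGS, "192.168.1.0/24", regex_match)])
```

The wildcard `192.168.1.*` also returns the malformed `192.168.1.poop` line, and `192.168.*` sweeps in every 192.168.x.y address when the intent was /22; the regex fixes the junk value but still cannot express a /25. Only the address-typed test gets all three prefixes right, which is what cidr_match() gives you in a pipeline rule, and what an Elasticsearch `ip`-typed field gives you at query time: with a custom index mapping that types the field as `ip`, a `term` query accepts CIDR notation directly (e.g. `{"term": {"src_ip": "192.168.1.0/24"}}`).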
