Search for ip ranges (again..)

Description of your problem

We are using Graylog mainly for network equipment, so we naturally want to search for CIDR ranges. I’m aware of the wildcard usage, but that doesn’t scale well with subnets below /24.

Description of steps you’ve taken to attempt to solve the issue

Added custom mapping for ip types, but how to search for that?

Environmental information

Operating system information

  • Ubuntu

Package versions

  • Graylog 4.2
  • MongoDB 4.2
  • Elasticsearch 7.10.2

{
  "template": "90d_*",
  "mappings": {
    "properties": {
      "test_client_ip": {
        "type": "ip"
      },
      "test_target_ip": {
        "type": "ip"
      }
    }
  }
}

The correct syntax, as of writing, is: test_client_ip:(172.21.224.0\/19) (escaping of the subnet mask part is the key here).

Please note that you need to use the following when using the API:

{
  "query_string": {
    "type": "elasticsearch",
    "query_string": "test_client_ip:172.21.192.0\\/19"
  },
  "timerange": {
    "type": "relative",
    "range": 86400
  },
  "chunk_size": "100",
  "streams": [
    "5f218679a45add539817c246"
  ],
  "limit": "500",
  "fields_in_order": [
    "field1",
    "field2"
  ]
}

The custom mapping is enabled as soon as the active index is rotated!

Just for reference, if you need to set up multiple custom mappings, you have to create different mappings; they are not additive, see

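The solution above has three moving parts: the escaped CIDR in the query string, the JSON request body for the search API (where JSON encoding turns the single backslash into the `\\/` shown), and a single index template carrying every `ip` field. The script below is an added example, not code from the thread or from Graylog; it builds all three with the standard library so the escaping can be checked offline, and can optionally POST the body. The Graylog base URL, the API token, the `/api/views/search/messages` endpoint path, the `text/csv` Accept header and token-as-username Basic auth are my assumptions about Graylog 4.x; the field names, stream id and `90d_*` pattern are the ones used in the thread.

```python
import base64
import ipaddress
import json
import urllib.request

# Placeholders (assumptions, not values from the thread): Graylog base URL and API token.
GRAYLOG_URL = "https://graylog.example.internal"
API_TOKEN = "replace-with-an-api-token"


def cidr_query(field: str, cidr: str) -> str:
    """Return the Graylog/Lucene query string matching `field` inside `cidr`.

    The '/' before the prefix length is escaped as '\\/' (the point made in the
    thread); unescaped, Lucene treats '/' as a regular-expression delimiter.
    strict=False lets a host address such as 172.21.200.5/19 be normalised to
    its network, 172.21.192.0/19, instead of raising.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        # The thread only covers IPv4; IPv6 values contain ':' and would need
        # extra quoting in Lucene, so refuse rather than emit a broken query.
        raise ValueError("only IPv4 CIDRs are handled here")
    return f"{field}:{net.network_address}\\/{net.prefixlen}"


def search_body(field, cidr, stream_id, fields, seconds=86400, limit=500, chunk_size=100):
    """Request body for the messages export endpoint, in the shape shown in the thread."""
    return {
        "query_string": {"type": "elasticsearch", "query_string": cidr_query(field, cidr)},
        "timerange": {"type": "relative", "range": seconds},
        "chunk_size": str(chunk_size),
        "streams": [stream_id],
        "limit": str(limit),
        "fields_in_order": list(fields),
    }


def encode_body(body) -> str:
    """JSON-encode the body; json.dumps doubles the backslash, giving the "\\\\/" form."""
    return json.dumps(body, indent=2)


def ip_template(index_pattern, fields):
    """One legacy index template mapping every field in `fields` as `ip`.

    A template PUT under a name replaces the previous body under that name,
    so keep all ip fields in one template rather than one template per field.
    """
    return {
        "template": index_pattern,
        "mappings": {"properties": {f: {"type": "ip"} for f in fields}},
    }


def in_cidr(ip: str, cidr: str) -> bool:
    """Local check to spot-verify that returned rows really fall inside the range."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def post_search(body, base_url=GRAYLOG_URL, token=API_TOKEN) -> str:
    """POST the body to Graylog's message export endpoint (network call).

    Endpoint path, Accept header and token-as-username Basic auth are my
    assumptions about Graylog 4.x, not something the thread states.
    """
    creds = base64.b64encode(f"{token}:token".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/views/search/messages",
        data=encode_body(body).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "text/csv",
            "Authorization": "Basic " + creds,
            "X-Requested-By": "cidr-search-example",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    body = search_body("test_client_ip", "172.21.192.0/19",
                       "5f218679a45add539817c246", ["field1", "field2"])
    print(encode_body(body))
    print(encode_body(ip_template("90d_*", ["test_client_ip", "test_target_ip"])))
```

Run it without arguments to print the request body and the template; call `post_search(body)` only once the URL and token placeholders point at a real instance. `in_cidr` is there to sanity-check a sample of returned rows after a mapping change, since documents indexed before the rotation are still stored under the old mapping and will not match.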

Thanks @riskersen for providing your solution back to the community!


You are welcome. I noticed a small formatting bug, which I’ve updated + I’ve added a sample when using the search API

