Search for ip ranges (again..)

The correct syntax, as of writing, is: test_client_ip:(172.21.224.0\/19) (Escaping of the subnet mask part is the key here.)

Please note that you need to use the following when using the API:

{
  "query_string": {
    "type": "elasticsearch",
    "query_string": "test_client_ip:172.21.192.0\\/19"
  },
  "timerange": {
    "type": "relative",
    "range": 86400
  },
  "chunk_size": "100",
  "streams": [
    "5f218679a45add539817c246"
  ],
  "limit": "500",
  "fields_in_order": [
    "field1",
    "field2"
  ]
}

The custom mapping is enabled as soon as the active index is rotated!

Just for the reference, if you need to set up multiple custom mappings, you have to create different mappings, they are not additional, see
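To make the escaping point concrete, here is an added example (not part of the original post or of Graylog itself) that builds the escaped CIDR term, wraps it in a request body of the same shape as the one above, and shows which sample addresses the range actually covers. The field name `test_client_ip`, the stream id and the `/api/views/search/messages` endpoint used in the optional `post_export()` helper are assumptions taken from the post; the candidate IPs are constructed for the demonstration.

```python
import ipaddress
import json
import urllib.request
import base64


def cidr_query(field: str, cidr: str) -> str:
    """Build a Graylog query_string term for a CIDR range.

    The '/' in the mask must be escaped as '\\/' in the query string, otherwise
    the query parser treats it as a regex delimiter. ip_network(strict=True)
    rejects networks with host bits set (e.g. 172.21.192.1/19), which would
    otherwise silently search the wrong range.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{field}:{net.network_address}\\/{net.prefixlen}"


def build_export_body(query: str, stream_id: str, range_seconds: int = 86400,
                      fields=("field1", "field2"), limit: int = 500,
                      chunk_size: int = 100) -> dict:
    """Request body with the same layout as the one in the post (assumed shape)."""
    return {
        "query_string": {"type": "elasticsearch", "query_string": query},
        "timerange": {"type": "relative", "range": range_seconds},
        "chunk_size": str(chunk_size),
        "streams": [stream_id],
        "limit": str(limit),
        "fields_in_order": list(fields),
    }


def matching_ips(cidr: str, candidates) -> list:
    """Local sanity check: which candidate addresses fall inside the range."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [ip for ip in candidates if ipaddress.ip_address(ip) in net]


def post_export(body: dict, base_url: str, username: str, password: str) -> bytes:
    """Send the body to the (assumed) Graylog message export endpoint.

    json.dumps() performs the backslash doubling for you, so the wire payload
    carries "\\/19" exactly as shown in the post. Not called by the tests.
    """
    data = json.dumps(body).encode()
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/views/search/messages",  # assumed endpoint
        data=data,
        headers={
            "Content-Type": "application/json",
            "Accept": "text/csv",
            "X-Requested-By": "cli",
            "Authorization": f"Basic {creds}",
        },
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read()


if __name__ == "__main__":
    q = cidr_query("test_client_ip", "172.21.192.0/19")
    body = build_export_body(q, "5f218679a45add539817c246")  # stream id from the post
    print(json.dumps(body, indent=2))
    # constructed sample addresses: two inside the /19, one just past its top
    print(matching_ips("172.21.192.0/19",
                       ["172.21.200.5", "172.21.223.254", "172.21.224.1"]))
```

Running the script prints the body with `"test_client_ip:172.21.192.0\\/19"`, matching the post; feeding it `172.21.192.1/19` instead raises `ValueError` before any query is sent.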
