Search includes messages which do not match the query

Hi,

I use the following search:
src_ip:[172.16.0.0 TO 172.31.255.255] OR src_ip:[192.168.0.0 TO 192.168.255.255] OR src_ip:[10.0.0.0 TO 10.255.255.255]
which should only return private IP addresses. However, it appears to return any 172.x.x.x IP address (see screenshot). Why is that? What am I doing wrong here? :confused:

Hello @evert,

If you only query src_ip:[172.16.0.0 TO 172.31.255.255], do you still see the incorrect 172 range returned?

Hi @Wine_Merchant ,

Yes, then it returns several 172.x.x.x addresses which are outside the 172.16.0.0 TO 172.31.255.255 range.

Is that field actually stored as an IP, or is it a text string? You can click on the field name to tell. By default they are actually stored as text unless you change it.


:man_facepalming:

It’s a string! I guess I better go adjust that pipeline…


It’s not the pipeline that sets it; you have to adjust the field type. The easiest way to do that is to click on the field name on the search page and then change the field type.

Once that is set, you need to rotate the index; any new data AFTER that point will be stored as an IP address. You can then use CIDR notation to search for it. For your old data you would need to use a regex to search it.

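The replies above explain the cause (the field is a string, so the range is compared lexically) and the two remedies (re-type the field and use CIDR, or fall back to a regex for data already indexed). The following is an added example, not code from the thread or from Graylog, that shows all three side by side on a constructed set of addresses: it emulates the string-term range comparison that produces the false matches, does the numeric comparison an IP-typed field gets, and applies a regex for the old string-typed data. The sample addresses, the function names and the assumption that the regex search uses Lucene/Elasticsearch regexp syntax are mine.

```python
"""Why a range query on a *string* field matches 172.x.x.x addresses outside
172.16.0.0-172.31.255.255, and how to evaluate the same range correctly.

Sample addresses below are constructed for this example; they are not
from the original thread.
"""
import ipaddress
import re

# Constructed sample of src_ip values as they might sit in an index.
SAMPLE_IPS = [
    "172.16.0.1",       # inside 172.16.0.0/12
    "172.17.5.5",       # inside
    "172.31.255.254",   # inside
    "172.2.3.4",        # outside, but lexically between the bounds
    "172.200.1.1",      # outside, lexically between the bounds
    "172.160.0.1",      # outside, lexically between the bounds
    "172.32.0.1",       # outside, and also excluded lexically
    "172.100.5.5",      # outside, and also excluded lexically
    "10.5.5.5",         # private, different block
    "8.8.8.8",          # public
]

LO, HI = "172.16.0.0", "172.31.255.255"


def string_range_match(value: str, lo: str, hi: str) -> bool:
    """Emulates a term range query on a string/keyword field: bounds and
    value are compared as byte strings, character by character, which is
    how Lucene orders terms. "172.2.3.4" sorts after "172.16.0.0" because
    '2' > '1' at the fifth character, so it lands inside the range."""
    return lo.encode() <= value.encode() <= hi.encode()


def ip_range_match(value: str, lo: str, hi: str) -> bool:
    """The comparison that was actually wanted: numeric, on the address."""
    addr = ipaddress.ip_address(value)
    return ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)


# The three RFC 1918 blocks from the original query, as CIDR networks.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(value: str) -> bool:
    """CIDR membership, which is what an IP-typed field lets a search do."""
    addr = ipaddress.ip_address(value)
    return any(addr in net for net in RFC1918)


# Regex for the *string* field, for data indexed before the type change.
# Octet by octet: 10.*, 172.16-31.*, 192.168.*. [0-9] is used instead of
# \d because Lucene/Elasticsearch regexp syntax (assumed here to be what the
# search backend uses) does not support \d. The ^ and $ anchors are for
# Python; a Lucene regexp query already matches the whole term.
RFC1918_PATTERN = (
    r"^(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
    r"|172\.(1[6-9]|2[0-9]|3[01])\.[0-9]{1,3}\.[0-9]{1,3}"
    r"|192\.168\.[0-9]{1,3}\.[0-9]{1,3})$"
)
RFC1918_RE = re.compile(RFC1918_PATTERN)


def regex_match(value: str) -> bool:
    """Regex check on the raw string value (the fallback for old data)."""
    return RFC1918_RE.match(value) is not None


def false_positives(values, lo: str = LO, hi: str = HI) -> list:
    """Addresses the string range accepts but the numeric range rejects."""
    return [v for v in values
            if string_range_match(v, lo, hi) and not ip_range_match(v, lo, hi)]


if __name__ == "__main__":
    print(f"{'src_ip':<16} string-range  ip-range  cidr   regex")
    for ip in SAMPLE_IPS:
        print(f"{ip:<16} {str(string_range_match(ip, LO, HI)):<13} "
              f"{str(ip_range_match(ip, LO, HI)):<9} "
              f"{str(is_rfc1918(ip)):<6} {regex_match(ip)}")
    print("false positives from the string range:", false_positives(SAMPLE_IPS))
```

Running it prints one row per sample address; the string-range column is the only one that accepts 172.2.3.4, 172.200.1.1 and 172.160.0.1, which is exactly the symptom in the screenshot. Note that the string range is not simply "too wide": 172.100.5.5 sorts below "172.16.0.0" and is wrongly excluded, so a lexical range over dotted-quad strings both over- and under-matches.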
