July 17, 2018, 9:00pm
Apologies if this has been addressed in a previous post, but I’ve done a fair bit of research and can’t seem to get a conclusive answer to this question.
I’m attempting to filter out specific IP addresses from a search query. I’m attempting to filter them by doing something similar to this:
!srcIP:10.15.20.[105 TO 108]
The IPs I’m attempting to filter out still show up in the search results, however. Likewise, when I try things like these examples:
It either continues to include the target IPs in the search results, or complains that it cannot parse the query. Am I doing something obviously wrong that I’m just not seeing? Or is this functionality not part of the search function?
July 18, 2018, 6:40am
You can use a subset of the Perl regular expression syntax in Graylog.
The general query format is:
See https://www.elastic.co/guide/en/elasticsearch/reference/5.6/query-dsl-regexp-query.html#regexp-syntax for details.
Also make sure to read the documentation about the Graylog/Lucene query syntax at
If you want to invert a search, you have to prepend “NOT”, for example:
July 18, 2018, 12:46pm
In addition to what @jochen wrote, you might want to check if you can extract the IP into a single field and force this field to be saved as ip with a custom Elasticsearch mapping.
While this is a bit more advanced, it would enable you to make other kind of searches on that.
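The two replies above come down to one query: a regex over the extracted IP field, prefixed with NOT. The following is an added example, not code from the thread or from Graylog; it assumes the Lucene `field:/regex/` form, that `srcIP` is a separately extracted field, and that the range to drop is 10.15.20.105 through 10.15.20.108. It builds the pattern with escaped dots and checks locally, with anchored matching, that only the intended addresses match.

```python
import ipaddress
import re


def ip_range_regex(start: str, end: str) -> str:
    """Regex for the IPv4 addresses from start to end inclusive.
    Assumption for this example: both ends lie in the same /24.
    Dots are escaped so '.' cannot match any character."""
    lo = ipaddress.IPv4Address(start)
    hi = ipaddress.IPv4Address(end)
    if hi < lo:
        raise ValueError("end must not be lower than start")
    if lo.packed[:3] != hi.packed[:3]:
        raise ValueError("example only handles ranges inside one /24")
    prefix = ".".join(str(b) for b in lo.packed[:3])
    # Explicit alternation of the last octets: correct for any range
    # and readable in the Elasticsearch regexp dialect.
    last = "|".join(str(n) for n in range(lo.packed[3], hi.packed[3] + 1))
    return re.escape(prefix) + r"\.(" + last + ")"


def exclusion_query(field: str, start: str, end: str) -> str:
    """Graylog query string that drops the range: NOT field:/regex/.
    The field:/regex/ literal form is assumed (Lucene syntax)."""
    return f"NOT {field}:/{ip_range_regex(start, end)}/"


def matches_locally(pattern: str, value: str) -> bool:
    """Emulate Lucene regexp matching, which is anchored to the whole
    field value, so use fullmatch rather than search."""
    return re.fullmatch(pattern, value) is not None


if __name__ == "__main__":
    pattern = ip_range_regex("10.15.20.105", "10.15.20.108")
    print(exclusion_query("srcIP", "10.15.20.105", "10.15.20.108"))
    # Constructed sample values: the first two must match, the rest not.
    for ip in ["10.15.20.105", "10.15.20.108", "10.15.20.10",
               "10.15.20.1050", "10x15x20x105"]:
        print(f"{ip:>14} excluded={matches_locally(pattern, ip)}")
```

The last sample shows why the dots must be escaped: an unescaped `10.15.20.(105)` would also match `10x15x20x105`.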
July 18, 2018, 1:52pm
Thank you very much. That last example was quite clear and I was able to figure out what I needed to change to make this regex work. Cheers!