Searching via regular expression. Possible?


(Safecyn) #1

Apologies if this has been addressed in a previous post, but I’ve done a fair bit of research and can’t seem to get a conclusive answer to this question.

I’m attempting to filter out specific IP addresses from a search query. I’m attempting to filter them by doing something similar to this:

!srcIP:10.15.20.[105 TO 108]

The IPs I’m attempting to filter out still show up in the search results, however. Likewise, when I try things like these examples:

!srcIP:10.15.20.[105-108]
!srcIP:/10.15.20.[105-108]/
!srcIP:(10.15.20.[105-108])
!srcIP:10.15.20.[105,106,107,108]

It either continues to include the target ips in the search results, or complains that it cannot parse the query. Am I doing something obviously wrong that I’m just not seeing? Or is this functionality not part of the search function?

Thanks,

–Cyn


(Jochen) #2

You can use a subset of the Perl regular expression syntax in Graylog.

The general query format is:

field_name:/regular expression/

Example:

srcIP:/127\..+\..+\..+/

See https://www.elastic.co/guide/en/elasticsearch/reference/5.6/query-dsl-regexp-query.html#regexp-syntax for details.

Also make sure to read the documentation about the Graylog/Lucene query syntax at http://docs.graylog.org/en/2.4/pages/queries.html#search-query-language.

If you want to invert a search, you have to prepend “NOT”, for example:

NOT client_ip:/54\.200\.53\.8[0-9]/

(Jan Doberstein) #3

In addition to what @jochen wrote you might want to check if you can extract the IP into a single field and forcing this field to be saved as ip with a custom elasticsearch mapping.

While this is a bit more advanced, it would enable you to make other kind of searches on that.


(Safecyn) #4

Thank you very much. That last example was quite clear and I was able to figure out what I needed to change to make this regex work. Cheers!


(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.