Searching via regular expression. Possible?

Apologies if this has been addressed in a previous post, but I’ve done a fair bit of research and can’t seem to get a conclusive answer to this question.

I’m attempting to filter out specific IP addresses from a search query. I’m attempting to filter them by doing something similar to this:

!srcIP:10.15.20.[105 TO 108]

The IPs I’m attempting to filter out still show up in the search results, however. Likewise, when I try things like these examples:


It either continues to include the target IPs in the search results, or complains that it cannot parse the query. Am I doing something obviously wrong that I’m just not seeing? Or is this functionality not part of the search function?



You can use a subset of the Perl regular expression syntax in Graylog.

The general query format is:

field_name:/regular expression/



See for details.

Also make sure to read the documentation about the Graylog/Lucene query syntax at

If you want to invert a search, you have to prepend “NOT”, for example:

NOT client_ip:/54\.200\.53\.8[0-9]/
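The inverted regex form from the reply above, applied to the range in the original question (10.15.20.105 to 10.15.20.108), as an added example that is not part of the original posts. It assumes srcIP is stored as a single unanalyzed term and uses Python's re.fullmatch to stand in for Lucene's whole-term regex matching; the function names and sample addresses are constructed for illustration.

```python
import re

def octet_range_regex(lo: int, hi: int) -> str:
    """Regex matching exactly the decimal octets lo..hi (inclusive).

    Uses only literals, character classes, alternation and grouping,
    which behave the same in Lucene regexes and in Python's re module.
    """
    if not 0 <= lo <= hi <= 255:
        raise ValueError("expected 0 <= lo <= hi <= 255")
    parts = []
    for tens in range(lo // 10, hi // 10 + 1):
        first = max(lo, tens * 10) % 10       # lowest last digit in this group
        last = min(hi, tens * 10 + 9) % 10    # highest last digit in this group
        prefix = str(tens) if tens else ""    # 0-9 have no leading digits
        digit = str(first) if first == last else f"[{first}-{last}]"
        parts.append(prefix + digit)
    return parts[0] if len(parts) == 1 else "(" + "|".join(parts) + ")"

def ip_regex(prefix: str, lo: int, hi: int) -> str:
    """Regex for prefix.lo through prefix.hi; dots are escaped as literals."""
    return prefix.replace(".", r"\.") + r"\." + octet_range_regex(lo, hi)

def exclude_query(field: str, prefix: str, lo: int, hi: int) -> str:
    """Graylog query that drops messages whose field falls in the range."""
    return f"NOT {field}:/{ip_regex(prefix, lo, hi)}/"

def excluded(ips, prefix: str, lo: int, hi: int):
    """Which of the given values the query would filter out.

    fullmatch mirrors Lucene, where a regex must match the whole term.
    """
    pattern = re.compile(ip_regex(prefix, lo, hi))
    return [ip for ip in ips if pattern.fullmatch(ip)]

# Constructed sample values, not taken from any real log.
SAMPLE_IPS = ["10.15.20.104", "10.15.20.105", "10.15.20.108",
              "10.15.20.109", "10.15.200.105", "10.15.20.1050"]

if __name__ == "__main__":
    print(exclude_query("srcIP", "10.15.20", 105, 108))
    print(excluded(SAMPLE_IPS, "10.15.20", 105, 108))
```

Checking the generated pattern against known-good and known-bad addresses before pasting it into a saved search or alert condition catches an over-broad exclusion that would otherwise silently hide traffic.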

In addition to what @jochen wrote, you might want to check if you can extract the IP into a single field and force this field to be saved as ip with a custom Elasticsearch mapping.

While this is a bit more advanced, it would enable you to make other kinds of searches on that.

Thank you very much. That last example was quite clear and I was able to figure out what I needed to change to make this regex work. Cheers!
