WARNING: Version 6.2 of Elasticsearch has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
IP datatype
An ip field can index/store either IPv4 or IPv6 addresses.
PUT my_index
{
  "mappings": {
    "_doc": {
      "properties": {
        "ip_addr": {
          "type": "ip"
        }
      }
    }
  }
}

PUT my_index/_doc/1
{
  "ip_addr": "192.168.1.1"
}

GET my_index/_search
{
  "query": {
    "term": {
      "ip_addr": "192.168.0.0/16"
    }
  }
}
You can also store ip ranges in a single field using an ip_range datatype.
Parameters for ip fields
The following parameters are accepted by ip fields:
Mapping field-level query time boosting. Accepts a floating point number, defaults to

Should the field be stored on disk in a column-stride fashion, so that it can later be used for sorting, aggregations, or scripting? Accepts

Should the field be searchable? Accepts

Accepts an IPv4 value which is substituted for any explicit

Whether the field value should be stored and retrievable separately from the
Querying ip fields
The most common way to query IP addresses is to use the CIDR notation: [ip_address]/[prefix_length]. For instance:
GET my_index/_search
{
  "query": {
    "term": {
      "ip_addr": "192.168.0.0/16"
    }
  }
}
or
GET my_index/_search
{
  "query": {
    "term": {
      "ip_addr": "2001:db8::/48"
    }
  }
}
Also beware that colons are special characters to the query_string query, so IPv6 addresses will need to be escaped. The easiest way to do so is to put quotes around the searched value:
GET my_index/_search
{
  "query": {
    "query_string": {
      "query": "ip_addr:\"2001:db8::/48\""
    }
  }
}
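An added example, not part of the Elasticsearch documentation: a Python helper that validates an address or CIDR block with the standard ipaddress module before building the term and quoted query_string bodies shown above, so that only a well-formed address ever sits inside the quotes. The function names are hypothetical; the field name ip_addr is the one from the mapping on this page.

```python
import ipaddress
import json


def normalize_ip_or_cidr(value):
    """Return the canonical text of one IPv4/IPv6 address or CIDR block.

    Raises ValueError for anything else, so query-syntax characters
    (quotes, spaces, operators) never reach the query body.
    """
    value = value.strip()
    if "%" in value:
        # IPv6 zone identifiers (fe80::1%eth0) are free-form text; reject them.
        raise ValueError("zone identifiers are not accepted: %r" % value)
    if "/" in value:
        # strict=False masks host bits: 192.168.1.1/16 -> 192.168.0.0/16
        return str(ipaddress.ip_network(value, strict=False))
    return str(ipaddress.ip_address(value))


def term_query(field, value):
    """Body for a term query on an ip field (single address or CIDR)."""
    return {"query": {"term": {field: normalize_ip_or_cidr(value)}}}


def query_string_query(field, value):
    """Body for a query_string query with the address in double quotes.

    After normalization the value holds only hex digits, '.', ':' and '/',
    so the surrounding quotes are enough to neutralize the colons.
    `field` is assumed to be a constant chosen by the developer.
    """
    quoted = '%s:"%s"' % (field, normalize_ip_or_cidr(value))
    return {"query": {"query_string": {"query": quoted}}}


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("192.168.1.1/16", "2001:DB8::/48"):
        print(json.dumps(term_query("ip_addr", sample)))
        print(json.dumps(query_string_query("ip_addr", sample)))
```

Serializing the query_string body with json.dumps yields the same escaped form as the request above: "ip_addr:\"2001:db8::/48\"".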