
IP field type

An ip field can index/store either IPv4 or IPv6 addresses.

PUT my-index-000001
{
  "mappings": {
    "properties": {
      "ip_addr": {
        "type": "ip"
      }
    }
  }
}

PUT my-index-000001/_doc/1
{
  "ip_addr": "192.168.1.1"
}

GET my-index-000001/_search
{
  "query": {
    "term": {
      "ip_addr": "192.168.0.0/16"
    }
  }
}

Note

You can also store IP ranges in a single field using an ip_range data type.

The following parameters are accepted by ip fields:

doc_values
Should the field be stored on disk in a column-stride fashion, so that it can later be used for sorting, aggregations, or scripting? Accepts true (default) or false.
ignore_malformed
If true, malformed IP addresses are ignored. If false (default), malformed IP addresses throw an exception and reject the whole document. Note that this cannot be set if the script parameter is used.
index
Should the field be quickly searchable? Accepts true (default) and false. Fields that only have doc_values enabled can still be queried using term or range-based queries, albeit slower.
null_value
Accepts an IPv4 or IPv6 value which is substituted for any explicit null values. Defaults to null, which means the field is treated as missing. Note that this cannot be set if the script parameter is used.
on_script_error
Defines what to do if the script defined by the script parameter throws an error at indexing time. Accepts reject (default), which will cause the entire document to be rejected, and ignore, which will register the field in the document’s _ignored metadata field and continue indexing. This parameter can only be set if the script field is also set.
script
If this parameter is set, then the field will index values generated by this script, rather than reading the values directly from the source. If a value is set for this field on the input document, then the document will be rejected with an error. Scripts are in the same format as their runtime equivalent, and should emit strings containing IPv4 or IPv6 formatted addresses.
store
Whether the field value should be stored and retrievable separately from the _source field. Accepts true or false (default).
time_series_dimension

(Optional, Boolean)

Marks the field as a time series dimension. Defaults to false.

The index.mapping.dimension_fields.limit index setting limits the number of dimensions in an index.

Dimension fields have the following constraints:

  • The doc_values and index mapping parameters must be true.

The most common way to query IP addresses is to use the CIDR notation: [ip_address]/[prefix_length]. For instance:

GET my-index-000001/_search
{
  "query": {
    "term": {
      "ip_addr": "192.168.0.0/16"
    }
  }
}

or

GET my-index-000001/_search
{
  "query": {
    "term": {
      "ip_addr": "2001:db8::/48"
    }
  }
}

Also beware that colons are special characters to the query_string query, so IPv6 addresses will need to be escaped. The easiest way to do so is to put quotes around the searched value:

GET my-index-000001/_search
{
  "query": {
    "query_string": {
      "query": "ip_addr:\"2001:db8::/48\""
    }
  }
}

Synthetic source may sort ip field values and remove duplicates. For example:

PUT idx
{
  "settings": {
    "index": {
      "mapping": {
        "source": {
          "mode": "synthetic"
        }
      }
    }
  },
  "mappings": {
    "properties": {
      "ip": { "type": "ip" }
    }
  }
}

PUT idx/_doc/1
{
  "ip": ["192.168.0.1", "192.168.0.1", "10.10.12.123",
         "2001:db8::1:0:0:1", "::afff:4567:890a"]
}

Will become:

{
  "ip": ["::afff:4567:890a", "10.10.12.123", "192.168.0.1", "2001:db8::1:0:0:1"]
}

Note

IPv4 addresses are sorted as though they were IPv6 addresses prefixed by ::ffff:0:0:0/96 as specified by rfc6144.
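
The ordering above can be reproduced offline, which is useful when a pipeline compares the returned _source with what was ingested. This is an added example, not Elasticsearch code: it models the sort-and-deduplicate effect with Python's ipaddress module, and the function names and the rendering of mapped addresses back to dotted IPv4 are assumptions.

```python
import ipaddress

# IPv4-mapped IPv6 block: an IPv4 address a.b.c.d is compared as ::ffff:a.b.c.d.
V4_MAPPED_BASE = 0xFFFF << 32


def sort_key(value: str) -> int:
    """Return the 128-bit integer used here to order and deduplicate an address."""
    addr = ipaddress.ip_address(value)  # raises ValueError on malformed input
    if addr.version == 4:
        return V4_MAPPED_BASE | int(addr)
    return int(addr)


def render(key: int) -> str:
    """Turn a key back into text.

    Assumption of this model: keys in the mapped block are printed as dotted IPv4.
    """
    if key >> 32 == 0xFFFF:
        return str(ipaddress.IPv4Address(key & 0xFFFFFFFF))
    return str(ipaddress.IPv6Address(key))


def synthetic_order(values):
    """Model of the effect described above: duplicates dropped, values sorted."""
    return [render(k) for k in sorted({sort_key(v) for v in values})]


# The array from the page's example document.
SAMPLE = ["192.168.0.1", "192.168.0.1", "10.10.12.123",
          "2001:db8::1:0:0:1", "::afff:4567:890a"]

if __name__ == "__main__":
    # "::afff:4567:890a" sorts first because 0xafff is below the 0xffff
    # that every mapped IPv4 address carries in the same position.
    print(synthetic_order(SAMPLE))
```

Because the original array order and repeat count are not preserved, a field that must record first-seen order or hit counts needs a separate field for that information.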

