IP field type

An ip field can index/store either IPv4 or IPv6 addresses.

  1. PUT my-index-000001
  2. {
  3.   "mappings": {
  4.     "properties": {
  5.       "ip_addr": {
  6.         "type": "ip"
  7.       }
  8.     }
  9.   }
  10. }
  12. PUT my-index-000001/_doc/1
  13. {
  14.   "ip_addr": "192.168.1.1"
  15. }
  17. GET my-index-000001/_search
  18. {
  19.   "query": {
  20.     "term": {
  21.       "ip_addr": "192.168.0.0/16"
  22.     }
  23.   }
  24. }

You can also store ip ranges in a single field using an ip_range data type.

Parameters for ip fields

The following parameters are accepted by ip fields:

boost

Mapping field-level query time boosting. Accepts a floating point number, defaults to 1.0.

doc_values

Should the field be stored on disk in a column-stride fashion, so that it can later be used for sorting, aggregations, or scripting? Accepts true (default) or false.

index

Should the field be searchable? Accepts true (default) and false.

null_value

Accepts an IPv4 value which is substituted for any explicit null values. Defaults to null, which means the field is treated as missing.

store

Whether the field value should be stored and retrievable separately from the _source field. Accepts true or false (default).

Querying ip fields

The most common way to query ip addresses is to use the CIDR notation: [ip_address]/[prefix_length]. For instance:

  1. GET my-index-000001/_search
  2. {
  3.   "query": {
  4.     "term": {
  5.       "ip_addr": "192.168.0.0/16"
  6.     }
  7.   }
  8. }

or

  1. GET my-index-000001/_search
  2. {
  3.   "query": {
  4.     "term": {
  5.       "ip_addr": "2001:db8::/48"
  6.     }
  7.   }
  8. }

Also beware that colons are special characters to the query_string query, so ipv6 addresses will need to be escaped. The easiest way to do so is to put quotes around the searched value:

  1. GET my-index-000001/_search
  2. {
  3.   "query": {
  4.     "query_string" : {
  5.       "query": "ip_addr:\"2001:db8::/48\""
  6.     }
  7.   }
  8. }