IP prefix aggregation

IP prefix aggregation

A bucket aggregation that groups documents based on the network or sub-network of an IP address. An IP address consists of two groups of bits: the most significant bits which represent the network prefix, and the least significant bits which represent the host.

Example

For example, consider the following index:

  1. resp = client.indices.create(
  2. index="network-traffic",
  3. mappings={
  4. "properties": {
  5. "ipv4": {
  6. "type": "ip"
  7. },
  8. "ipv6": {
  9. "type": "ip"
  10. }
  11. }
  12. },
  13. )
  14. print(resp)
  15. resp1 = client.bulk(
  16. index="network-traffic",
  17. refresh=True,
  18. operations=[
  19. {
  20. "index": {
  21. "_id": 0
  22. }
  23. },
  24. {
  25. "ipv4": "192.168.1.10",
  26. "ipv6": "2001:db8:a4f8:112a:6001:0:12:7f10"
  27. },
  28. {
  29. "index": {
  30. "_id": 1
  31. }
  32. },
  33. {
  34. "ipv4": "192.168.1.12",
  35. "ipv6": "2001:db8:a4f8:112a:6001:0:12:7f12"
  36. },
  37. {
  38. "index": {
  39. "_id": 2
  40. }
  41. },
  42. {
  43. "ipv4": "192.168.1.33",
  44. "ipv6": "2001:db8:a4f8:112a:6001:0:12:7f33"
  45. },
  46. {
  47. "index": {
  48. "_id": 3
  49. }
  50. },
  51. {
  52. "ipv4": "192.168.1.10",
  53. "ipv6": "2001:db8:a4f8:112a:6001:0:12:7f10"
  54. },
  55. {
  56. "index": {
  57. "_id": 4
  58. }
  59. },
  60. {
  61. "ipv4": "192.168.2.41",
  62. "ipv6": "2001:db8:a4f8:112c:6001:0:12:7f41"
  63. },
  64. {
  65. "index": {
  66. "_id": 5
  67. }
  68. },
  69. {
  70. "ipv4": "192.168.2.10",
  71. "ipv6": "2001:db8:a4f8:112c:6001:0:12:7f10"
  72. },
  73. {
  74. "index": {
  75. "_id": 6
  76. }
  77. },
  78. {
  79. "ipv4": "192.168.2.23",
  80. "ipv6": "2001:db8:a4f8:112c:6001:0:12:7f23"
  81. },
  82. {
  83. "index": {
  84. "_id": 7
  85. }
  86. },
  87. {
  88. "ipv4": "192.168.3.201",
  89. "ipv6": "2001:db8:a4f8:114f:6001:0:12:7201"
  90. },
  91. {
  92. "index": {
  93. "_id": 8
  94. }
  95. },
  96. {
  97. "ipv4": "192.168.3.107",
  98. "ipv6": "2001:db8:a4f8:114f:6001:0:12:7307"
  99. }
  100. ],
  101. )
  102. print(resp1)
  1. response = client.indices.create(
  2. index: 'network-traffic',
  3. body: {
  4. mappings: {
  5. properties: {
  6. "ipv4": {
  7. type: 'ip'
  8. },
  9. "ipv6": {
  10. type: 'ip'
  11. }
  12. }
  13. }
  14. }
  15. )
  16. puts response
  17. response = client.bulk(
  18. index: 'network-traffic',
  19. refresh: true,
  20. body: [
  21. {
  22. index: {
  23. _id: 0
  24. }
  25. },
  26. {
  27. "ipv4": '192.168.1.10',
  28. "ipv6": '2001:db8:a4f8:112a:6001:0:12:7f10'
  29. },
  30. {
  31. index: {
  32. _id: 1
  33. }
  34. },
  35. {
  36. "ipv4": '192.168.1.12',
  37. "ipv6": '2001:db8:a4f8:112a:6001:0:12:7f12'
  38. },
  39. {
  40. index: {
  41. _id: 2
  42. }
  43. },
  44. {
  45. "ipv4": '192.168.1.33',
  46. "ipv6": '2001:db8:a4f8:112a:6001:0:12:7f33'
  47. },
  48. {
  49. index: {
  50. _id: 3
  51. }
  52. },
  53. {
  54. "ipv4": '192.168.1.10',
  55. "ipv6": '2001:db8:a4f8:112a:6001:0:12:7f10'
  56. },
  57. {
  58. index: {
  59. _id: 4
  60. }
  61. },
  62. {
  63. "ipv4": '192.168.2.41',
  64. "ipv6": '2001:db8:a4f8:112c:6001:0:12:7f41'
  65. },
  66. {
  67. index: {
  68. _id: 5
  69. }
  70. },
  71. {
  72. "ipv4": '192.168.2.10',
  73. "ipv6": '2001:db8:a4f8:112c:6001:0:12:7f10'
  74. },
  75. {
  76. index: {
  77. _id: 6
  78. }
  79. },
  80. {
  81. "ipv4": '192.168.2.23',
  82. "ipv6": '2001:db8:a4f8:112c:6001:0:12:7f23'
  83. },
  84. {
  85. index: {
  86. _id: 7
  87. }
  88. },
  89. {
  90. "ipv4": '192.168.3.201',
  91. "ipv6": '2001:db8:a4f8:114f:6001:0:12:7201'
  92. },
  93. {
  94. index: {
  95. _id: 8
  96. }
  97. },
  98. {
  99. "ipv4": '192.168.3.107',
  100. "ipv6": '2001:db8:a4f8:114f:6001:0:12:7307'
  101. }
  102. ]
  103. )
  104. puts response
  1. const response = await client.indices.create({
  2. index: "network-traffic",
  3. mappings: {
  4. properties: {
  5. ipv4: {
  6. type: "ip",
  7. },
  8. ipv6: {
  9. type: "ip",
  10. },
  11. },
  12. },
  13. });
  14. console.log(response);
  15. const response1 = await client.bulk({
  16. index: "network-traffic",
  17. refresh: "true",
  18. operations: [
  19. {
  20. index: {
  21. _id: 0,
  22. },
  23. },
  24. {
  25. ipv4: "192.168.1.10",
  26. ipv6: "2001:db8:a4f8:112a:6001:0:12:7f10",
  27. },
  28. {
  29. index: {
  30. _id: 1,
  31. },
  32. },
  33. {
  34. ipv4: "192.168.1.12",
  35. ipv6: "2001:db8:a4f8:112a:6001:0:12:7f12",
  36. },
  37. {
  38. index: {
  39. _id: 2,
  40. },
  41. },
  42. {
  43. ipv4: "192.168.1.33",
  44. ipv6: "2001:db8:a4f8:112a:6001:0:12:7f33",
  45. },
  46. {
  47. index: {
  48. _id: 3,
  49. },
  50. },
  51. {
  52. ipv4: "192.168.1.10",
  53. ipv6: "2001:db8:a4f8:112a:6001:0:12:7f10",
  54. },
  55. {
  56. index: {
  57. _id: 4,
  58. },
  59. },
  60. {
  61. ipv4: "192.168.2.41",
  62. ipv6: "2001:db8:a4f8:112c:6001:0:12:7f41",
  63. },
  64. {
  65. index: {
  66. _id: 5,
  67. },
  68. },
  69. {
  70. ipv4: "192.168.2.10",
  71. ipv6: "2001:db8:a4f8:112c:6001:0:12:7f10",
  72. },
  73. {
  74. index: {
  75. _id: 6,
  76. },
  77. },
  78. {
  79. ipv4: "192.168.2.23",
  80. ipv6: "2001:db8:a4f8:112c:6001:0:12:7f23",
  81. },
  82. {
  83. index: {
  84. _id: 7,
  85. },
  86. },
  87. {
  88. ipv4: "192.168.3.201",
  89. ipv6: "2001:db8:a4f8:114f:6001:0:12:7201",
  90. },
  91. {
  92. index: {
  93. _id: 8,
  94. },
  95. },
  96. {
  97. ipv4: "192.168.3.107",
  98. ipv6: "2001:db8:a4f8:114f:6001:0:12:7307",
  99. },
  100. ],
  101. });
  102. console.log(response1);
  1. PUT network-traffic
  2. {
  3. "mappings": {
  4. "properties": {
  5. "ipv4": { "type": "ip" },
  6. "ipv6": { "type": "ip" }
  7. }
  8. }
  9. }
  10. POST /network-traffic/_bulk?refresh
  11. {"index":{"_id":0}}
  12. {"ipv4":"192.168.1.10","ipv6":"2001:db8:a4f8:112a:6001:0:12:7f10"}
  13. {"index":{"_id":1}}
  14. {"ipv4":"192.168.1.12","ipv6":"2001:db8:a4f8:112a:6001:0:12:7f12"}
  15. {"index":{"_id":2}}
  16. { "ipv4":"192.168.1.33","ipv6":"2001:db8:a4f8:112a:6001:0:12:7f33"}
  17. {"index":{"_id":3}}
  18. {"ipv4":"192.168.1.10","ipv6":"2001:db8:a4f8:112a:6001:0:12:7f10"}
  19. {"index":{"_id":4}}
  20. {"ipv4":"192.168.2.41","ipv6":"2001:db8:a4f8:112c:6001:0:12:7f41"}
  21. {"index":{"_id":5}}
  22. {"ipv4":"192.168.2.10","ipv6":"2001:db8:a4f8:112c:6001:0:12:7f10"}
  23. {"index":{"_id":6}}
  24. {"ipv4":"192.168.2.23","ipv6":"2001:db8:a4f8:112c:6001:0:12:7f23"}
  25. {"index":{"_id":7}}
  26. {"ipv4":"192.168.3.201","ipv6":"2001:db8:a4f8:114f:6001:0:12:7201"}
  27. {"index":{"_id":8}}
  28. {"ipv4":"192.168.3.107","ipv6":"2001:db8:a4f8:114f:6001:0:12:7307"}

The following aggregation groups documents into buckets. Each bucket identifies a different sub-network. The sub-network is calculated by applying a netmask with prefix length of 24 to each IP address in the ipv4 field:

  1. resp = client.search(
  2. index="network-traffic",
  3. size=0,
  4. aggs={
  5. "ipv4-subnets": {
  6. "ip_prefix": {
  7. "field": "ipv4",
  8. "prefix_length": 24
  9. }
  10. }
  11. },
  12. )
  13. print(resp)
  1. response = client.search(
  2. index: 'network-traffic',
  3. body: {
  4. size: 0,
  5. aggregations: {
  6. "ipv4-subnets": {
  7. ip_prefix: {
  8. field: 'ipv4',
  9. prefix_length: 24
  10. }
  11. }
  12. }
  13. }
  14. )
  15. puts response
  1. const response = await client.search({
  2. index: "network-traffic",
  3. size: 0,
  4. aggs: {
  5. "ipv4-subnets": {
  6. ip_prefix: {
  7. field: "ipv4",
  8. prefix_length: 24,
  9. },
  10. },
  11. },
  12. });
  13. console.log(response);
  1. GET /network-traffic/_search
  2. {
  3. "size": 0,
  4. "aggs": {
  5. "ipv4-subnets": {
  6. "ip_prefix": {
  7. "field": "ipv4",
  8. "prefix_length": 24
  9. }
  10. }
  11. }
  12. }

Response:

  1. {
  2. ...
  3. "aggregations": {
  4. "ipv4-subnets": {
  5. "buckets": [
  6. {
  7. "key": "192.168.1.0",
  8. "is_ipv6": false,
  9. "doc_count": 4,
  10. "prefix_length": 24,
  11. "netmask": "255.255.255.0"
  12. },
  13. {
  14. "key": "192.168.2.0",
  15. "is_ipv6": false,
  16. "doc_count": 3,
  17. "prefix_length": 24,
  18. "netmask": "255.255.255.0"
  19. },
  20. {
  21. "key": "192.168.3.0",
  22. "is_ipv6": false,
  23. "doc_count": 2,
  24. "prefix_length": 24,
  25. "netmask": "255.255.255.0"
  26. }
  27. ]
  28. }
  29. }
  30. }

To aggregate IPv6 addresses, set is_ipv6 to true.

  1. resp = client.search(
  2. index="network-traffic",
  3. size=0,
  4. aggs={
  5. "ipv6-subnets": {
  6. "ip_prefix": {
  7. "field": "ipv6",
  8. "prefix_length": 64,
  9. "is_ipv6": True
  10. }
  11. }
  12. },
  13. )
  14. print(resp)
  1. response = client.search(
  2. index: 'network-traffic',
  3. body: {
  4. size: 0,
  5. aggregations: {
  6. "ipv6-subnets": {
  7. ip_prefix: {
  8. field: 'ipv6',
  9. prefix_length: 64,
  10. "is_ipv6": true
  11. }
  12. }
  13. }
  14. }
  15. )
  16. puts response
  1. const response = await client.search({
  2. index: "network-traffic",
  3. size: 0,
  4. aggs: {
  5. "ipv6-subnets": {
  6. ip_prefix: {
  7. field: "ipv6",
  8. prefix_length: 64,
  9. is_ipv6: true,
  10. },
  11. },
  12. },
  13. });
  14. console.log(response);
  1. GET /network-traffic/_search
  2. {
  3. "size": 0,
  4. "aggs": {
  5. "ipv6-subnets": {
  6. "ip_prefix": {
  7. "field": "ipv6",
  8. "prefix_length": 64,
  9. "is_ipv6": true
  10. }
  11. }
  12. }
  13. }

If is_ipv6 is true, the response doesn’t include a netmask for each bucket.

  1. {
  2. ...
  3. "aggregations": {
  4. "ipv6-subnets": {
  5. "buckets": [
  6. {
  7. "key": "2001:db8:a4f8:112a::",
  8. "is_ipv6": true,
  9. "doc_count": 4,
  10. "prefix_length": 64
  11. },
  12. {
  13. "key": "2001:db8:a4f8:112c::",
  14. "is_ipv6": true,
  15. "doc_count": 3,
  16. "prefix_length": 64
  17. },
  18. {
  19. "key": "2001:db8:a4f8:114f::",
  20. "is_ipv6": true,
  21. "doc_count": 2,
  22. "prefix_length": 64
  23. }
  24. ]
  25. }
  26. }
  27. }

Parameters

field

(Required, string) The document IP address field to aggregate on. The field mapping type must be ip.

prefix_length

(Required, integer) Length of the network prefix. For IPv4 addresses, the accepted range is [0, 32]. For IPv6 addresses, the accepted range is [0, 128].

is_ipv6

(Optional, boolean) Defines whether the prefix applies to IPv6 addresses. Just specifying the prefix_length parameter is not enough to know if an IP prefix applies to IPv4 or IPv6 addresses. Defaults to false.

append_prefix_length

(Optional, boolean) Defines whether the prefix length is appended to IP address keys in the response. Defaults to false.

keyed

(Optional, boolean) Defines whether buckets are returned as a hash rather than an array in the response. Defaults to false.

min_doc_count

(Optional, integer) Defines the minimum number of documents for buckets to be included in the response. Defaults to 1.

Response body

key

(string) The IPv6 or IPv4 subnet.

prefix_length

(integer) The length of the prefix used to aggregate the bucket.

doc_count

(integer) Number of documents matching a specific IP prefix.

is_ipv6

(boolean) Defines whether the netmask is an IPv6 netmask.

netmask

(string) The IPv4 netmask. If is_ipv6 is true in the request, this field is missing in the response.

Keyed Response

Set the keyed flag of true to associate an unique IP address key with each bucket and return sub-networks as a hash rather than an array.

Example:

  1. resp = client.search(
  2. index="network-traffic",
  3. size=0,
  4. aggs={
  5. "ipv4-subnets": {
  6. "ip_prefix": {
  7. "field": "ipv4",
  8. "prefix_length": 24,
  9. "keyed": True
  10. }
  11. }
  12. },
  13. )
  14. print(resp)
  1. response = client.search(
  2. index: 'network-traffic',
  3. body: {
  4. size: 0,
  5. aggregations: {
  6. "ipv4-subnets": {
  7. ip_prefix: {
  8. field: 'ipv4',
  9. prefix_length: 24,
  10. keyed: true
  11. }
  12. }
  13. }
  14. }
  15. )
  16. puts response
  1. const response = await client.search({
  2. index: "network-traffic",
  3. size: 0,
  4. aggs: {
  5. "ipv4-subnets": {
  6. ip_prefix: {
  7. field: "ipv4",
  8. prefix_length: 24,
  9. keyed: true,
  10. },
  11. },
  12. },
  13. });
  14. console.log(response);
  1. GET /network-traffic/_search
  2. {
  3. "size": 0,
  4. "aggs": {
  5. "ipv4-subnets": {
  6. "ip_prefix": {
  7. "field": "ipv4",
  8. "prefix_length": 24,
  9. "keyed": true
  10. }
  11. }
  12. }
  13. }

Response:

  1. {
  2. ...
  3. "aggregations": {
  4. "ipv4-subnets": {
  5. "buckets": {
  6. "192.168.1.0": {
  7. "is_ipv6": false,
  8. "doc_count": 4,
  9. "prefix_length": 24,
  10. "netmask": "255.255.255.0"
  11. },
  12. "192.168.2.0": {
  13. "is_ipv6": false,
  14. "doc_count": 3,
  15. "prefix_length": 24,
  16. "netmask": "255.255.255.0"
  17. },
  18. "192.168.3.0": {
  19. "is_ipv6": false,
  20. "doc_count": 2,
  21. "prefix_length": 24,
  22. "netmask": "255.255.255.0"
  23. }
  24. }
  25. }
  26. }
  27. }

Append the prefix length to the IP address key

Set the append_prefix_length flag to true to catenate IP address keys with the prefix length of the sub-network.

Example:

  1. resp = client.search(
  2. index="network-traffic",
  3. size=0,
  4. aggs={
  5. "ipv4-subnets": {
  6. "ip_prefix": {
  7. "field": "ipv4",
  8. "prefix_length": 24,
  9. "append_prefix_length": True
  10. }
  11. }
  12. },
  13. )
  14. print(resp)
  1. response = client.search(
  2. index: 'network-traffic',
  3. body: {
  4. size: 0,
  5. aggregations: {
  6. "ipv4-subnets": {
  7. ip_prefix: {
  8. field: 'ipv4',
  9. prefix_length: 24,
  10. append_prefix_length: true
  11. }
  12. }
  13. }
  14. }
  15. )
  16. puts response
  1. const response = await client.search({
  2. index: "network-traffic",
  3. size: 0,
  4. aggs: {
  5. "ipv4-subnets": {
  6. ip_prefix: {
  7. field: "ipv4",
  8. prefix_length: 24,
  9. append_prefix_length: true,
  10. },
  11. },
  12. },
  13. });
  14. console.log(response);
  1. GET /network-traffic/_search
  2. {
  3. "size": 0,
  4. "aggs": {
  5. "ipv4-subnets": {
  6. "ip_prefix": {
  7. "field": "ipv4",
  8. "prefix_length": 24,
  9. "append_prefix_length": true
  10. }
  11. }
  12. }
  13. }

Response:

  1. {
  2. ...
  3. "aggregations": {
  4. "ipv4-subnets": {
  5. "buckets": [
  6. {
  7. "key": "192.168.1.0/24",
  8. "is_ipv6": false,
  9. "doc_count": 4,
  10. "prefix_length": 24,
  11. "netmask": "255.255.255.0"
  12. },
  13. {
  14. "key": "192.168.2.0/24",
  15. "is_ipv6": false,
  16. "doc_count": 3,
  17. "prefix_length": 24,
  18. "netmask": "255.255.255.0"
  19. },
  20. {
  21. "key": "192.168.3.0/24",
  22. "is_ipv6": false,
  23. "doc_count": 2,
  24. "prefix_length": 24,
  25. "netmask": "255.255.255.0"
  26. }
  27. ]
  28. }
  29. }
  30. }

Minimum document count

Use the min_doc_count parameter to only return buckets with a minimum number of documents.

  1. resp = client.search(
  2. index="network-traffic",
  3. size=0,
  4. aggs={
  5. "ipv4-subnets": {
  6. "ip_prefix": {
  7. "field": "ipv4",
  8. "prefix_length": 24,
  9. "min_doc_count": 3
  10. }
  11. }
  12. },
  13. )
  14. print(resp)
  1. response = client.search(
  2. index: 'network-traffic',
  3. body: {
  4. size: 0,
  5. aggregations: {
  6. "ipv4-subnets": {
  7. ip_prefix: {
  8. field: 'ipv4',
  9. prefix_length: 24,
  10. min_doc_count: 3
  11. }
  12. }
  13. }
  14. }
  15. )
  16. puts response
  1. const response = await client.search({
  2. index: "network-traffic",
  3. size: 0,
  4. aggs: {
  5. "ipv4-subnets": {
  6. ip_prefix: {
  7. field: "ipv4",
  8. prefix_length: 24,
  9. min_doc_count: 3,
  10. },
  11. },
  12. },
  13. });
  14. console.log(response);
  1. GET /network-traffic/_search
  2. {
  3. "size": 0,
  4. "aggs": {
  5. "ipv4-subnets": {
  6. "ip_prefix": {
  7. "field": "ipv4",
  8. "prefix_length": 24,
  9. "min_doc_count": 3
  10. }
  11. }
  12. }
  13. }

Response:

  1. {
  2. ...
  3. "aggregations": {
  4. "ipv4-subnets": {
  5. "buckets": [
  6. {
  7. "key": "192.168.1.0",
  8. "is_ipv6": false,
  9. "doc_count": 4,
  10. "prefix_length": 24,
  11. "netmask": "255.255.255.0"
  12. },
  13. {
  14. "key": "192.168.2.0",
  15. "is_ipv6": false,
  16. "doc_count": 3,
  17. "prefix_length": 24,
  18. "netmask": "255.255.255.0"
  19. }
  20. ]
  21. }
  22. }
  23. }