Terms aggregation on first three octets of IP

Question

I'm doing a faceted search UI, and one of the facets I want to add is for the first three octets of an IP field.

So for example, given documents with IPs "192.168.1.1", "192.168.1.2", "192.168.2.1", I would want to display the facets "192.168.1 (2)" and "192.168.2 (1)".

Is there an aggregation I can use for this? As far as I can tell, range aggregations require me to predefine the ranges, and term aggregations only take a field.

Obviously the alternative is for me to index the first three octets as a separate field, but of course I would prefer to avoid that.

Thanks!

score 1 · Accepted Answer · edited May 23 '17 at 12:26

You can add a path hierarchy tokenizer with delimeter of '.' and a custom analyzer with the tokenizer set to the tokenizer you just made.

See this question for the syntax:

Elasticsearch - using the path hierarchy tokenizer to access different level of categories

Then you can aggregate terms and you will get results grouped by each number group

{
    "key": "192",
    "doc_count": 10
},
{
    "key": "192.168",
    "doc_count": 10
},
...

In the linked answer there is a way to exclude certain aggregations levels. The following should exclude all results except ones that have 3 levels of numbers.

"aggs": {
    "ipaddr": {
        "terms": {
            "field": "your_ip_addr",
            "exclude": ".*",
            "include": ".*\\..*\\..*"
     }
}

https://www.elastic.co/guide/en/elasticsearch/reference/current/analysis-pathhierarchy-tokenizer.html

Terms aggregation on first three octets of IP

1 Answers1