You're viewing version 3.4 of the OpenSearch documentation. This version is no longer maintained. For the latest version, see the current documentation. For information about OpenSearch version maintenance, see Release Schedule and Maintenance Policy.
IP address functions
The following IP address functions are supported in PPL.
CIDRMATCH
Usage: CIDRMATCH(ip, cidr)
Checks whether an IP address is within the specified CIDR range.
Parameters:
- `ip` (Required): The IP address to check, as a string or IP value. Supports both IPv4 and IPv6.
- `cidr` (Required): The CIDR range to check against, as a string. Supports both IPv4 and IPv6 blocks.
Return type: BOOLEAN
Example
```
source=weblogs
| where cidrmatch(host, '1.2.3.0/24')
| fields host, url
```
The query returns the following results:
| host | url |
|---|---|
| 1.2.3.4 | /history/voyager1/ |
| 1.2.3.5 | /history/voyager2/ |
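The following is an added example, not OpenSearch code: a local Python model of CIDR containment that you can use to check which rows a range would select before putting it in a `cidrmatch` filter. The sample rows are constructed, and the handling of unparsable values, IPv4-mapped IPv6 addresses, and ranges written with host bits set is this example's assumption, because this page does not state how CIDRMATCH treats them.

```python
import ipaddress

# Constructed sample rows shaped like the page's weblogs index (host, url).
WEBLOGS = [
    {"host": "1.2.3.4", "url": "/history/voyager1/"},
    {"host": "1.2.3.5", "url": "/history/voyager2/"},
    {"host": "1.2.4.9", "url": "/shuttle/missions/"},
    {"host": "::ffff:1.2.3.7", "url": "/images/logo.gif"},  # IPv4-mapped IPv6
    {"host": "2001:db8::17", "url": "/history/apollo/"},
    {"host": "not-an-ip", "url": "/"},
]


def cidr_match(ip, cidr, unmap_v4=False):
    """Local model of CIDR containment: True if ip falls inside cidr.

    Assumptions of this model (not documented CIDRMATCH behavior):
    unparsable input and IPv4/IPv6 family mismatches return False, and
    unmap_v4=True rewrites ::ffff:a.b.c.d to a.b.c.d before comparing.
    """
    try:
        addr = ipaddress.ip_address(ip)
        # strict=False accepts a range written with host bits set (1.2.3.4/24).
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    if unmap_v4 and addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.version == net.version and addr in net


def where_cidr(rows, cidr, unmap_v4=False):
    """Local stand-in for: where cidrmatch(host, cidr) | fields host, url."""
    return [(r["host"], r["url"]) for r in rows
            if cidr_match(r["host"], cidr, unmap_v4)]


if __name__ == "__main__":
    for cidr in ("1.2.3.0/24", "2001:db8::/32"):
        print(cidr, where_cidr(WEBLOGS, cidr))
    # Rows that only match after unmapping show where stored address form matters.
    print("unmapped:", where_cidr(WEBLOGS, "1.2.3.0/24", unmap_v4=True))
```

Rows that appear only with `unmap_v4=True` are the ones to verify against the real index, since they depend on how the `host` field was stored at ingest time.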
GEOIP
Usage: GEOIP(dataSourceName, ipAddress[, options])
Retrieves location information for IP addresses using the OpenSearch Geospatial plugin API.
Parameters:
- `dataSourceName` (Required): The name of an established data source on the OpenSearch Geospatial plugin. For configuration details, see the IP2Geo processor documentation.
- `ipAddress` (Required): The IP address to look up, as a string or IP value. Supports both IPv4 and IPv6.
- `options` (Optional): A comma-separated string of fields to output. The available fields depend on the data source provider's schema. For example, the `geolite2-city` dataset includes fields like `country_iso_code`, `country_name`, `continent_name`, `region_iso_code`, `region_name`, `city_name`, `time_zone`, and `location`.
Return type: OBJECT
Example
```
source=weblogs
| eval LookupResult = geoip("dataSourceName", "50.68.18.229", "country_iso_code,city_name")
```
The query returns the following results:
| LookupResult |
|---|
| {'city_name': 'Vancouver', 'country_iso_code': 'CA'} |