Using @jrodewig's example from his docs PR a query of the form `where cidrMatch(source.address, \"192.168.0.0/16\") == true` fails to match because the Painless script for equality is doing a simple comparison between `192.168.0.0/16` and the actual value in that field - `192.168.152.12` - and will obviously not match and the query will not return a result. For reference, the full script used in this query is

```json
"script": {
  "source": "InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.eq(InternalQlScriptUtils.docValue(doc,params.v0),params.v1),params.v2))",
  "lang": "painless",
  "params": {
    "v0": "source.address",
    "v1": "192.168.0.0/16",
    "v2": true
  }
}
```

On the other hand, when the `cidrMatch` function is being used standalone (and the Painless script is not needed) eql ES falls back to a `term` query of the form

```json
{
  "term": {
    "source.address": {
      "value": "192.168.0.0/16",
      "boost": 1
    }
  }
}
```

that does the right thing and knows about the cidr notation and matches the query.
I think we need a cidrMatch method to be used in scripts that will do whatever term query does with an IP field.
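
The difference between the two evaluation paths described in the issue, as an added example (not Elasticsearch or Painless code, and not from the issue author). The function names are hypothetical, the `None` handling for a missing field is an assumption, and the support for several CIDR blocks and IPv6 goes beyond the single IPv4 case in the post.

```python
import ipaddress


def string_eq(field_value, cidr):
    """What the generated script effectively does: plain equality on strings."""
    return field_value == cidr


def cidr_match(field_value, *cidrs):
    """Prefix containment: True if the address falls inside any given CIDR block."""
    if field_value is None:
        return None  # assumption: a missing value stays unknown instead of False
    addr = ipaddress.ip_address(field_value)
    for cidr in cidrs:
        # strict=False tolerates host bits set in the block, e.g. 192.168.1.1/16
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version != net.version:
            continue  # an IPv4 address never matches an IPv6 block, and vice versa
        shift = addr.max_prefixlen - net.prefixlen
        # Compare only the leading prefixlen bits of the address and the network.
        if int(addr) >> shift == int(net.network_address) >> shift:
            return True
    return False


def where_cidr_match_equals(field_value, cidr, expected):
    """Models `cidrMatch(field, cidr) == expected` evaluated inside a script."""
    return cidr_match(field_value, cidr) == expected


if __name__ == "__main__":
    value, block = "192.168.152.12", "192.168.0.0/16"  # values from the issue
    print("string equality :", string_eq(value, block))
    print("cidr containment:", cidr_match(value, block))
    print("cidrMatch == true:", where_cidr_match_equals(value, block, True))
```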