
I'm looking at starting to graph inbound connections to our various services (web, mail, dns etc) by IP version, ie IPv4 connections versus IPv6 connections.

Currently the IPs are being stored in a single field. What's the best approach to count/graph the IPs by version? A new field and count them? Is there a query I can run to get only v4 or v6 IPs?

Boden Garman

1 Answer


You could check for the presence of `:`, or go on the string length.

Most, but not all! -- ::1 and others are shorter -- IPv6 addresses will be > 15 characters. Length may be a quick way if you only need an estimate.

For accuracy I'd parse the string and determine if it's IPv6 or IPv4, and store the output in a separate boolean field. Alternatively do proper string parsing using the script facility (i.e. on-the-fly).

{
  "filter": {
    "script": {
      "script": "doc['ip_address'].value.length() > 15"
    }
  }
}
sandstrom
  • There are IPv6 addresses with a textual representation shorter than any IPv4 address. `::1` and `2600::` come to mind. An IPv4 address in quad-dotted notation cannot be that short. An IPv6 address in textual representation can be as short as 2 characters or as long as 45 characters. – kasperd Nov 18 '15 at 00:56
  • @kasperd thanks, I mentioned it previously, but I've made it more clear! – sandstrom Nov 18 '15 at 09:57
  • Cheers. I think I'll either try and check for ":" or see if I can somehow use either the IPv4 or IPv6 Grok patterns. – Boden Garman Nov 18 '15 at 22:10
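The two approaches from the answer side by side, as an added example that is not part of the original post or its comments: the `> 15` length heuristic versus real parsing with Ruby's stdlib `IPAddr` (the kind of check you could run in a Logstash `ruby` filter to populate a boolean field before indexing). The `ip_address` values are constructed samples, not real client addresses.

```ruby
require 'ipaddr'

# Constructed sample of values a logging pipeline might hold in a single
# "ip_address" field; includes the short IPv6 cases raised in the comments
# and an IPv4-mapped IPv6 address, plus one garbage value.
SAMPLE_IPS = [
  '192.0.2.10',            # IPv4
  '198.51.100.7',          # IPv4
  '::1',                   # IPv6 loopback, 3 characters: shorter than any IPv4
  '2600::',                # IPv6, 6 characters
  '2001:db8::dead:beef',   # IPv6, compressed form
  '::ffff:192.0.2.10',     # IPv4-mapped IPv6: parses as the IPv6 family
  'not-an-ip'              # invalid, must not be counted as either version
].freeze

# Length heuristic from the answer: anything longer than 15 characters is
# treated as IPv6. Quick, but wrong for short IPv6 representations.
def version_by_length(s)
  s.length > 15 ? 6 : 4
end

# Accurate classification: parse the string and ask which family it is.
# Returns 4, 6, or nil when the string is not an address at all.
def ip_version(s)
  addr = IPAddr.new(s)
  return 4 if addr.ipv4?
  return 6 if addr.ipv6?
  nil
rescue IPAddr::InvalidAddressError, IPAddr::AddressFamilyError
  nil
end

# Per-version totals, the numbers a "connections by IP version" graph needs.
# Unparseable strings land in a separate "invalid" bucket instead of
# silently inflating one of the versions.
def count_by_version(ips)
  ips.each_with_object(Hash.new(0)) do |s, counts|
    v = ip_version(s)
    counts[v ? "ipv#{v}" : 'invalid'] += 1
  end
end

# Valid addresses that the length heuristic would have put in the wrong bucket.
def disagreements(ips)
  ips.select { |s| ip_version(s) && ip_version(s) != version_by_length(s) }
end

if __FILE__ == $PROGRAM_NAME
  puts count_by_version(SAMPLE_IPS).inspect
  puts "misclassified by length: #{disagreements(SAMPLE_IPS).join(', ')}"
end
```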