Cannot search ip addresses from only some string data fields

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.8/ Wazuh 4.7.4/ Ubuntu 22.04/ edge or chrome or mozilla

Describe the issue:
Currently a log result cannot be shown when entering an ip address (x.x.x.x) in Discover for some string data fields. The ip address resides in a string data type, and not all string data types with ip addresses are impacted. I raised this issue with Wazuh, although they directed this query to yourselves.
I have an example of another field that uses a string data type that can be searched against without adding the field prior to the data. (ip address).
Example is using ip address 192.168.70.10
If this is entered as is as a query there is no search response for the fields it doesn’t work against.
Other string data type fields work fine.
If I place the field_name:192.168.70.10 then it works fine for the impacted fields.

SQL type is keyword for both. The only difference is that the field name which has spaces between each data entry in the raw syslog log works, while the fields that don't have spaces but commas instead don't work.

Configuration:

Since Wazuh is being used, they have precreated the indices, fields and data types.

You can try to search the ip address with double quotes: “192.168.70.10”, that will transform the query to a match_phrase_query which gives exact matching result.

Hi gaobinlong,

I have tried adding quotes although this has the same issue as without.

Could you show the index mappings?

Hi,

The following is a field that correctly shows a response without prepending the field.

GET /mapping

data.srcip

    "srcip": {
      "type": "keyword"
    },

The following doesn’t

data.source_address

    "source_address": {
      "type": "keyword"
    },


@markcave I’ve tested 2.8 and I was able to search IP address in both fields using OpenSearch Dashboards discovery.

PUT /_index_template/standardtemplate
{
  "index_patterns": [
    "ipaddress*"
  ],
  "priority": 100,
  "template": {
    "settings": {
      "index": {
        "mapping": {
          "total_fields": {
            "limit": "2000"
          }
        }
      }
    },
    "mappings": {
      "dynamic": false,
      "properties": {
        "data": {
          "properties": {
            "source_address": {
              "type": "keyword"
            },
            "srcip": {
              "type": "keyword"
            }
          }
        }
      }
    }
  }
}


Hi Pablo,

Appreciate the response.
Can you try using a raw syslog entry that uses commas between the fields, not white spaces and then try again.

Example

Jul 17 02:43:31 pa55 1,2024/07/17 02:43:31,11111111,TRAFFIC,end,2561,2024/07/17 02:43:27,192.168.1.1,192.168.1.2,

@markcave Try this in Discovery DQL

*192.168.1.1*
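The following script is an added example and is not code from the thread, from OpenSearch or from Wazuh. It reproduces the three query forms discussed above (bare term, the quoted form gaobinlong suggested, and Pablo's wildcard form) plus the explicit field:value form Mark reported as working, against a hypothetical index "ipaddress-test" that matches Pablo's "ipaddress*" template. It also fetches the index setting index.query.default_field, which is what decides which fields a query without a field prefix is run against; an index whose template restricts that list is one common reason a bare term matches one keyword field but not another. The sample document is constructed from the two IPs in Mark's syslog line. The cluster URL is read from OPENSEARCH_URL; with that variable unset, only the pure helper functions run.

```shell
#!/bin/sh
# Added example (not from the thread, OpenSearch or Wazuh). Assumes an
# OpenSearch node at $OPENSEARCH_URL (e.g. http://localhost:9200) and a
# hypothetical index "ipaddress-test" covered by the "ipaddress*" template.
INDEX="${INDEX:-ipaddress-test}"

# Constructed sample document: the two keyword fields from the thread,
# filled with the source/destination IPs from the comma-separated syslog line.
SAMPLE_DOC='{"data":{"srcip":"192.168.1.1","source_address":"192.168.1.2"}}'

# Build a query_string search body. With no field prefix in the query text,
# the fields searched are governed by the index setting
# index.query.default_field (default "*"); a "field:value" prefix bypasses it.
query_body() {
  # $1 is the query text; escape embedded double quotes for the JSON string
  q=$(printf '%s' "$1" | sed 's/"/\\"/g')
  printf '{"size":5,"query":{"query_string":{"query":"%s"}}}' "$q"
}

# Quoted form: query_string treats "192.168.1.2" as an exact phrase.
quoted() { printf '"%s"' "$1"; }

# Wildcard form from Pablo's reply: *192.168.1.2*
wildcarded() { printf '*%s*' "$1"; }

# Only talk to a cluster when one was configured; everything above is pure.
if [ -n "${OPENSEARCH_URL:-}" ]; then
  # 1. Index the sample document and refresh so it is searchable at once.
  curl -s -X POST "$OPENSEARCH_URL/$INDEX/_doc?refresh=true" \
       -H 'Content-Type: application/json' -d "$SAMPLE_DOC" >/dev/null

  # 2. Show which fields a bare query may search on this index (empty output
  #    means the setting is unset and the default "*" applies).
  curl -s "$OPENSEARCH_URL/$INDEX/_settings?filter_path=**.query.default_field"
  echo

  # 3. Run each query form and print only the hit count.
  for q in '192.168.1.2' "$(quoted 192.168.1.2)" "$(wildcarded 192.168.1.2)" \
           'data.source_address:192.168.1.2'; do
    printf '%-40s -> ' "$q"
    curl -s -X POST "$OPENSEARCH_URL/$INDEX/_search?filter_path=hits.total.value" \
         -H 'Content-Type: application/json' -d "$(query_body "$q")"
    echo
  done
fi
```

If the bare and quoted forms return zero hits for data.source_address while the field:value form returns one, compare the default_field output from step 2 with the list of fields in the mapping; a field missing from that list is invisible to queries that do not name it.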

Hi pablo,

That works.
It doesn’t completely highlight the field in the results although it does detect it.

Appreciate the support.

Thanks
