ES type error on IP network report

[biolds]

Using ES 5.5, and 0.8.0 (Rev: 270451f),
when using an "ip" mapping type for dest_ip and src_ip fields, selecting a report for a network fails (using the "Related Reports" dropdown menu in an ip report).
The loading sign shows up and stays indefinitely.
The last POST query shows an exception from ES:

Can only use prefix queries on keyword and text fields - not on [dest_ip] which is of type [ip]

[jasonish]

Ok, 2 issues. First, the error should ripple back to the UI. There are some places where I need to clean this up.

Second, EveBox is designed to work with the default Logstash template which does not map src_ip and dest_ip to the IP type. But this isn't the first I've seen this done. So I'll have to look into detecting if its mapped or not, and alter the query depending on if it is or not.

[regit]

@jasonish do you plan to work on it soon ? If not we're going to have a look.

[jasonish]

@jasonish do you plan to work on it soon ? If not we're going to have a look.

I assume you mean the issue where the IP addresses are mapped to the IP type? Yes, I plan to support that soon. Probably in the next few weeks. I see a need to do more parsing of the template for cases where there are changes from the standard logstash template.

[jasonish]

Anyone want to give this a test:

https://evebox.org/files/development/evebox-latest-amd64.deb

Its not true support for CIDR address or the IP datatype, but it should work now whether or not src_ip/dest_ip are mapping to an IP datatype.

I'm going to look into proper IP datatype/CIDR searches after I do a release right away.

[biolds]

Works great, thanks!