ES|QL TO_IP function
field- Input value. The input can be a single- or multi-valued column or an expression.
options-
(Optional) Additional options.
Converts an input string to an IP value.
| field | options | result |
|---|---|---|
| ip | named parameters | ip |
| ip | ip | |
| keyword | named parameters | ip |
| keyword | ip | |
| text | named parameters | ip |
| text | ip |
leading_zeros-
(keyword) What to do with leading 0s in IPv4 addresses.
ROW str1 = "1.1.1.1", str2 = "foo"
| EVAL ip1 = TO_IP(str1), ip2 = TO_IP(str2)
| WHERE CIDR_MATCH(ip1, "1.0.0.0/8")
| str1:keyword | str2:keyword | ip1:ip | ip2:ip |
|---|---|---|---|
| 1.1.1.1 | foo | 1.1.1.1 | null |
Note that in this example, the last conversion of the string isn’t possible.
When this happens, the result is a null value. In this case a Warning header is added to the response.
The header will provide information on the source of the failure:
"Line 1:68: evaluation of [TO_IP(str2)] failed, treating result as null. Only first 20 failures recorded."
A following header will contain the failure reason and the offending value:
"java.lang.IllegalArgumentException: 'foo' is not an IP string literal."
ROW s = "1.1.010.1" | EVAL ip = TO_IP(s, {"leading_zeros":"octal"})
| s:keyword | ip:ip |
|---|---|
| 1.1.010.1 | 1.1.8.1 |
Parse v4 addresses with leading zeros as octal. Like ping or ftp.
ROW s = "1.1.010.1" | EVAL ip = TO_IP(s, {"leading_zeros":"decimal"})
| s:keyword | ip:ip |
|---|---|
| 1.1.010.1 | 1.1.10.1 |
Parse v4 addresses with leading zeros as decimal. Java's InetAddress.getByName.