OpenSearch/docs/reference/aggregations/bucket/iprange-aggregation.asciidoc

[[search-aggregations-bucket-iprange-aggregation]]
=== IP Range Aggregation

Just like the dedicated <<search-aggregations-bucket-daterange-aggregation,date>> range aggregation, there is also a dedicated range aggregation for IP typed fields:

Example:

[source,console]
--------------------------------------------------
GET /ip_addresses/_search
{
  "size": 10,
  "aggs": {
    "ip_ranges": {
      "ip_range": {
        "field": "ip",
        "ranges": [
          { "to": "10.0.0.5" },
          { "from": "10.0.0.5" }
        ]
      }
    }
  }
}
--------------------------------------------------
// TEST[setup:iprange]

Response:

[source,console-result]
--------------------------------------------------
{
  ...

  "aggregations": {
    "ip_ranges": {
      "buckets": [
        {
          "key": "*-10.0.0.5",
          "to": "10.0.0.5",
          "doc_count": 10
        },
        {
          "key": "10.0.0.5-*",
          "from": "10.0.0.5",
          "doc_count": 260
        }
      ]
    }
  }
}
--------------------------------------------------
// TESTRESPONSE[s/\.\.\./"took": $body.took,"timed_out": false,"_shards": $body._shards,"hits": $body.hits,/]

IP ranges can also be defined as CIDR masks:

[source,console]
--------------------------------------------------
GET /ip_addresses/_search
{
  "size": 0,
  "aggs": {
    "ip_ranges": {
      "ip_range": {
        "field": "ip",
        "ranges": [
          { "mask": "10.0.0.0/25" },
          { "mask": "10.0.0.127/25" }
        ]
      }
    }
  }
}
--------------------------------------------------
// TEST[setup:iprange]

Response:

[source,console-result]
--------------------------------------------------
{
  ...

  "aggregations": {
    "ip_ranges": {
      "buckets": [
        {
          "key": "10.0.0.0/25",
          "from": "10.0.0.0",
          "to": "10.0.0.128",
          "doc_count": 128
        },
        {
          "key": "10.0.0.127/25",
          "from": "10.0.0.0",
          "to": "10.0.0.128",
          "doc_count": 128
        }
      ]
    }
  }
}
--------------------------------------------------
// TESTRESPONSE[s/\.\.\./"took": $body.took,"timed_out": false,"_shards": $body._shards,"hits": $body.hits,/]

==== Keyed Response

Setting the `keyed` flag to `true` will associate a unique string key with each bucket and return the ranges as a hash rather than an array:

[source,console]
--------------------------------------------------
GET /ip_addresses/_search
{
  "size": 0,
  "aggs": {
    "ip_ranges": {
      "ip_range": {
        "field": "ip",
        "ranges": [
          { "to": "10.0.0.5" },
          { "from": "10.0.0.5" }
        ],
        "keyed": true
      }
    }
  }
}
--------------------------------------------------
// TEST[setup:iprange]

Response:

[source,console-result]
--------------------------------------------------
{
  ...

  "aggregations": {
    "ip_ranges": {
      "buckets": {
        "*-10.0.0.5": {
          "to": "10.0.0.5",
          "doc_count": 10
        },
        "10.0.0.5-*": {
          "from": "10.0.0.5",
          "doc_count": 260
        }
      }
    }
  }
}
--------------------------------------------------
// TESTRESPONSE[s/\.\.\./"took": $body.took,"timed_out": false,"_shards": $body._shards,"hits": $body.hits,/]

It is also possible to customize the key for each range:

[source,console]
--------------------------------------------------
GET /ip_addresses/_search
{
  "size": 0,
  "aggs": {
    "ip_ranges": {
      "ip_range": {
        "field": "ip",
        "ranges": [
          { "key": "infinity", "to": "10.0.0.5" },
          { "key": "and-beyond", "from": "10.0.0.5" }
        ],
        "keyed": true
      }
    }
  }
}
--------------------------------------------------
// TEST[setup:iprange]

Response:

[source,console-result]
--------------------------------------------------
{
  ...

  "aggregations": {
    "ip_ranges": {
      "buckets": {
        "infinity": {
          "to": "10.0.0.5",
          "doc_count": 10
        },
        "and-beyond": {
          "from": "10.0.0.5",
          "doc_count": 260
        }
      }
    }
  }
}
--------------------------------------------------
// TESTRESPONSE[s/\.\.\./"took": $body.took,"timed_out": false,"_shards": $body._shards,"hits": $body.hits,/]
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00			`[[search-aggregations-bucket-iprange-aggregation]]`
Add back support for `ip` range aggregations. #17859 This commit adds support for range aggregations on `ip` fields. However it will only work on 5.x indices. Closes #17700 2016-04-18 10:11:11 -04:00			`=== IP Range Aggregation`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00
Add back support for `ip` range aggregations. #17859 This commit adds support for range aggregations on `ip` fields. However it will only work on 5.x indices. Closes #17700 2016-04-18 10:11:11 -04:00			`Just like the dedicated <<search-aggregations-bucket-daterange-aggregation,date>> range aggregation, there is also a dedicated range aggregation for IP typed fields:`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00
			`Example:`

[DOCS] Replace "// CONSOLE" comments with [source,console] (#46159) (#46332) 2019-09-05 10:11:25 -04:00			`[source,console]`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00			`--------------------------------------------------`
Allow `_doc` as a type. (#27816) Allowing `_doc` as a type will enable users to make the transition to 7.0 smoother since the index APIs will be `PUT index/_doc/id` and `POST index/_doc`. This also moves most of the documentation to `_doc` as a type name. Closes #27750 Closes #27751 2017-12-14 11:47:53 -05:00			`GET /ip_addresses/_search`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00			`{`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`"size": 10,`
			`"aggs": {`
			`"ip_ranges": {`
			`"ip_range": {`
			`"field": "ip",`
			`"ranges": [`
			`{ "to": "10.0.0.5" },`
			`{ "from": "10.0.0.5" }`
			`]`
			`}`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00			`}`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`}`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00			`}`
			`--------------------------------------------------`
CONSOLEify ip-range bucket agg docs Related #18160 2017-08-03 17:17:02 -04:00			`// TEST[setup:iprange]`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00
			`Response:`

[DOCS] [5 of 5] Change // TESTRESPONSE comments to [source,console-results] (#46449) (#46459) 2019-09-06 16:09:09 -04:00			`[source,console-result]`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00			`--------------------------------------------------`
			`{`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`...`

			`"aggregations": {`
			`"ip_ranges": {`
			`"buckets": [`
			`{`
			`"key": "*-10.0.0.5",`
			`"to": "10.0.0.5",`
			`"doc_count": 10`
			`},`
			`{`
			`"key": "10.0.0.5-*",`
			`"from": "10.0.0.5",`
			`"doc_count": 260`
Made all multi-bucket aggs return consistent response format Closes #4926 2014-01-28 11:46:26 -05:00			`}`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`]`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00			`}`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`}`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00			`}`
			`--------------------------------------------------`
CONSOLEify ip-range bucket agg docs Related #18160 2017-08-03 17:17:02 -04:00			`// TESTRESPONSE[s/\.\.\./"took": $body.took,"timed_out": false,"_shards": $body._shards,"hits": $body.hits,/]`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00
			`IP ranges can also be defined as CIDR masks:`

[DOCS] Replace "// CONSOLE" comments with [source,console] (#46159) (#46332) 2019-09-05 10:11:25 -04:00			`[source,console]`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00			`--------------------------------------------------`
Allow `_doc` as a type. (#27816) Allowing `_doc` as a type will enable users to make the transition to 7.0 smoother since the index APIs will be `PUT index/_doc/id` and `POST index/_doc`. This also moves most of the documentation to `_doc` as a type name. Closes #27750 Closes #27751 2017-12-14 11:47:53 -05:00			`GET /ip_addresses/_search`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00			`{`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`"size": 0,`
			`"aggs": {`
			`"ip_ranges": {`
			`"ip_range": {`
			`"field": "ip",`
			`"ranges": [`
			`{ "mask": "10.0.0.0/25" },`
			`{ "mask": "10.0.0.127/25" }`
			`]`
			`}`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00			`}`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`}`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00			`}`
			`--------------------------------------------------`
CONSOLEify ip-range bucket agg docs Related #18160 2017-08-03 17:17:02 -04:00			`// TEST[setup:iprange]`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00
			`Response:`

[DOCS] [5 of 5] Change // TESTRESPONSE comments to [source,console-results] (#46449) (#46459) 2019-09-06 16:09:09 -04:00			`[source,console-result]`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00			`--------------------------------------------------`
			`{`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`...`

			`"aggregations": {`
			`"ip_ranges": {`
			`"buckets": [`
			`{`
			`"key": "10.0.0.0/25",`
			`"from": "10.0.0.0",`
			`"to": "10.0.0.128",`
			`"doc_count": 128`
			`},`
			`{`
			`"key": "10.0.0.127/25",`
			`"from": "10.0.0.0",`
			`"to": "10.0.0.128",`
			`"doc_count": 128`
Made all multi-bucket aggs return consistent response format Closes #4926 2014-01-28 11:46:26 -05:00			`}`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`]`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00			`}`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`}`
initial commit of the aggregations module Closes #3300 2013-11-24 06:13:08 -05:00			`}`
Add back support for `ip` range aggregations. #17859 This commit adds support for range aggregations on `ip` fields. However it will only work on 5.x indices. Closes #17700 2016-04-18 10:11:11 -04:00			`--------------------------------------------------`
CONSOLEify ip-range bucket agg docs Related #18160 2017-08-03 17:17:02 -04:00			`// TESTRESPONSE[s/\.\.\./"took": $body.took,"timed_out": false,"_shards": $body._shards,"hits": $body.hits,/]`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00
			`==== Keyed Response`

			Setting the `keyed` flag to `true` will associate a unique string key with each bucket and return the ranges as a hash rather than an array:

[DOCS] Replace "// CONSOLE" comments with [source,console] (#46159) (#46332) 2019-09-05 10:11:25 -04:00			`[source,console]`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00			`--------------------------------------------------`
Allow `_doc` as a type. (#27816) Allowing `_doc` as a type will enable users to make the transition to 7.0 smoother since the index APIs will be `PUT index/_doc/id` and `POST index/_doc`. This also moves most of the documentation to `_doc` as a type name. Closes #27750 Closes #27751 2017-12-14 11:47:53 -05:00			`GET /ip_addresses/_search`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00			`{`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`"size": 0,`
			`"aggs": {`
			`"ip_ranges": {`
			`"ip_range": {`
			`"field": "ip",`
			`"ranges": [`
			`{ "to": "10.0.0.5" },`
			`{ "from": "10.0.0.5" }`
			`],`
			`"keyed": true`
			`}`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00			`}`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`}`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00			`}`
			`--------------------------------------------------`
CONSOLEify ip-range bucket agg docs Related #18160 2017-08-03 17:17:02 -04:00			`// TEST[setup:iprange]`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00
			`Response:`

[DOCS] [5 of 5] Change // TESTRESPONSE comments to [source,console-results] (#46449) (#46459) 2019-09-06 16:09:09 -04:00			`[source,console-result]`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00			`--------------------------------------------------`
			`{`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`...`

			`"aggregations": {`
			`"ip_ranges": {`
			`"buckets": {`
			`"*-10.0.0.5": {`
			`"to": "10.0.0.5",`
			`"doc_count": 10`
			`},`
			`"10.0.0.5-*": {`
			`"from": "10.0.0.5",`
			`"doc_count": 260`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00			`}`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`}`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00			`}`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`}`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00			`}`
			`--------------------------------------------------`
CONSOLEify ip-range bucket agg docs Related #18160 2017-08-03 17:17:02 -04:00			`// TESTRESPONSE[s/\.\.\./"took": $body.took,"timed_out": false,"_shards": $body._shards,"hits": $body.hits,/]`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00
			`It is also possible to customize the key for each range:`

[DOCS] Replace "// CONSOLE" comments with [source,console] (#46159) (#46332) 2019-09-05 10:11:25 -04:00			`[source,console]`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00			`--------------------------------------------------`
Allow `_doc` as a type. (#27816) Allowing `_doc` as a type will enable users to make the transition to 7.0 smoother since the index APIs will be `PUT index/_doc/id` and `POST index/_doc`. This also moves most of the documentation to `_doc` as a type name. Closes #27750 Closes #27751 2017-12-14 11:47:53 -05:00			`GET /ip_addresses/_search`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00			`{`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`"size": 0,`
			`"aggs": {`
			`"ip_ranges": {`
			`"ip_range": {`
			`"field": "ip",`
			`"ranges": [`
			`{ "key": "infinity", "to": "10.0.0.5" },`
			`{ "key": "and-beyond", "from": "10.0.0.5" }`
			`],`
			`"keyed": true`
			`}`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00			`}`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`}`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00			`}`
			`--------------------------------------------------`
CONSOLEify ip-range bucket agg docs Related #18160 2017-08-03 17:17:02 -04:00			`// TEST[setup:iprange]`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00
			`Response:`

[DOCS] [5 of 5] Change // TESTRESPONSE comments to [source,console-results] (#46449) (#46459) 2019-09-06 16:09:09 -04:00			`[source,console-result]`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00			`--------------------------------------------------`
			`{`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`...`

			`"aggregations": {`
			`"ip_ranges": {`
			`"buckets": {`
			`"infinity": {`
			`"to": "10.0.0.5",`
			`"doc_count": 10`
			`},`
			`"and-beyond": {`
			`"from": "10.0.0.5",`
			`"doc_count": 260`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00			`}`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`}`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00			`}`
[DOCS] Reformat agg snippets to use two-space indents (#59912) (#59922) 2020-07-20 15:59:00 -04:00			`}`
Update aggs reference documentation for 'keyed' options (#23758) Add 'keyed' parameter documentation for following: - Date Histogram Aggregation - Date Range Aggregation - Geo Distance Aggregation - Histogram Aggregation - IP range aggregation - Percentiles Aggregation - Percentile Ranks Aggregation 2017-04-18 09:57:50 -04:00			`}`
			`--------------------------------------------------`
Allow `_doc` as a type. (#27816) Allowing `_doc` as a type will enable users to make the transition to 7.0 smoother since the index APIs will be `PUT index/_doc/id` and `POST index/_doc`. This also moves most of the documentation to `_doc` as a type name. Closes #27750 Closes #27751 2017-12-14 11:47:53 -05:00			`// TESTRESPONSE[s/\.\.\./"took": $body.took,"timed_out": false,"_shards": $body._shards,"hits": $body.hits,/]`