Description
Using @jrodewig's example from his docs PR, a query of the form where cidrMatch(source.address, "192.168.0.0/16") == true fails to match because the Painless script for equality is doing a simple comparison between 192.168.0.0/16 and the actual value in that field - 192.168.152.12 - and will obviously not match and the query will not return a result. For reference, the full script used in this query is:
    "script": {
      "source": "InternalQlScriptUtils.nullSafeFilter(InternalQlScriptUtils.eq(InternalQlScriptUtils.eq(InternalQlScriptUtils.docValue(doc,params.v0),params.v1),params.v2))",
      "lang": "painless",
      "params": {
        "v0": "source.address",
        "v1": "192.168.0.0/16",
        "v2": true
      }
    }
On the other hand, when the cidrMatch function is being used standalone (and the Painless script is not needed) eql ES falls back to a term query of the form
    {
      "term": {
        "source.address": {
          "value": "192.168.0.0/16",
          "boost": 1
        }
      }
    }
that does the right thing and knows about the cidr notation and matches the query.
I think we need a cidrMatch method to be used in scripts that will do whatever term query does with an IP field.
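The mismatch described in this issue, as an added example that is not part of the original report and is not Elasticsearch code: plain equality against the CIDR string versus a prefix-bit comparison, run over constructed documents. The names `script_eq`, `cidr_match` and `run_filter` are hypothetical, and the sketch illustrates the expected semantics only, not how the term query is implemented.

```python
import ipaddress

def script_eq(doc_value, param):
    """Mimics the plain equality applied to the field value in the script."""
    return doc_value == param

def cidr_match(address, *cidrs):
    """True if address falls inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(address)
    for cidr in cidrs:
        net_text, _, prefix_text = cidr.partition("/")
        net = ipaddress.ip_address(net_text)
        if net.version != addr.version:
            continue  # an IPv4 address never matches an IPv6 block, and vice versa
        bits = net.max_prefixlen  # 32 for IPv4, 128 for IPv6
        prefix = int(prefix_text) if prefix_text else bits
        if not 0 <= prefix <= bits:
            raise ValueError(f"invalid prefix length in {cidr!r}")
        # Keep only the leading `prefix` bits of both values and compare them.
        mask = ((1 << prefix) - 1) << (bits - prefix)
        if int(addr) & mask == int(net) & mask:
            return True
    return False

# Constructed sample documents; the first uses the field value from the issue.
DOCS = [
    {"source.address": "192.168.152.12"},
    {"source.address": "10.1.2.3"},
    {"source.address": "fe80::1"},
]

def run_filter(predicate, docs, block):
    """Return the addresses of the documents the predicate accepts."""
    return [d["source.address"] for d in docs if predicate(d["source.address"], block)]

if __name__ == "__main__":
    block = "192.168.0.0/16"
    print("equality  :", run_filter(script_eq, DOCS, block))
    print("cidr match:", run_filter(cidr_match, DOCS, block))
```
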