User cannot save a filter with ip with CIDR notation value

[bhavyarm]

Kibana version: 7.5.0 BC4 same bug in other locations

Elasticsearch version: 7.5.0 BC4 same bug in other locations

Server OS version: darwin_x86_64

Browser version: chrome latest

Browser OS version: OS X

Original install method (e.g. download page, yum, from source, etc.): from staging

Describe the bug: User cannot save a filter if she tries to use ip value with CIDR notation value.

Steps to reproduce:

1. Ingest documents into ES with the following mapping and create index pattern in Kibana

PUT ip_addr
{
 "mappings": {
   "properties": {
     "ip_addr": {
       "type": "ip"
     }
   }
 }
}

PUT ip_addr/_doc/1
{
  "ip_addr": "196.168.1.1"
}

PUT ip_addr/_doc/2
{
  "ip_addr": "196.168.2.1"
}

Check to make sure this search works:

GET ip_addr/_search
{
  "query": {
    "term": {
      "ip_addr": "196.168.0.0/16"
    }
  }
}

2. Create index pattern in Kibana, go to discover ensure that documents are showing up and search works on ip_addr

3. Create a filter and pick ip_addr and try to give the value of 196.168.0.0/16

4. You cannot save the filter

5. Give the IP value without CIDR notation and then edit the query DSL in the filter and input 196.168.0.0/16

6. Kibana saves the filter

Screenshots (if relevant):

[elasticmachine]

Pinging @elastic/kibana-app (Team:KibanaApp)

[elasticmachine]

Pinging @elastic/kibana-app-arch (Team:AppArch)

[jamesharr]

This is a limitation/frustration I'm having with the user-interface as well. I'm running 7.9.0, but this has been around for a while.

I find myself throwing junk values into the UI-based filter, saving, then going in and editing the DSL to be what I actually want and it works.

Additionally, IPv6 addresses are not recognized. Same thing - you can toss in junk IPv4 values to get a DSL structure, then edit IPv6 in place.

It's worth noting that I've verified from my side that Kibana sees the data type as ip and that server-side data-type is ip as well. If you're targeting any sort of network use-cases, having CIDR-based searches is kind of an expectation.

[jgregmac]

I, too, would like to see this issue addressed.

Our Security Operations team makes use of the filtering UI in Kibana, and have been frustrated that they cannot do a CIDR search without dropping back to Lucene/KQL. It confuses them, especially since all of the training they took on Kibana emphasized the use of the filtering UI.

This seems like a simple fix that will net significant productivity gains for people using the Elastic Stack for SIEM and network operations use cases.

-Greg Mackinnon
Yale University

[toddferg]

Work around Gif added:

[cstegm]

This is still an issue, while toddfergs workaround works very well....

[elasticmachine]

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

[elasticmachine]

Pinging @elastic/kibana-visualizations (Team:Visualizations)

[ghudgins]

linking a solution in the controls project #184900