diff --git a/_data-prepper/pipelines/cidrcontains.md b/_data-prepper/pipelines/cidrcontains.md
index 1e8b3fa396..8bd5ddf9a1 100644
--- a/_data-prepper/pipelines/cidrcontains.md
+++ b/_data-prepper/pipelines/cidrcontains.md
@@ -22,3 +22,82 @@ cidrContains('/client.ip', '192.168.0.0/16', '10.0.0.0/8') {% include copy.html %} This function returns `true` if the IP address matches any of the specified CIDR blocks or `false` if it does not.
+
+## Example
+
+The following pipeline drops any documents that are not part of the specified CIDR blocks:
+
+```yaml
+cidr-allowlist-pipeline:
+ source:
+ http:
+ path: /events
+ ssl: true
+ sslKeyCertChainFile: "certs/dp.crt"
+ sslKeyFile: "certs/dp.key"
+ processor:
+ - drop_events:
+ # Drop events whose client IP is NOT in specific CIDR allowlist
+ drop_when: 'not cidrContains(/client/ip, "10.0.0.0/8", "192.168.0.0/16", "fd00::/8")'
+ sink:
+ - opensearch:
+ hosts: ["https://opensearch:9200"]
+ insecure: true
+ username: admin
+ password: "admin_pass"
+ index_type: custom
+ index: "logs-%{yyyy.MM.dd}"
+```
+{% include copy.html %}
+
+You can test this pipeline using the following command:
+
+```bash
+curl -ksS -X POST "https://localhost:2021/events" \
+ -H "Content-Type: application/json" \
+ -d '[
+ {"client":{"ip":"10.23.45.6"},"msg":"allowed 10/8"},
+ {"client":{"ip":"8.8.8.8"},"msg":"should be dropped"},
+ {"client":{"ip":"fd00::1234"},"msg":"allowed ULA IPv6"}
+ ]'
+```
+{% include copy.html %}
+
+Only two documents are indexed:
+
+```json
+{
+ ...
+ "hits": {
+ "total": {
+ "value": 2,
+ "relation": "eq"
+ },
+ "max_score": 1,
+ "hits": [
+ {
+ "_index": "logs-2025.10.14",
+ "_id": "Ng1i4pkBLPEKXekW48BU",
+ "_score": 1,
+ "_source": {
+ "client": {
+ "ip": "10.23.45.6"
+ },
+ "msg": "allowed 10/8"
+ }
+ },
+ {
+ "_index": "logs-2025.10.14",
+ "_id": "Nw1i4pkBLPEKXekW48BU",
+ "_score": 1,
+ "_source": {
+ "client": {
+ "ip": "fd00::1234"
+ },
+ "msg": "allowed ULA IPv6"
+ }
+ }
+ ]
+ }
+}
+```
\ No newline at end of file