|Applies To||RSA Security Analytics|
|Issue||"Invalid query. Please verify" error in RSA Security Analytics investigations when using "begins" or "ends" for IP addresses.|
When using the begins or ends clause in the Investigation UI to filter by IP address (i.e. Source IP Address) you get the following error: Invalid query. Please verify.
|Cause||This error in an RSA Security Analytics investigation occurs because the "begins" and "ends" clauses are meant for text values. Because IP addresses are stored as IPv4/IPv6 value types, the clauses would not be applicable.|
The solution is to use the "=" clause with a CIDR notation. For example, to filter by source IP addresses that begin with "10.10", the entry below would be used.
This will match the first 2 octets, i.e: 10.10
|Legacy Article ID||a66433|