Logstash.conf

input {
	http{ }
}

filter {
        elasticsearch {
	  hosts => ["127.0.0.1:9200"]
	  index => "logstash-*"
	  query_template => "search-by-ip.json"
          fields => {
                  "id"  => "[suscriberid]"
          }
        }
  }


output {
  stdout { codec => rubydebug }
}

-----------------
search-by-ip.json

{
  "size": 1,
  "query": { "match":{"IP": %{[ip]} } }
}
-------------------
testcase.sh

curl -XPOST "localhost:8080" -H "Content-Type: application/json" -d '{
  "size": 1,
  "query": { "match":{"ip": "192.168.1.4" }}
}'