Beat Event Field "IP datatype"

How do I add a Beat Event Field with the IP datatype?
fields.Put("client.ip", net.ParseIP(clientIP)) adds a string field...

You need to specify this mapping through an index template in Elasticsearch.

Beat creates the index template (if it’s not there already) based on fields.yml.
Could you tell me how the IP datatype should be defined there, please?

filebeat fields.yml has the following lines:
    fields:
      - name: remote_ip
        type: keyword
        description: >
          Client IP address.

I don’t think “keyword” type defines IP datatype...
Am I wrong about it?

You should use "type: ip". Here's an example in heartbeat: https://github.com/elastic/beats/blob/5a6630a8bc9b9caf312978f57d1d9193bdab1ac7/heartbeat/_meta/fields.common.yml#L46
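
An added example, not part of the original thread or of the Beats code base: once a field is mapped as `ip`, Elasticsearch rejects a document whose value is not a valid address unless `ignore_malformed` is set on the field, so the value is worth validating and normalizing before it goes into the event. The names `normalizeIP` and `setIPField` are hypothetical, and a plain map stands in for the Beat event fields.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// The field is assumed to be declared with "type: ip" in fields.yml.

// normalizeIP returns the canonical string form of a raw client address.
// It accepts "host:port", bracketed IPv6, zoned and IPv4-mapped input.
func normalizeIP(raw string) (string, error) {
	s := strings.TrimSpace(raw)
	// Strip a port if one is present ("1.2.3.4:80", "[::1]:80").
	if host, _, err := net.SplitHostPort(s); err == nil {
		s = host
	}
	s = strings.TrimSuffix(strings.TrimPrefix(s, "["), "]")
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return "", fmt.Errorf("not an IP address: %q", raw)
	}
	// Unmap ::ffff:a.b.c.d to a.b.c.d and drop any zone (fe80::1%eth0).
	return addr.Unmap().WithZone("").String(), nil
}

// setIPField writes key only when raw is a valid IP. fields is a plain
// map standing in for the Beat event fields (assumption).
func setIPField(fields map[string]interface{}, key, raw string) bool {
	ip, err := normalizeIP(raw)
	if err != nil {
		return false
	}
	fields[key] = ip
	return true
}

func main() {
	// Constructed sample inputs.
	for _, raw := range []string{"203.0.113.7:51234", "[2001:DB8::1]:443", "::ffff:10.0.0.5", "example.com:80"} {
		fields := map[string]interface{}{}
		ok := setIPField(fields, "client.ip", raw)
		fmt.Printf("%-22q ok=%-5v fields=%v\n", raw, ok, fields)
	}
}
```
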

Andrew,
A bit broader/general question:
Looks like string and long field types are recognized properly.
date type is recognized for @timestamp field only.
Does it mean all NOT (string OR long) field types need to be defined in fields.yml?
Thanks!

BTW: Not sure if this is a bug, but:
When a beat is compiled with github.com\elastic\beats from 05/19/18
@timestamp field is not recognized as date type when a new index pattern is created.
It does work properly with github.com\elastic\beats from 05/02/18

Don’t know where to report this...
