Beats Default Template Mappings for IP Fields

Micah_Hunsberger · August 1, 2018, 7:23pm

I've noticed that a lot of the beats default templates have IP fields as the keyword datatype. Since elasticsearch supports an ip datatype, which makes subnet mask filtering/searching really handy, I would think you would want to map these fields as type ip.

Is there a reason for loading it as a keyword type? I'm thinking about manually editing the template, but if there is a resiliency reason for not mapping as ip I would like to know.

Here are some examples:
filebeat iis access.server_ip access.remote_ip

filebeat apache2 access.server_ip access.remote_ip

packetbeat ip client_ip real_ip

An exception:
heartbeat's monitor.ip

thanks

exekias · August 2, 2018, 8:31am

Hi @Micah_Hunsberger,

This is a good point, I think the main reason is the type was not around when these modules were created. Could you please open an issue in Github to make use of it? As this is a breaking change we would need to introduce it in 7.0.

Best regards

Micah_Hunsberger · August 2, 2018, 3:47pm

Thanks,
for anyone following this conversation, here's the link to the issue: https://github.com/elastic/beats/issues/7847

system · August 30, 2018, 5:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.