Beats Default Template Mappings for IP Fields

Micah_Hunsberger · August 1, 2018, 7:23pm

I've noticed that a lot of the beats default templates have IP fields as the keyword datatype. Since elasticsearch supports an ip datatype, which makes subnet mask filtering/searching really handy, I would think you would want to map these fields as type ip.

Is there a reason for loading it as a keyword type? I'm thinking about manually editing the template, but if there is a resiliency reason for not mapping as ip I would like to know.

Here are some examples:
filebeat iis access.server_ip access.remote_ip

filebeat apache2 access.server_ip access.remote_ip

packetbeat ip client_ip real_ip

An exception:
heartbeat's monitor.ip

thanks

exekias · August 2, 2018, 8:31am

Hi @Micah_Hunsberger,

This is a good point, I think the main reason is the type was not around when these modules were created. Could you please open an issue in Github to make use of it? As this is a breaking change we would need to introduce it in 7.0.

Best regards

Micah_Hunsberger · August 2, 2018, 3:47pm

Thanks,
for anyone following this conversation, here's the link to the issue: https://github.com/elastic/beats/issues/7847

system · August 30, 2018, 5:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Beat Event Field "IP datatype" Beats beats-development	5	672	June 19, 2018
How to change IP fields datatype to ip from keyword in packetbeat 6.x Beats packetbeat	4	423	March 22, 2019
Search for IP address does not return results Kibana docker	7	2965	May 25, 2020
Nginx module and keyword fields Beats filebeat	3	978	November 30, 2017
From filebeat.template.json to fields.yml Beats filebeat	5	2010	June 5, 2018

Beats Default Template Mappings for IP Fields

Related topics