Beats Default Template Mappings for IP Fields

Micah_Hunsberger · August 1, 2018, 7:23pm

I've noticed that a lot of the beats default templates have IP fields as the keyword datatype. Since elasticsearch supports an ip datatype, which makes subnet mask filtering/searching really handy, I would think you would want to map these fields as type ip.

Is there a reason for loading it as a keyword type? I'm thinking about manually editing the template, but if there is a resiliency reason for not mapping as ip I would like to know.

Here are some examples:
filebeat iis access.server_ip access.remote_ip

filebeat apache2 access.server_ip access.remote_ip

packetbeat ip client_ip real_ip

An exception:
heartbeat's monitor.ip

thanks

exekias · August 2, 2018, 8:31am

Hi @Micah_Hunsberger,

This is a good point, I think the main reason is the type was not around when these modules were created. Could you please open an issue in Github to make use of it? As this is a breaking change we would need to introduce it in 7.0.

Best regards

Micah_Hunsberger · August 2, 2018, 3:47pm

Thanks,
for anyone following this conversation, here's the link to the issue: https://github.com/elastic/beats/issues/7847

system · August 30, 2018, 5:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Beat Event Field "IP datatype" Beats beats-development	5	698	June 19, 2018
How to change IP fields datatype to ip from keyword in packetbeat 6.x Beats packetbeat	4	446	March 22, 2019
Turn Packetbeat IP data from String to IP field type Logstash	5	1949	July 6, 2017
IP getting mapped as string Elasticsearch	4	2180	June 2, 2017
Index ignoring template Elasticsearch	2	1060	January 19, 2018

Beats Default Template Mappings for IP Fields

Related topics