Can I grok out the host field if its not a valid IP? Also, what is the host field?

red888 · February 19, 2018, 7:06pm

Not sure how to handle this.

I have this in my index template:
"host": {
"type": "IP"
},

In logstash I have this:
input {
tcp {
type => "weblogs"
port => "9999"
}
}

Now on a production server "host" is always a valid IP address, but if Im running a logstash container locally and sending data to it from the host (my laptop) the "host" field is populated as "gateway" for some reason.

I was thinking about groking out the host field if it is not a valid IP, but then i realized I don't even know how this field gets in there. Is this a field logstash injects? it seems to be. And if its always just the IP or hostname of the server I suppose there is no real value to casting it as an IP anyway.

magnusbaeck · February 20, 2018, 8:19pm

It's the tcp input that populates the host field. IIRC the hostname is used if available, otherwise you get an IP address.

system · March 20, 2018, 8:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logs being tagged with IP instead of hostname Logstash	1	336	March 22, 2018
Host variable replaced, but not configured to be Logstash	4	1182	July 6, 2017
Elastic 6.3 Field mapping of "IPORHOST" Elasticsearch	3	555	August 7, 2018
Display hostname instead of 127.0.0.1 Logstash	2	841	January 1, 2019
IP Field contained invalid IP address or hostname with geoip filter Logstash	5	2794	July 6, 2017

Can I grok out the host field if its not a valid IP? Also, what is the host field?

Related topics