Not sure how to handle this.
I have this in my index template:
In logstash I have this:
type => "weblogs"
port => "9999"
Now on a production server "host" is always a valid IP address, but if Im running a logstash container locally and sending data to it from the host (my laptop) the "host" field is populated as "gateway" for some reason.
I was thinking about groking out the host field if it is not a valid IP, but then i realized I don't even know how this field gets in there. Is this a field logstash injects? it seems to be. And if its always just the IP or hostname of the server I suppose there is no real value to casting it as an IP anyway.