Changing Elasticsearch template to accommodate ip and geoip fields

My current index template for the Elastic Stack (v6.2) is as follows:

{
"template": "log*",
"settings": {
	"number_of_shards": 2
},
"mappings": {
	"_default_": {
		"dynamic_templates": [{
			"date_fields": {
				"mapping": {
					"format": "dateOptionalTime",
					"doc_values": true,
					"type": "date"
				},
				"match": "*",
				"match_mapping_type": "date"
			}
		}, {
			"byte_fields": {
				"mapping": {
					"doc_values": true,
					"type": "byte"
				},
				"match": "*",
				"match_mapping_type": "byte"
			}
		}, {
			"double_fields": {
				"mapping": {
					"doc_values": true,
					"type": "double"
				},
				"match": "*",
				"match_mapping_type": "double"
			}
		}, {
			"float_fields": {
				"mapping": {
					"doc_values": true,
					"type": "float"
				},
				"match": "*",
				"match_mapping_type": "float"
			}
		}, {
			"integer_fields": {
				"mapping": {
					"doc_values": true,
					"type": "integer"
				},
				"match": "*",
				"match_mapping_type": "integer"
			}
		}, {
			"long_fields": {
				"mapping": {
					"doc_values": true,
					"type": "long"
				},
				"match": "*",
				"match_mapping_type": "long"
			}
		}, {
			"short_fields": {
				"mapping": {
					"doc_values": true,
					"type": "short"
				},
				"match": "*",
				"match_mapping_type": "short"
			}
		}, {
			"string_fields": {
				"mapping": {
					"index": "not_analyzed",
					"omit_norms": true,
					"doc_values": true,
					"type": "string"
				},
				"match": "*",
				"match_mapping_type": "string"
			}
		}],
		"properties": {
			"@version": {
				"index": "not_analyzed",
				"doc_values": true,
				"type": "string"
			}
		},
		"_all": {
			"enabled": true
		}
	}
},
"aliases": {}
}

And when I do a

GET log_name/_mapping

the output is this:

{
"log-2018-04-03": {
	"mappings": {
		"doc": {
			"dynamic_templates": [{
					"message_field": {
						"path_match": "message",
						"match_mapping_type": "string",
						"mapping": {
							"norms": false,
							"type": "text"
						}
					}
				},
				{
					"string_fields": {
						"match": "*",
						"match_mapping_type": "string",
						"mapping": {
							"fields": {
								"keyword": {
									"ignore_above": 256,
									"type": "keyword"
								}
							},
							"norms": false,
							"type": "text"
						}
					}
				}
			],
			"properties": {
				"@timestamp": {
					"type": "date"
				},
				"@version": {
					"type": "keyword"
				},
				"bytesReceived": {
					"type": "long"
				},
				"bytesSent": {
					"type": "long"
				},
				"clientIP": {
					"type": "text",
					"norms": false,
					"fields": {
						"keyword": {
							"type": "keyword",
							"ignore_above": 256
						}
					}
				},
				"device": {
					"type": "text",
					"norms": false,
					"fields": {
						"keyword": {
							"type": "keyword",
							"ignore_above": 256
						}
					}
				},
				"geoip": {
					"dynamic": "true",
					"properties": {
						"ip": {
							"type": "ip"
						},
						"latitude": {
							"type": "half_float"
						},
						"location": {
							"type": "geo_point"
						},
						"longitude": {
							"type": "half_float"
						}
					}
				},
				"message": {
					"type": "text",
					"norms": false
				},
				"name": {
					"type": "text",
					"norms": false,
					"fields": {
						"keyword": {
							"type": "keyword",
							"ignore_above": 256
						}
					}
				},
				"os": {
					"type": "text",
					"norms": false,
					"fields": {
						"keyword": {
							"type": "keyword",
							"ignore_above": 256
						}
					}
				},
				"referer": {
					"type": "text",
					"norms": false,
					"fields": {
						"keyword": {
							"type": "keyword",
							"ignore_above": 256
						}
					}
				},
				"response": {
					"type": "text",
					"norms": false,
					"fields": {
						"keyword": {
							"type": "keyword",
							"ignore_above": 256
						}
					}
				},
				"timetaken": {
					"type": "long"
				},
				"type": {
					"type": "text",
					"norms": false,
					"fields": {
						"keyword": {
							"type": "keyword",
							"ignore_above": 256
						}
					}
				},
				"uriStem": {
					"type": "text",
					"norms": false,
					"fields": {
						"keyword": {
							"type": "keyword",
							"ignore_above": 256
						}
					}
				}
			}
		},
		"_default_": {
			"dynamic_templates": [{
					"message_field": {
						"path_match": "message",
						"match_mapping_type": "string",
						"mapping": {
							"norms": false,
							"type": "text"
						}
					}
				},
				{
					"string_fields": {
						"match": "*",
						"match_mapping_type": "string",
						"mapping": {
							"fields": {
								"keyword": {
									"ignore_above": 256,
									"type": "keyword"
								}
							},
							"norms": false,
							"type": "text"
						}
					}
				}
			],
			"properties": {
				"@timestamp": {
					"type": "date"
				},
				"@version": {
					"type": "keyword"
				},
				"geoip": {
					"dynamic": "true",
					"properties": {
						"ip": {
							"type": "ip"
						},
						"latitude": {
							"type": "half_float"
						},
						"location": {
							"type": "geo_point"
						},
						"longitude": {
							"type": "half_float"
						}
					}
				}
			}
		}
	}
}
}

So how should I change this template to accommodate ip and geoip fields in the field mappings? Or should I change my Logstash configuration file instead? (After some digging, I found out that fields cannot be mapped from Logstash's configuration file.) Currently IPs are treated as strings in my Elastic Stack; for example, clientIP in the mapping above is typed as text with a keyword sub-field rather than as ip.
