Changing mapping type to IP

Hi everyone, I have a Cisco ASA Firewall sending logs to ES through Logstash. I noticed that a couple of fields are defined as text. Can you please guide me on how I can change them into IP type? Following is the mapping; I need to change the type of the "dst_ip" field.

GET logstash-ciscoasa*/_mapping
{
  "logstash-ciscoasa-2019.06" : {
    "mappings" : {
      "dynamic_templates" : [
        {
          "message_field" : {
            "path_match" : "message",
            "match_mapping_type" : "string",
            "mapping" : {
              "norms" : false,
              "type" : "text"
            }
          }
        },
        {
          "string_fields" : {
            "match" : "*",
            "match_mapping_type" : "string",
            "mapping" : {
              "fields" : {
                "keyword" : {
                  "ignore_above" : 256,
                  "type" : "keyword"
                }
              },
              "norms" : false,
              "type" : "text"
            }
          }
        }
      ],
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        },
        "@version" : {
          "type" : "keyword"
        },
        "action" : {
          "type" : "text",
          "norms" : false,
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "cisco_message" : {
          "type" : "text",
          "norms" : false,
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },
        "dst_ip" : {
          "type" : "text",
          "norms" : false,
          "fields" : {
            "keyword" : {
              "type" : "keyword",
              "ignore_above" : 256
            }
          }
        },

Here is a keyword field where I added IP mapping in the template:

"mappings": {
  "doc": {
    "properties" : {
      "ip_address" : {
        "type" : "keyword",
        "fields" : {
          "ip" : {
            "type" : "ip"
          }
        }
      }
    }
  }
}

So ip_address is a keyword and ip_address.ip is mapped as ip.
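An added example, not code from either post: the type of an existing field cannot be changed in place, so a template mapping for "dst_ip" only takes effect on indices created after it is installed, and an `ip` field rejects any document whose value is not an IPv4 or IPv6 address. The sketch below builds a template body for either variant (plain `ip`, or the reply's keyword with an `ip` sub-field) and pre-checks events for values that would be rejected. The typeless 7.x template form, the `order` value and the sample events are assumptions made for illustration.

```python
import ipaddress

def ip_property(keep_keyword):
    """Mapping for one address field."""
    if keep_keyword:
        # Variant from the reply: keyword parent with an "ip" sub-field.
        return {"type": "keyword", "fields": {"ip": {"type": "ip"}}}
    return {"type": "ip"}

def ip_template(pattern, fields, keep_keyword=False):
    """Body for a legacy index template (PUT _template/<name>), typeless form (assumed 7.x)."""
    return {
        "index_patterns": [pattern],
        # Assumed value: a higher order wins over lower-order templates
        # that match the same index.
        "order": 1,
        # Explicit properties take precedence over the "string_fields"
        # dynamic template shown in the question.
        "mappings": {"properties": {f: ip_property(keep_keyword) for f in fields}},
    }

def unmappable(events, fields):
    """Return (event index, field, value) for values an ip field cannot parse."""
    bad = []
    for i, event in enumerate(events):
        for f in fields:
            value = event.get(f)
            if value is None:
                continue  # missing or null values are not indexed, so they are fine
            try:
                if not isinstance(value, str):
                    raise ValueError("not a string")
                ipaddress.ip_address(value)
            except ValueError:
                bad.append((i, f, value))
    return bad

# Constructed sample events (not real firewall output).
SAMPLE_EVENTS = [
    {"dst_ip": "10.1.20.15", "action": "Built"},
    {"dst_ip": "2001:db8::10", "action": "Teardown"},
    {"dst_ip": "mail-gw", "action": "Deny"},      # a name, not an address
    {"dst_ip": "192.0.2.300", "action": "Deny"},  # octet out of range
    {"action": "Deny"},                           # field absent
]

if __name__ == "__main__":
    print(ip_template("logstash-ciscoasa-*", ["dst_ip"]))
    print(unmappable(SAMPLE_EVENTS, ["dst_ip"]))
```

Python's `ipaddress` parser is used here as an approximation of what Elasticsearch accepts; values flagged by `unmappable` need cleaning in Logstash before the stricter mapping is used.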
