Continuing the discussion from Convert a field from string to ip type:
"version" : {
"number" : "2.1.1",
"build_hash" : "40e2c53a6b6c2972b3d13846e450e66f4375bd71",
"build_timestamp" : "2015-12-15T13:05:55Z",
"build_snapshot" : false,
"lucene_version" : "5.3.1"
},
I was banging my head on this and I figured out that my template was set correctly however, I keep'd getting errors in logstash.log.
"_type"=>"logs", "_id"=>"AVJg2HO78OTigFwDifPm", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [client_ip]", "caused_by"=>{"type"=>"number_format_exception", "reason"=>"For input string: "154.250.241.254""}}}}, :level=>:warn}
this was after enabling the type in the template:
"client_ip": {
"type": "ip",
"store": true
},
What I got is that an ip string was not wanted but a some other type. I converted it to decimal and it worked. I am not sure of the issue as I looked through (not an experienced java developer ): https://github.com/elastic/elasticsearch/blob/b6c9eaa24ad314afc83577c4ce3c2eb6798b64bf/core/src/main/java/org/elasticsearch/index/mapper/ip/IpFieldMapper.java
Since client that is generating the logs is written in python I added this method to solve my problem. Not sure why string would through the error.
def ip2int(addr):
return struct.unpack("!I", socket.inet_aton(addr))[0]
Thanks in advance.