Different field types from same grok statement

probson · November 29, 2019, 12:01pm

Hi,

I use the below grok to convert the source.address to source.ip and convert from string to IP as part of the ECS.

I have firewall and IPS logs running through this. Prior to the grok i convert source.address to string so that all sources are the same. source.ip does not exist before this. The firewall and ips logs are indexed using the same index pattern.

The issue is that the firewall is correctly indexing as IP but the IPS logs are coming in as text and creating a conflict
.
Any idea as to why this might be happening? source.address is indexed as string.

if "source.address" {
  grok {
    match => [ "source.address", "(?:%{IP:source.ip}|%{GREEDYDATA:source.domain})" ]
    add_tag => [ "srcip" ]
  }
}

Thanks
Phil

probson · December 2, 2019, 3:11pm

After days of going in a loop i decided to look at the indices mapping. Issue is due to me pushing filebeat through logstash and using a logstash output to put the beats version into the index. I didnt have a template for 7.2.0 but had one for 7.4.2. I had originally pointed filebeat at ES to get the dashboards.

Sorted now.

system · December 30, 2019, 3:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.