"does not contain any of the following compatible field types: ip"

Elastic Stack Kibana
1

How can I define IP? Accually I have both, IPv4 and IPv6, but looks like in Kibana can I use CIDR notation for IPv4 only, what in fact is fine. But my field name is like "layers.ip.ip_src" and I am goting error:

The index pattern pcap-* does not contain any of the following compatible field types: ip

I am using logstash config as in article Analyzing network packets with Wireshark, Elasticsearch, and Kibana | Elastic Blog

I guess that I need somehow define it in logstash, that field X is ip, but how? I am new in logstash (and in fact kibana and elastic too).

2

Hi,

It looks like your index mapping does not have the correct type.

You have to use the index template as said in the article. Simply upload the template through the console in dev tools in Kibana and configure filebeat with the same name it should work just fine.

3

I am using logstash without mapping, mapping is generated automatic.

Can I define ip field in logstash config? How?

4

Hi,
It appears that you aren't using the template and so the mapping created with your index is incorrect.

First of all you'll have to stop log ingestion ( logstash ). Then in order to change data types you'll have to either delete the existing index and or create a new one.

When you're ready to create your index use the developpers tools in Kibana menu and open the console.

When you're ready you can copy paste the actual code in the article

PUT _template/packets
{
  "template": "packets-*",
  "mappings": {
    "pcap_file": {
      "dynamic": "false",
      "properties": {
        "timestamp": {
          "type": "date"
        },
        "layers": {
          "properties": {
            "frame": {
              "properties": {
                "frame_frame_len": {
                  "type": "long"
                },
                "frame_frame_protocols": {
                  "type": "keyword"
                }
              }
            },
            "ip": {
              "properties": {
                "ip_ip_src": {
                  "type": "ip"
                },
                "ip_ip_dst": {
                  "type": "ip"
                }
              }
            },
            "udp": {
              "properties": {
                "udp_udp_srcport": {
                  "type": "integer"
                },
                "udp_udp_dstport": {
                  "type": "integer"
                }
              }
            }
          }
        }
      }
    }
  }
}
5

I can't do this on logstash level, somehow define? or I can't just update selected fields without downloading and uploading mapping? because my mapping is much richer than this from article…
I will need use this for future ELK deployment, so with manual update of mapping will need download it, edit and upload...

6

I'm not sure to fully understand the problem you are facing but you can't do this in logstash i might suggest you to just add the field and ip type to the existing template you are using ?

7

Accually I dont use any index template, it is generated by ELK when reading tshark json. Only thing which I would like to 'fix' is to change selected (I know name from Kibana) IPv4 field from string to IP. Addinional problem is that I have new index everyday, so probably best way is to somehow setup this in index pattern, but how?

8

Hi,
I would suggest you to take a look at this Convert a field from string to ip type

9

Will this solution works for dynamic generated mapping from tshark output (without mapping export, just Kibana learn it due import of jsons)?
Will it not overwrite any other fields, miss them etc?

It is not possible to do in logstash due import? Would be more easy...

10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.