Is there an efficient way in a Logstash pipeline to take a field with an IP in it, and determine whether that IP is v4 or v6?
The only way I can think to do it would involve at least two groks per IP (four per doc for source and dest), plus a lot of checking if tags/fields exist and then removing them later. This pipeline needs to sustain about 10,000 documents/second, so efficiency is important.
All I need is to know if the IP is v6, so I can skip a section of the pipeline that errors out with v6 IPs. A very small percentage of the documents have v6 IPs.
(I suppose I could hack it by just checking for the existence of ":" in the IP field, but it seems like this should be an easy thing to do "properly".)
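An added example, not part of the original post: Ruby, the language of Logstash's ruby filter, combining the cheap ":" test with a real parse via the standard `ipaddr` library, so colon-free values are never parsed and values with a colon are confirmed before being treated as IPv6. The field names `src_ip` and `dst_ip`, the function names and the sample events are assumptions made for illustration.

```ruby
require 'ipaddr'

# Full classification by parsing: :ipv4, :ipv6 or :invalid.
def ip_family(value)
  return :invalid unless value.is_a?(String)
  text = value.strip
  return :invalid if text.empty? || text.include?('/') # host addresses only, no CIDR
  addr = IPAddr.new(text)
  addr.ipv4? ? :ipv4 : :ipv6
rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
  :invalid
end

# Cheap test for the common case: every textual IPv6 address contains ":",
# so values without one are never parsed. Values with one are parsed to
# confirm, which rejects things like "192.0.2.1:443".
def ipv6_address?(value)
  return false unless value.is_a?(String) && value.include?(':')
  ip_family(value) == :ipv6
end

# Decide whether an event should bypass the IPv4-only section.
# `event` is a plain Hash here; in a Logstash ruby filter the values would
# come from event.get(field). Field names are hypothetical.
def skip_v4_only_section?(event, fields = %w[src_ip dst_ip])
  fields.any? { |f| ipv6_address?(event[f]) }
end

# Constructed sample events.
SAMPLE_EVENTS = [
  { 'src_ip' => '192.0.2.10',  'dst_ip' => '198.51.100.7' },
  { 'src_ip' => '2001:db8::1', 'dst_ip' => '198.51.100.7' },
  { 'src_ip' => '192.0.2.10',  'dst_ip' => '::ffff:192.0.2.1' }, # IPv4-mapped
  { 'src_ip' => '192.0.2.1:443', 'dst_ip' => 'not:an:ip' }      # colon, not IPv6
].freeze

def skip_decisions(events = SAMPLE_EVENTS)
  events.map { |e| skip_v4_only_section?(e) }
end

puts skip_decisions.inspect if __FILE__ == $PROGRAM_NAME
```

An IPv4-mapped address such as `::ffff:192.0.2.1` is reported as IPv6 because that is its textual family; whether the IPv4-only section can handle it depends on that section.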