Efficient way to determine IP version (v4 vs. v6)?

Is there an efficient way in a Logstash pipeline to take a field with an IP in it, and determine whether that IP is v4 or v6?

The only way I can think to do it would involve at least two groks per IP (four per doc for source and dest), plus a lot of checking if tags/fields exist and then removing them later. This pipeline needs to sustain about 10,000 documents/second, so efficiency is important.

All I need is to know if the IP is v6, so I can skip a section of the pipeline that errors out with v6 IPs. A very small percentage of the documents have v6 IPs.

(I suppose I could hack it by just checking for the existence of ":" in the IP field, but it seems like this should be an easy thing to do "properly")

I don't think you need two groks per IP. If it is not V6 then it is going to be V4, right?

Personally I would do this by checking for a colon in the address. I don't think that is a hack.

Yeah, leaning towards checking for :
Going to try a ruby filter to avoid regexes/grok

ruby {
  code =>"
  event['src.isv6'] = ( event['src.ip'][0,5][':'] == ":" )

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.