Elastic 6.3 Field mapping of "IPORHOST"


Hi all,
How do I have to do the field mapping in my index template to map the Logstash output, which is grokked as "IPORHOST"? Mapping as IP drops all results with a hostname ('xyz' is not an IP string literal.). So I need some kind of "IP or text" mapping. Is this possible?

(Mark Walkom) #2

It's easier to help if you don't create multiple topics on the same question. Let's keep things going here: Keywords for IP fields?


IMHO those are 2 different questions, but anyway, I solved this question by splitting the "IPORHOST" pattern into e.g. (?:%{IP:src_ip}|%{HOSTNAME:src_hostname})
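
An index template to go with the split fields from the reply above, as an added example that is not part of the original thread: `src_ip` gets the strict `ip` type and `src_hostname` is stored as `keyword`, so a hostname no longer causes the document to be rejected. The template name, the `logstash-*` index pattern, the `order` value and the `doc` type name (the Logstash 6.x default) are assumptions.

```json
# Added example (Kibana Console syntax). Assumed: template name,
# index pattern, order, and the "doc" mapping type.
PUT _template/iporhost_split
{
  "index_patterns": ["logstash-*"],
  "order": 1,
  "mappings": {
    "doc": {
      "properties": {
        "src_ip":       { "type": "ip" },
        "src_hostname": { "type": "keyword" }
      }
    }
  }
}
```

Keep `%{IP:...}` first in the grok alternation: `%{HOSTNAME}` also matches dotted-decimal strings, so the reverse order would put addresses into the keyword field and leave `src_ip` empty.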
