Hi all, how do I have to do the field mapping in my index template to map the logstash output, which is grokked as "IPORHOST" ? Mapping as IP drops all results with a hostname ('xyz' is not an IP string literal.). So I need some kind of "IP or text" mapping. Is this possible??

Imho that are 2 different questions but anyway, I solved this question by splitting the "IPORHOST" pattern into e.g. (?:%{IP:src_ip}|%{HOSTNAME:src_hostname})

Elastic 6.3 Field mapping of "IPORHOST"

Elastic Stack Elasticsearch

warkolm (Mark Walkom) July 10, 2018, 9:17am 2

It's easier to help if you don't create multiple topics on the same question. Let's keep things going here Keywords for IP fields?

Topic		Replies	Views
Can I grok out the host field if its not a valid IP? Also, what is the host field? Logstash	2	642	March 20, 2018
IP type being incorrectly indexed and mapped as string Elasticsearch	1	543	March 8, 2017
This really helped me on Elastic with Logstash 8.x Elasticsearch	1	173	July 10, 2023
Where is the object mapping for [host] defined? Elasticsearch ecs-elastic-common-schema	15	3084	September 13, 2021
Keywords for IP fields? Elasticsearch	2	1345	August 7, 2018

Elastic 6.3 Field mapping of "IPORHOST"

Related topics