Hi all, how do I have to do the field mapping in my index template to map the logstash output, which is grokked as "IPORHOST" ? Mapping as IP drops all results with a hostname ('xyz' is not an IP string literal.). So I need some kind of "IP or text" mapping. Is this possible??

Elastic 6.3 Field mapping of "IPORHOST"

MarcusCaepio July 10, 2018, 9:43am 3

Imho that are 2 different questions but anyway, I solved this question by splitting the "IPORHOST" pattern into e.g. (?:%{IP:src_ip}|%{HOSTNAME:src_hostname})

1 Like

Topic		Replies	Views
Can't get a field type IP Logstash	12	7159	July 6, 2017
IP getting mapped as string Elasticsearch	4	2175	June 2, 2017
Mapping questions Elasticsearch	2	890	July 5, 2017
Can't get IP as index pattern Kibana	9	1838	July 6, 2017
"does not contain any of the following compatible field types: ip" Kibana	9	906	May 11, 2020

Elasticsearch is a trademark of Elasticsearch BV, registered in the U.S. and in other countries
Trademarks
Terms
Privacy
Brand
Code of Conduct

Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.

Elastic 6.3 Field mapping of "IPORHOST"

Related topics