EQL cidrmatch issue

hello guys, I created an eql rule for ssh access I wanna match multiple IP ranges but I get this error that the destination.ip field is text and not IP can you please suggest me another way to do that. here's my query {
sequence with maxspan=15m [any where cidrmatch(destination.ip, "", "", "", "", "", "", "", "") and destination.port==22 and event.action=="Allow" ] [any where source.ip not in ("" , "" , "", "","")] }
and here's the error I get :
must be [ip], found value [destination.ip] type [text]

The only workaround I see is to have a filtering with OR and regex to express this cidrmatch, and be aware that this would most probably be significantly slower than a cidrmatch on IP fields.

The best solution is to reindex your data using the correct mapping (data types for your fields).

yeah I used runtime field and it works now thank you.

Nice, haven't thought of that workaround.