Elasticsearch fails to index events with a 400 error when attempting to parse an IPv6 address in the Azure Platform Pipeline:
"status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [source.ip] of type [ip] in document with id ''. Preview of field's value: '2405'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'2405' is not an IP string literal."}}}}}
Testing an IPv6 address against the IPORHOST pattern with https://grokdebug.herokuapp.com/ gives the same result: the first hex block of the IPv6 address is returned as the hostname.
To work around the issue specifically in the Azure ingest pipeline, %{IPV6} was added as the first check in the sequence, but the IPORHOST Grok pattern itself will need attention.
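The alternation-order problem behind this report, reproduced as an added Python example (not code from the report or from Elasticsearch). It assumes simplified stand-ins for the grok HOSTNAME, IPV4 and IPV6 definitions, that IPORHOST tries HOSTNAME before IP (the order the symptom implies), and that nothing after the field forces a longer match, so the HOSTNAME branch stops at the first colon.

```python
import ipaddress
import re

# Simplified stand-ins for the grok building blocks (assumption: the real
# grok definitions are longer and stricter, but the alternation shape is the same).
HOSTNAME = r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)"
IPV4 = r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
IPV6 = r"(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}"  # loose: also covers '::' compression
IP = rf"(?:{IPV6}|{IPV4})"

# Hostname tried first reproduces the report: "2405" is captured from an IPv6.
IPORHOST_HOST_FIRST = rf"(?:{HOSTNAME}|{IP})"
# IP sub-patterns tried first is the workaround of checking %{IPV6} before anything else.
IPORHOST_IP_FIRST = rf"(?:{IP}|{HOSTNAME})"


def extract_source(line, iporhost):
    """Apply '%{IPORHOST:source.ip}' to the leading token of a log line."""
    m = re.match(rf"(?P<source_ip>{iporhost})", line)
    return m.group("source_ip") if m else None


def is_ip_literal(value):
    """Mimic the Elasticsearch 'ip' field type: only real IP literals are accepted."""
    try:
        ipaddress.ip_address(value)
        return True
    except (ValueError, TypeError):
        return False


# Constructed sample lines, not taken from the original report.
SAMPLES = [
    "2405:0200:0000:0000:0000:0000:0000:0001 GET /index.html",
    "2405:200::1 GET /index.html",
    "10.1.2.3 GET /index.html",
    "web01.example.com GET /index.html",
]

if __name__ == "__main__":
    for line in SAMPLES:
        for name, pat in (("host-first", IPORHOST_HOST_FIRST), ("ip-first", IPORHOST_IP_FIRST)):
            value = extract_source(line, pat)
            print(f"{name:10} {value!r:45} accepted-by-ip-field={is_ip_literal(value)}")
```

Running it shows the host-first definition handing "2405" to the ip field (the value the mapper_parsing_exception above rejects), while the ip-first definition captures the whole address for both the expanded and the compressed forms.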