Currently in packetbeat 6.x all the ip fields are indexed as datatype keyword in the elasticsearh. How can I change the default type of ip?
As suggested in below this issue I have tried to change the datatype using ingest pipeline or beats processor but I couldn't make it work.
Thanks
The data types are controlled by the Elasticsearch index template. Packetbeat provides its own when it first connects to Elasticsearch. But you could customize it.
packetbeat help export templatepacketbeat export template --es.version=6.6.0 > packetbeat-6.6.0-template.json"type": "ip" for ip and client_ip.The template is used to define the mapping for newly created indices. So it won't affect any existing indices (you can delete them if you don't mind losing the data).
You can validate the mappings with:
GET packetbeat-*/_mapping/field/client_ip
GET packetbeat-*/_mapping/field/ip
And you'll want to see something like:
"packetbeat-6.6.0-2019.02.21" : {
"mappings" : {
"doc" : {
"client_ip" : {
"full_name" : "client_ip",
"mapping" : {
"ip" : {
"type" : "ip"
}
}
}
}
}
},
Note that with the upcoming release of Elastic Stack 7.0, most of the IP fields will have moved to the ip datatype, during the transition to the Elastic Common Schema.
Thank you 
It works.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.