How to change IP fields datatype to ip from keyword in packetbeat 6.x

sohaibomr · February 21, 2019, 10:52am

Currently in packetbeat 6.x all the ip fields are indexed as datatype keyword in the elasticsearh. How can I change the default type of ip?

As suggested in below this issue I have tried to change the datatype using ingest pipeline or beats processor but I couldn't make it work.
Thanks

andrewkroh · February 21, 2019, 1:59pm

The data types are controlled by the Elasticsearch index template. Packetbeat provides its own when it first connects to Elasticsearch. But you could customize it.

packetbeat help export template
packetbeat export template --es.version=6.6.0 > packetbeat-6.6.0-template.json
Set the "type": "ip" for ip and client_ip.
Install the template to Elasticsearch as per this instructions here.

The template is used to define the mapping for newly created indices. So it won't affect any existing indices (you can delete them if you don't mind losing the data).

You can validate the mappings with:

GET packetbeat-*/_mapping/field/client_ip
GET packetbeat-*/_mapping/field/ip

And you'll want to see something like:

  "packetbeat-6.6.0-2019.02.21" : {
    "mappings" : {
      "doc" : {
        "client_ip" : {
          "full_name" : "client_ip",
          "mapping" : {
            "ip" : {
              "type" : "ip"
            }
          }
        }
      }
    }
  },

webmat · February 21, 2019, 2:33pm

Note that with the upcoming release of Elastic Stack 7.0, most of the IP fields will have moved to the ip datatype, during the transition to the Elastic Common Schema.

sohaibomr · February 22, 2019, 9:50am

Thank you
It works.

system · March 22, 2019, 9:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.