how to use mutate add_field check client_ip version v4 or v6?
if ['client_ip'].length >15 { mutate{ add_field => { "ip_type" => "ipv6" } } } else { mutate{ add_field => { "ip_type" => "ipv4" } } }
if ['client_ip'].length >15
That kind of function does not exist. You'd either use Ruby
ruby {
  code => "
    if event.get('client_ip').length > 15 then
      event.set('ip_type', 'ipv6')
    else
      event.set('ip_type', 'ipv4')
    end
  "
}
or a regular expression:
if [client_ip] =~ /.{16}/ {
  mutate { add_field => { "ip_type" => "ipv6" } }
} else {
  mutate { add_field => { "ip_type" => "ipv4" } }
}
Not convinced a length check will work. What about :: or ::1, which are valid V6 addresses but short? Perhaps check
if [client_ip] =~ /:/
V6 addresses are delimited using colon, V4 addresses using a period.
Yeah, it is solved.
logstash 【6.2】
if [client_ip] =~ ".:." {
  mutate {
    add_field => { "ip_type" => "ipv6" }
  }
} else {
  mutate {
    add_field => { "ip_type" => "ipv4" }
  }
}
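Parsing the value, rather than testing its length or looking for a colon, also handles short addresses such as :: and ::1 and values that are not addresses at all. The following is an added example, not code from any poster in this thread: it uses Ruby's standard-library IPAddr class on constructed sample values. The names classify_ip, by_length, by_colon and compare are hypothetical, and reporting IPv4-mapped addresses as ipv4 is an assumption.

```ruby
require 'ipaddr'

# Classify a field value as 'ipv4', 'ipv6' or 'invalid' by parsing it
# with Ruby's standard IPAddr class instead of guessing from its shape.
def classify_ip(value)
  return 'invalid' unless value.is_a?(String)
  text = value.strip
  # IPAddr also accepts prefixes such as "10.0.0.0/8"; a client address
  # field should hold a single host, so reject those up front.
  return 'invalid' if text.empty? || text.include?('/')
  addr = IPAddr.new(text)
  # Design choice (assumption): ::ffff:a.b.c.d is an IPv4 client seen
  # through a dual-stack listener, so report it as ipv4.
  return 'ipv4' if addr.ipv4? || addr.ipv4_mapped?
  'ipv6'
rescue IPAddr::Error
  'invalid' # not an address at all: "-", "unknown", "host:port", ...
end

# The two heuristics discussed in the thread, kept for comparison.
def by_length(value)
  value.to_s.length > 15 ? 'ipv6' : 'ipv4'
end

def by_colon(value)
  value.to_s.include?(':') ? 'ipv6' : 'ipv4'
end

# Constructed sample values (documentation address ranges).
SAMPLES = [
  '192.0.2.10', '::', '::1', '2001:db8::1',
  '2001:0db8:0000:0000:0000:0000:0000:0001',
  '::ffff:192.0.2.10', '192.0.2.10:8080', '999.1.1.1', '-', nil
].freeze

# One row per sample: [value, length check, colon check, parsed result].
def compare(samples = SAMPLES)
  samples.map { |v| [v, by_length(v), by_colon(v), classify_ip(v)] }
end

if __FILE__ == $PROGRAM_NAME
  compare.each { |row| puts row.map(&:inspect).join("\t") }
end
```

Inside a ruby filter the result would be stored with event.set('ip_type', classify_ip(event.get('client_ip'))); an 'invalid' value is worth keeping as its own ip_type so malformed or missing client addresses remain searchable.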
If you added an IP_TYPE field at the current point in time by modifying the logstash configuration file, how would you update this new field for earlier logs?
You would need to reindex the data.
After testing, it seems that reindex cannot solve the problem of displaying new fields.
What do you mean by that? You can definitely add fields with a reindex; it depends on what you want to do, though.