Suppose I want to map my ClientIP field to an ECS field; what is the approach?
The ClientIP field is already created in the index. Can I map it to an ECS field if the ClientIP field is already created?
Take a look at the alias datatype.
PUT siem-test
{
  "mappings": {
    "properties": {
      "ClientIP": {
        "type": "text"
      },
      "client.ip": {
        "type": "alias",
        "path": "ClientIP"
      },
      "transit_mode": {
        "type": "keyword"
      }
    }
  }
}
I am getting the following error:
{
  "error": {
    "root_cause": [
      {
        "type": "resource_already_exists_exception",
        "reason": "index [siem-test/GQN9k-6YSpuaCrU0DrdACg] already exists",
        "index_uuid": "GQN9k-6YSpuaCrU0DrdACg",
        "index": "siem-test"
      }
    ],
    "type": "resource_already_exists_exception",
    "reason": "index [siem-test/GQN9k-6YSpuaCrU0DrdACg] already exists",
    "index_uuid": "GQN9k-6YSpuaCrU0DrdACg",
    "index": "siem-test"
  },
  "status": 400
}
You have to update the mappings; you cannot recreate the index unless you want to delete it.
PUT siem-test/_mappings
{
  "properties": {
    "client.ip": {
      "type": "alias",
      "path": "ClientIP"
    }
  }
}
Thank you @spinscale for your help.
But I am getting the below error now:
{
  "error": {
    "root_cause": [
      {
        "type": "illegal_argument_exception",
        "reason": "mapper [client] of different type, current_type [text], merged_type [ObjectMapper]"
      }
    ],
    "type": "illegal_argument_exception",
    "reason": "mapper [client] of different type, current_type [text], merged_type [ObjectMapper]"
  },
  "status": 400
}
Thank you @spinscale, it worked now.
PUT siem-test/_mappings
{
  "properties": {
    "client.ip": {
      "type": "alias",
      "path": "ClientIP.keyword"
    }
  }
}
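To see why the first `_mappings` update failed and the second went through, here is an added example (not code from the thread or from Elastic) that checks an alias mapping against an index's existing `properties` offline: the alias target must resolve to a concrete field (walking into multi-field `fields` for `ClientIP.keyword`), and no parent of the dotted alias name may already exist as a non-object leaf, which is exactly the `mapper [client] of different type` rejection above. The `EXISTING_PROPERTIES` dict is a constructed stand-in for what `GET siem-test/_mapping` would return.

```python
from typing import Optional

# Constructed stand-in for mappings.properties of the siem-test index.
EXISTING_PROPERTIES = {
    "ClientIP": {
        "type": "text",
        "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
    },
    "transit_mode": {"type": "keyword"},
}


def resolve_field(properties: dict, path: str) -> Optional[dict]:
    """Follow a dotted path through object `properties` and multi-field `fields`."""
    node, props = None, properties
    for part in path.split("."):
        if props is None or part not in props:
            return None
        node = props[part]
        props = node.get("properties") or node.get("fields")
    return node


def alias_mapping_errors(properties: dict, alias: str, target: str) -> list:
    """Return the problems Elasticsearch would raise for alias -> target, or []."""
    errors = []
    # 1. The alias path must point at an existing concrete (leaf) field.
    tgt = resolve_field(properties, target)
    if tgt is None:
        errors.append(f"path [{target}] does not exist")
    elif tgt.get("type") in (None, "object", "alias"):
        errors.append(f"path [{target}] is not a concrete field")
    # 2. A dotted alias name such as client.ip implies an object called "client";
    #    an existing leaf field of that name cannot be merged into an object.
    parts = alias.split(".")
    for depth in range(1, len(parts)):
        parent = ".".join(parts[:depth])
        node = resolve_field(properties, parent)
        if node is not None and node.get("type") not in (None, "object"):
            errors.append(
                f"mapper [{parent}] of different type, current_type "
                f"[{node['type']}], merged_type [ObjectMapper]"
            )
    return errors


def alias_mapping_body(alias: str, target: str) -> dict:
    """Body for PUT <index>/_mappings that adds the alias without reindexing."""
    return {"properties": {alias: {"type": "alias", "path": target}}}
```

Run the checks against your real `GET <index>/_mapping` output before issuing the `PUT _mappings`; a non-empty result means the request will be rejected with status 400.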
Hi @spinscale, the field name got renamed, but even then it does not show up in the SIEM app of Elastic.
Sorry, I am not a heavy SIEM user (yet); you may want to ask this specific question in the SIEM category.
--Alex