Hi Elasticsearch Jedi Masters,
I have an Elasticsearch instance (ver 7.7.1) that is archiving network data. I also have an index template transforming the data type of the “IP.host” field from text string to IP address:
curl -X PUT "localhost:9200/_template/my_template" -H 'Content-Type: application/json' -d'
{
  "index_patterns": "myindex",
  "order": 1,
  "settings": {
    "index": {
      "refresh_interval": "5s"
    }
  },
  "mappings": {
    "properties": {
      "IP.host": {
        "type": "ip"
      }
    }
  }
}'
A colleague pointed out that my Elasticsearch will need to handle both IPv4 and IPv6 addresses. I hadn’t thought of that! The Elasticsearch documentation (here) says that “An ip field can index/store either IPv4 or IPv6 addresses.” Does this mean I don’t have to worry about the v4/v6 distinction, that Elasticsearch will be smart enough to tell that “10.10.10.10” is a v4 address and “FC00:CAFE:1890:00A0:0722:2000:0000:0063” is a v6 address? That seems almost too good to be true.
My data does have a field indicating IPv4 or v6. If I must, can I do some kind of if/else within the index template, something like this:
curl -X PUT "localhost:9200/_template/my_template" -H 'Content-Type: application/json' -d'
{
  "index_patterns": "myindex",
  "order": 1,
  "settings": {
    "index": {
      "refresh_interval": "5s"
    }
  },
  if "IP.version" == 4 {
    "mappings": {
      "properties": {
        "IP.host": {
          "type": "ip"
        }
      }
    }
  },
  else {
    # "type": "ipv6"
  },
}'
Is this possible? If so, can someone show me an example of the syntax? Thank you!
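Added example, not part of the original post: a small Python pre-ingest check for records destined for the single "ip"-mapped IP.host field above. It validates that each IP.host value is a well-formed IPv4 or IPv6 address, that it agrees with the record's IP.version field (assumed here to hold 4 or 6), canonicalizes the text so equal addresses index identically, and emits _bulk NDJSON only for the records that will not be rejected by the mapping; the sample records are constructed.

```python
# Added example (not from the original post): pre-ingest validation for the
# "IP.host" field.  A value that is not a parseable address fails the whole
# document against an "ip" mapping, and a bulk load then silently loses that
# record unless the per-item errors are inspected, so we check up front.
import ipaddress
import json

# Constructed sample records, not real traffic.  IP.version is assumed to be 4 or 6.
SAMPLE_RECORDS = [
    {"IP.host": "10.10.10.10", "IP.version": 4},
    {"IP.host": "FC00:CAFE:1890:00A0:0722:2000:0000:0063", "IP.version": 6},
    {"IP.host": "10.10.10.10", "IP.version": 6},   # family does not match IP.version
    {"IP.host": "10.10.10.300", "IP.version": 4},  # not an address at all
]


def normalize_host(record):
    """Return (True, normalized_record) or (False, reason).

    ipaddress.ip_address() accepts both families, so one code path covers
    IPv4 and IPv6; the canonical string (lower-case, zero-compressed IPv6)
    is written back so the same address never appears in two spellings.
    """
    raw = record.get("IP.host")
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return False, f"invalid address {raw!r}"
    version = record.get("IP.version")
    if version is not None and version != addr.version:
        return False, f"IP.version={version} but address is v{addr.version}"
    out = dict(record)
    out["IP.host"] = str(addr)
    out["IP.version"] = addr.version
    return True, out


def build_bulk_body(records, index="myindex"):
    """Produce _bulk NDJSON for the valid records plus a list of rejects."""
    lines, rejects = [], []
    for rec in records:
        ok, result = normalize_host(rec)
        if ok:
            lines.append(json.dumps({"index": {"_index": index}}))
            lines.append(json.dumps(result))
        else:
            rejects.append((rec, result))
    return "\n".join(lines) + "\n", rejects


if __name__ == "__main__":
    body, rejects = build_bulk_body(SAMPLE_RECORDS)
    print(body)
    for rec, reason in rejects:
        print("rejected:", rec, "->", reason)
```

The returned body is what you would POST to /_bulk; keep the rejects list, since a dropped record in a network archive is itself something to alert on.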