IP getting mapped as string

abhi1 · April 25, 2017, 3:45pm

Hi,

I am new with ELK. I am trying to load a log file via logstash; my log file is in json format. I am able to load it in Elastic, however on closely looking i found out that the ip field is loaded as string instead of IP datatype. I have tried multiple things like using mutate function, template updation ; but nothing seems to be working. Would really appreciate if somebody can help me with this

My config file:

input {
file {
codec => json
path => "C:\Users\asing178\Downloads\Log\DBAudit.log-2017-04-14-001.json"
start_position => "beginning"
codec => json
sincedb_path => "/dev/null"
}
}

output {
elasticsearch {
hosts => "http://localhost:9200"
#user=>"elastic"
#password=>"123456"
index => "bi_hadoop_log_abhi"
document_type => "log"

}
stdout { }
}

Json data sample:

{"timestamp":{"$date":"2017-04-12T06:37:44.572Z"},"operation":"DB_SCAN","user":"sramakr2","uid":43826,"ipAddress":"10.205.82.141","VolumeName":"uhclake_rx1_snapshot","volumeId":196457823,"columnFamily":"ci","columnQualifier":"snapshot_crt_ts","tablePath":"/datalake/uhclake/tst/t_hdfs/optum/Enriched/standard_access/current_snapshot/rx1/data/CLMPRDEXT2_RCEX1P_snaphbase","tableFid":"199722.16724.1003498","status":0}

my updated template file (I have overwritten the default template file)

{
"template" : "logstash-",
"version" : 50001,
"settings" : {
"index.refresh_interval" : "5s"
},
"mappings" : {
"default" : {
"_all" : {"enabled" : true, "norms" : false},
"dynamic_templates" : [ {
"message_field" : {
"path_match" : "message",
"match_mapping_type" : "string",
"mapping" : {
"type" : "text",
"norms" : false
}
}
}, {
"string_fields" : {
"match" : "",
"match_mapping_type" : "string",
"mapping" : {
"type" : "text", "norms" : false,
"fields" : {
"keyword" : { "type": "keyword" }
}
}
}
} ],
"properties" : {
"@timestamp": { "type": "date", "include_in_all": false },
"@version": { "type": "keyword", "include_in_all": false },
"ipAddress": { "type": "ip" },
"geoip" : {
"dynamic": true,
"properties" : {
"ip": { "type": "ip" },
"location" : { "type" : "geo_point" },
"latitude" : { "type" : "half_float" },
"longitude" : { "type" : "half_float" }
}
}
}
}
}
}

Template file location: C:\Users\asing178\Downloads\logstash-5.2.1\vendor\bundle\jruby\1.9\gems\logstash-output-elasticsearch-6.2.6-java\lib\logstash\outputs\elasticsearch\elasticsearch-template-es5x.json

Kindly let me know if any other detail is required

warkolm · April 28, 2017, 8:21am

You aren't using the geoip filter on the ipAddress field, so it will never create that info.

However what does it end up being mapped as?

abhi1 · May 1, 2017, 5:59am

Thanks Mark...my ip field is getting mapped as string in my indexes. So you are suggesting that i need to use geoip filter in my config

abhi1 · May 5, 2017, 3:27pm

The issue is resolved now; I have used the explicit mapping for the index where I have specified the field type as ip and then ran the logstash

system · June 2, 2017, 3:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
IP type being incorrectly indexed and mapped as string Elasticsearch	1	543	March 8, 2017
LogStash Imports Numbers as Strings into Elastic Logstash	3	1889	July 6, 2017
Turn Packetbeat IP data from String to IP field type Logstash	5	1922	July 6, 2017
How map datatype dynamically for fields as per input logs in elasticsearch Logstash	2	731	April 12, 2017
Logstash ip data type Logstash	2	1025	May 12, 2020

IP getting mapped as string

Related topics