I have a Logstash config file that has defined a field mapping of an IP-type field as follows:
...
%{IP:client_ip}
...
but when my data (an AWS ELB log file) is consumed by Logstash and indexed in Elasticsearch, my data is coming over as a string type. Specifically, when queried, the Elasticsearch mapping for that field shows as follows:
...
"client_ip" : {
  "type" : "text",
  "norms" : false,
  "fields" : {
    "keyword" : {
      "type" : "keyword"
    }
  }
},
...
I haven't specified anything like the Elasticsearch mapping anywhere, and I've checked the grok documentation and it appears the declaration of an IP type is correct. How do I ensure that my IP fields get mapped / typed properly in Elasticsearch?
(Note that the next job will be to fix over a month's worth of data in Elasticsearch, since you apparently cannot change data types for existing mappings...)
Thanks for your help...