Is there any reason to have a field mapped as an IP AND a keyword?

red888 · May 31, 2017, 7:57pm

I'm looking at a few index mapping examples from around the web and there are a few things Im unsure of.

I have some fields like this that are mapped with IP as well as keyword:

"host_ip": {
 "type": "ip",
  "fields": {
    "keyword": {
      "type": "keyword"
    }
  }
},

Is there any reason I would want both?

I need it mapped as an IP type so I can search on IP ranges, but when would I want it to be a keyword?

Is searching on a keyword field faster than an IP field? Like for example if I want to query for a specific IP would a query for host_ip.keyword:<specific ip> be faster then searching on host_ip:<specific ip> (where host_ip is an IP type)?

thiago · May 31, 2017, 11:00pm

I don't see any real use for that. ip fields behaves just as keyword field in the sense that you can do aggregations over it plus the fact that you can do CIDR queries on ip fields.

rusty · June 1, 2017, 8:07am

If you are using exact queries - ip type is preferable, but if you need regexp match - keyword type is the answer.

Mark_Harwood · June 1, 2017, 8:16am

One aggregation where there is a possible performance benefit is the significant_terms aggregation.
It needs to look up background frequencies to relevance rank candidate terms. An example use case is identifying the IP addresses strongly correlated with risky behaviour [1].
With a simple keyword field Lucene maintains a count that can be looked up cheaply. However, to look up the background frequency for an ip type field the internal implementation in significant terms has to effectively run a query to count the set of docs with this value which is more expensive.

[1] https://www.elastic.co/blog/spotting-bad-actors-what-your-logs-can-tell-you-about-protecting-your-business

system · June 29, 2017, 8:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.