Hi all,
by default logstash creates a field and a field.keyword.
When I map e.g. IP fields as fieldtype ip, the ip.keyword field disappears.
Is it usefull to map fields like them with a keyfield again?
E.g.:
[...]
host":{ "type": "ip", "fields":{"keyword": {"type":"keyword","ignore_above": 256}}},
[...]
Regards
Like other numeric field types, ip is optimised in the index for performing range queries.
If you want to do things other than range queries e.g. use the significant_terms agg to find IP addresses highly correlated with 404 responses then it is better to use the ip.keyword field for that type of lookup.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.