Keywords for IP fields?

MarcusCaepio · July 9, 2018, 10:54am

Hi all,

by default logstash creates a field and a field.keyword.
When I map e.g. IP fields as fieldtype ip, the ip.keyword field disappears.
Is it usefull to map fields like them with a keyfield again?

E.g.:
[...]
host":{ "type": "ip", "fields":{"keyword": {"type":"keyword","ignore_above": 256}}},
[...]

Regards

Mark_Harwood · July 10, 2018, 9:16am

Like other numeric field types, ip is optimised in the index for performing range queries.
If you want to do things other than range queries e.g. use the significant_terms agg to find IP addresses highly correlated with 404 responses then it is better to use the ip.keyword field for that type of lookup.

system · August 7, 2018, 9:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Is there any reason to have a field mapped as an IP AND a keyword? Elasticsearch	4	565	June 29, 2017
Use the correct datatype fields Elasticsearch	5	328	March 24, 2023
IP type being incorrectly indexed and mapped as string Elasticsearch	1	543	March 8, 2017
Elastic 6.3 Field mapping of "IPORHOST" Elasticsearch	3	555	August 7, 2018
How to map to ES type "ip" properly? Elasticsearch	1	366	December 10, 2018

Keywords for IP fields?

Related topics