Greetings,
Elastic Stack 6.3.2
I have IP addresses in fields in my data for which I wish to set mappings to index as ip type. For some of those fields, I also enrich the IP address in the document to a reverse DNS name using Logstash's dns filter. This filter by default appends the resolved PTR data to the same field, converting the field to an array containing the original IP address (item 1) as well as a DNS FQDN (item 2).
Field without enrichment:
"geoip": {
"ip": "174.238.136.189"
}
Field with this enrichment:
"source": {
"ip": [
"174.238.136.189",
"189.sub-174-238-136.myvzw.com"
]
}
In the first example, geoip.ip is a single field that can be easily specified in an index template with a mapping, and contains only an IP address, so no issue.
In the second enriched example, how can I achieve an Elasticsearch mapping for source.ip to index as ip type if it is an array and contains a non-IP data element? Will this not result in an error?
A secondary question (regarding the Logstash dns filter); is it possible to add an option (such as target) to the filter that allows a destination field to be specified rather than the current behaviors of the action option, which only allow appending to or replacing the source field? This would then be similar to the behavior of the geoip filter, storing the data separate from the source field. It seems to make more sense that an IP field only store IP addresses since DNS names are not IPs (just logically speaking, aside from the mapping complication).