Logstash ip data type

Mohammad_Mousavi · April 14, 2020, 9:40am

Hi, I have this in grok : %{IP:clientip}, but in Kibana in index mapping I see:

  "clientip": {
"type": "text",
"norms": false,
"fields": {
  "keyword": {
    "type": "keyword",
    "ignore_above": 256

I can't use kibana filter based on IP range, I guess this is the reason.
Should I reindex my indexes? How ?
and what's wrong with logstash ? should I use some mutate to convert ?
Thanx a lot.

Christian_Dahlqvist · April 14, 2020, 10:59am

Mutating fields in Logstash does not control how they are mapped in Elasticsearch, just how they are formatted in the JSON document being indexed. This is why it is only possible to convert to integers and floats. For data that are sent as a string, e.g. IP addresses, you need to provide the correct mapping through an index template. What you see is the default mapping that is created dynamically for strings if you do not specify any mapping. As you can not change mappings for existing fields you will need to reindex your data with the corrected mappings.

system · May 12, 2020, 10:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to map to ES type "ip" properly? Elasticsearch	1	366	December 10, 2018
IP type being incorrectly indexed and mapped as string Elasticsearch	1	543	March 8, 2017
Supported field types? Logstash	5	9629	July 6, 2017
String to IP Convert Elasticsearch	6	328	January 23, 2023
Convert a field from string to IP type Kibana	2	422	February 18, 2022

Logstash ip data type

Related topics