I have syslog docs coming through Logstash and everything is mapping to the correct field names. The index template that has a pattern matching the logs from Logstash correctly creates data streams and ILM is working great.
The problem/odd thing is that most fields, including ones that are explicitly mapped in component template(s) as well as manual mappings I created in the index template, are not taking.
For example, 'host.ip' is supposed to map to the field type 'ip', but it, along with many keywords (that are also mapped to 'keyword'), is indexing as the field type 'text'.
I've tried re-indexing, wiping the entire config and ensuring that the data stream is created via the index template with all the mappings, but still most fields end up indexing as 'text'.
Has anyone come across this before? I am at a loss, so any help would be much appreciated!
P.S. My setup with Logstash is through the centrally managed Kibana portal, and I'm running enterprise ELK 8.17.0.