Mapping conflict field host.ip Filebeat

Hello there,

I have this cluster set up and apparently it is working fine, apart from some mapping conflicts under the hood.

After adding Custom Windows Event Logs integrations using Fleet, I checked whether logs were coming through, which in fact they were, but then I saw a conflict icon on the host.ip field.

Checking the mappings from a few indices, I saw that:

index: .ds-filebeat-8.2.3-*
        "host" : {
          "properties" : {
            "architecture" : {
              "type" : "keyword",
              "ignore_above" : 1024
            },
            "ip" : {
              "type" : "ip"

is conflicting with this one:

index: .ds-logs-winlog.winlog-default-*
        "host" : {
          "properties" : {
            "architecture" : {
              "type" : "keyword",
              "ignore_above" : 1024
            },
            "ip" : {
              "type" : "keyword",
              "ignore_above" : 1024
            },

Also, the results from a simple search using the first index: .ds-logs-winlog.winlog-default-*

    "host": {
      "hostname": "test",
      "os": {
        "build": "14393.4704",
        "kernel": "10.0.14393.4704 (rs1_release.211004-1917)",
        "name": "Windows Server 2016 Standard",
        "type": "windows",
        "family": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "169.254.9.134",
        "192.168.0.124",
        "fe80::5efe:a9fe:ac2",
        "fe80::5efe:a82:7c"
      ],

The agent.type: filebeat

So my question is: is the main issue here the fact that the logs are sending IPv6? Or is it because the type of one mapping is keyword and the other is ip?

So can I fix this? Do I need to change the whole mapping for the data stream logs-winlog.winlog-default?

Thanks for the attention.
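
The comparison done by hand in the post above, as an added example that is not part of the original post: it flattens mappings in the shape returned by `GET <index>/_mapping`, reports every field whose type differs between indices, and checks whether the quoted host.ip values parse as IPv4/IPv6 literals. The concrete index names, the trimmed mappings and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: mappings in the shape returned by GET <index>/_mapping,
# trimmed to the host.* fields quoted in the post. Index names are placeholders
# standing in for the backing indices behind the wildcards.
def _index(host_props):
    return {"mappings": {"properties": {"host": {"properties": host_props}}}}

ARCH = {"type": "keyword", "ignore_above": 1024}
MAPPINGS = {
    ".ds-filebeat-8.2.3-example": _index({"architecture": ARCH, "ip": {"type": "ip"}}),
    ".ds-logs-winlog.winlog-default-example": _index(
        {"architecture": ARCH, "ip": {"type": "keyword", "ignore_above": 1024}}),
}
# host.ip values from the search result quoted in the post
SAMPLE_IPS = ["169.254.9.134", "192.168.0.124", "fe80::5efe:a9fe:ac2", "fe80::5efe:a82:7c"]

def flatten(properties, prefix=""):
    """Yield (dotted.field.name, type) for every leaf field in a mapping."""
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:  # object field: recurse into its children
            yield from flatten(spec["properties"], path + ".")
        elif "type" in spec:
            yield path, spec["type"]

def find_conflicts(mappings):
    """Return {field: {type: [indices]}} for fields mapped with more than one type."""
    seen = {}
    for index, body in mappings.items():
        for field, ftype in flatten(body["mappings"].get("properties", {})):
            seen.setdefault(field, {}).setdefault(ftype, []).append(index)
    return {field: types for field, types in seen.items() if len(types) > 1}

def unparseable_ips(values):
    """Return the values that are not valid IPv4 or IPv6 literals."""
    bad = []
    for value in values:
        try:
            ipaddress.ip_address(value)
        except ValueError:
            bad.append(value)
    return bad

if __name__ == "__main__":
    for field, types in find_conflicts(MAPPINGS).items():
        print("conflict:", field, types)
    print("values not parseable as IP:", unparseable_ips(SAMPLE_IPS))
```

On the sample, the only field reported is host.ip (`ip` in one index, `keyword` in the other), and all four quoted addresses, the IPv6 ones included, parse cleanly.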
