MySQL string field to ip using Logstash

RRSR · May 7, 2018, 11:01am

Hi,

I am using Logstash to create ElasticSearch index from MySQL data using jdbc plugin. There a field named ip in my MySQL which in ES index is coming as String. I want this field to be of datatype "ip".

logstash.conf :

input {
  jdbc { 
    jdbc_connection_string => "jdbc:mysql://localhost:3306/mydb"
    jdbc_user => "root"
    jdbc_password => "secret"
    jdbc_driver_library => "C:/apps/mysql-connector-java-5.1.44/mysql-connector-java-5.1.44-bin.jar"
    jdbc_driver_class => "com.mysql.jdbc.Driver"
    statement => "sleect * from abc"
    id => "my_id"
  }
}

output {
  stdout {codec => rubydebug}
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "mss_ddos"
    document_id => "%{my_id}"
    action => index
  } 
}

And my index is having _source as :

"ip": "1.1.1.1",
"start_time": "2018-05-05T12:00:51.000Z",
"@version": "1",
"end_time": "2018-05-05T12:00:51.000Z",
"@timestamp": "2018-05-07T10:11:10.797Z",

magnusbaeck · May 7, 2018, 11:06am

Update your index template so that ip is mapped as an IP address.

RRSR · May 7, 2018, 11:24am

@magnusbaeck - I don't have any template defined. Is creating a template a must for such a change?

magnusbaeck · May 7, 2018, 11:38am

Technically you can include the desired mappings in an explicit index creation request or add a mapping of the field after the index creation (assuming the field hasn't already been mapped), but using an index template is recommended.

RRSR · May 7, 2018, 11:52am

@magnusbaeck - I have created a template :

PUT _template/ddos_template
{
  "index_patterns": ["test_index"],
  "mappings": {
    "doc": {
      "_source": {
        "enabled": true
      },
      "properties": {
        "ip": {
          "type": "ip"
        }
      }
    }
  }
}

And created the index from scratch but still the type of ip field is coming as string rather than ip :

RRSR · May 7, 2018, 12:40pm

Actually, that worked by using the template approach but as I was checking the changes in an old Kibana index hence the changes were not reflected there.
Once I deleted the old there also and created a new index in Kibana too with the new ES index the datatype came as ip only.

system · June 4, 2018, 12:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
IP type being incorrectly indexed and mapped as string Elasticsearch	1	543	March 8, 2017
Correct src_ip field datatype to 'ip' Elasticsearch	8	4015	December 17, 2018
Can't convert the string datatype to ip Logstash	3	2761	February 9, 2018
IP datatype field cannot be created Logstash	3	278	April 30, 2020
Turn Packetbeat IP data from String to IP field type Logstash	5	1922	July 6, 2017

MySQL string field to ip using Logstash

Related topics