filebeat index pattern shows warning that host.ip is showing both type ip and text.
I believe this is somehow related to IPv6 host.ip is in type text and IPv4 host.ip in type ip
how do fix this ? at this point I don't need IPv6 detail(s).
That sounds possible, yes.
Are the v4 and v6 values stored in the same field?
yes it appears to be so, from Observability --> Logs --> an entry's detail would show field host.ip with both IPv4 address and what looks to be IPv6 IP address.
seems like my old grok patterns (worked in 6.8.x) aren't working on 7.1.3.x .. still trying to figure that out too.. but with this Mapping Conflict, I can't seem to run a reload on the index pattern (not available option, just delete index pattern)
What do you mean by a reload there?
Typo, meant there is no icon/option to refresh the index pattern...
Ah ok. That won't fix it because you will need to reindex the data with the "bad" mapping to the "good" one. Or, delete that "bad" data.
I've tried deleting the bad data/(filebeat-* indexes) , but the mapping keeps coming back even on new data.
i.e.
field host.ip value 10.XX.XX.XXX, fe80::da9d:67ff:fe2b:b574
I managed to disable ipv6 from the OS side, and live data no longer shows a host.ip value with both IPv4 and IPv6... but index pattern still shows the mapping conflict.
in the mapping json, I see 2 entries where ip is type text instead of type ip.
not familiar with the reindexing process. can someone explain how it's done? via dev-tool console?
Are they specific indices you can delete?
Awesome!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.