Parsing problems with IPv6 in the event

Hi, we are running version 5.4.3 of ELK.
The field "source" is set to be of type "ip". Before, it worked without any problem until we started to send data with IPv6 (not IPv4). The IP address is in the correct format. What can be wrong?

In Logstash we also have geoip:
    geoip {
      source => "[attrs][source]"
      tag_on_failure => "geoip_error"
    }

[2018-03-15T10:18:49,560][ERROR][logstash.filters.ruby ] Ruby exception occurred: bad value for range
[2018-03-15T10:18:49,588][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-2018.03.15", :_type=>"sbc_event", :_routing=>nil}, 2018-03-15T08:55:07.000Z %{host} %{message}], :response=>{"index"=>{"_index"=>"logstash-2018.03.15", "_type"=>"sbc_event", "_id"=>"AWIo9GrwlVlA1nyv0IvN", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [attrs.source]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'[xxxx:xxxx:xxxx:39c6:16:3eff:fe8c:b341]' is not an IP string literal."}}}}}

It looks like your Elasticsearch index is configured to map that field to an IP address, and is rejecting the request to insert the document because the value isn't valid; while Elasticsearch 5.x added support for IPv6 for IP fields, it can also load indices that were created with Elasticsearch 2.x, which would only support IPv4. Is this by chance an index that pre-exists your migration to Elasticsearch 5.x?

It's also possible that Elasticsearch doesn't like the surrounding [ and ] (I'm guessing here; you may want to re-ask in the Elasticsearch forum)

Thank you! You were right, the problem was the square brackets!
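An added example, not part of the original thread and not Logstash's own code: a Ruby helper of the kind a Logstash ruby filter could call to strip the brackets before geoip and the Elasticsearch "ip" mapping see the value, so events are not rejected and lost. The name normalize_ip and the sample addresses are constructed for illustration.

```ruby
require "ipaddr"

# Normalise an address string so an Elasticsearch "ip" field accepts it.
# Handles bare IPv4/IPv6, bracketed IPv6 ("[addr]"), bracketed IPv6 with a
# port ("[addr]:5060"), IPv4 with a port, and IPv6 zone ids ("%eth0").
# Returns the canonical address string, or nil when the value is not an IP.
def normalize_ip(raw)
  return nil unless raw.is_a?(String)
  value = raw.strip

  if (m = value.match(/\A\[([^\]]+)\](?::\d{1,5})?\z/))
    value = m[1]                       # "[addr]" or "[addr]:port"
  elsif (m = value.match(/\A(\d{1,3}(?:\.\d{1,3}){3}):\d{1,5}\z/))
    value = m[1]                       # "a.b.c.d:port"
  end

  value = value.sub(/%.*\z/, "")       # drop an IPv6 zone id
  # An "ip" field holds one address, so reject empty values and CIDR ranges.
  return nil if value.empty? || value.include?("/")

  IPAddr.new(value).to_s               # raises on anything that is not an IP
rescue ArgumentError                   # IPAddr::Error is an ArgumentError
  nil
end

# Constructed sample values (documentation address ranges), not real log data.
SAMPLES = [
  "[2001:db8:1:39c6:16:3eff:fe8c:b341]",
  "[2001:db8:1:39c6:16:3eff:fe8c:b341]:5060",
  "192.0.2.10:5060",
  "[xxxx:xxxx:xxxx:39c6:16:3eff:fe8c:b341]",
].freeze

SAMPLES.each do |s|
  ip = normalize_ip(s)
  puts format("%-45s -> %s", s, ip || "(invalid: tag the event instead of indexing)")
end

# Inside a Logstash ruby filter (event API of Logstash 5.x), placed before geoip:
#   ip = normalize_ip(event.get("[attrs][source]"))
#   ip ? event.set("[attrs][source]", ip) : event.tag("source_not_ip")
```

Tagging the event when the helper returns nil keeps the record searchable instead of having Elasticsearch reject it with a 400.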
