I have been working on Logstash to read Packetbeat data; however, 90% of the data are strings. I would like to know how I can turn the fields related to IP addresses back into the data field as IP.
One of the filters I have done is:
filter {
  geoip {
    source => "ip"
  }
}
But the results haven't changed anything. I have even tried to rewrite the packetbeat template json as stated in GitHub [source]. But no good result. Please help.
Great thanks in advance.
You need to modify the index template used by Logstash. Look into the options related to index templates for the elasticsearch output plugin.
I can find the elasticsearch output plugin but I am not sure if I should just copy the whole source to overwrite the original data inside the file.
Thanks.
Copy the elasticsearch-template.json file (or whatever it's called) into a new location and configure your output to use that file instead.
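The template options referred to in the answer above, as an added example that is not part of the original thread. The host, index name, template name and file path are assumptions; the option names are those of the Logstash elasticsearch output plugin.

```logstash
output {
  elasticsearch {
    # Assumed Elasticsearch endpoint.
    hosts => ["localhost:9200"]

    # Assumed daily index name. The index pattern declared inside the
    # template file must match this name, otherwise the template is
    # never applied to the indices Logstash writes.
    index => "packetbeat-%{+YYYY.MM.dd}"

    # Let Logstash install the template at startup.
    manage_template => true

    # Hypothetical path to the copied and edited template file, in which
    # the IP fields are mapped with "type": "ip".
    template => "/etc/logstash/templates/packetbeat-template.json"

    # Assumed template name. Use a name of your own so the edited copy
    # does not collide with the default "logstash" template.
    template_name => "packetbeat"

    # Replace a template of the same name that is already stored in
    # Elasticsearch. Without this, an earlier copy stays in effect.
    template_overwrite => true
  }
}
```

An index template is applied only when an index is created, so indices that already exist keep their string mappings until new indices are created or the data is reindexed. Kibana also caches field types in the index pattern, so refresh its field list after the new mapping is in place.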
Great, thanks. It is a great help.
However, even though I have made the Logstash conf file use the template I made from the source, it seems the fields collected are still all strings instead of changing to other types of data. For example, the IP data collected are originally just a string, then I have mapped it as an IP in the template JSON file. However, in the settings in Kibana, it is still a string.