Use the correct datatype fields

Hey there,
I would like just to get a suggestion.
If I have a field that contains only IP addresses and it is used for standard match queries, would it be better to map it with the ip datatype, or is it not relevant? Is there any drawback to mapping it as text?
I saw that the ip datatype is a 64-bit integer; what about text?

Hi @rschirin - you're right to question the type based on usage.
Are you going to search for partial matches of the IP? Then the text or IP datatypes may be better.
Are you going to search using CIDR notation or to aggregate IP ranges? Then the IP datatype would be best.
If you're only going to match the whole term but still want to potentially term-aggregate on it, then stick to the keyword datatype.

You can also use a runtime field to change its type afterwards if you want to test other usages.

Thanks a lot! I am searching for the whole string, so keyword should be the best option. Let me ask another thing: should I use keyword in every scenario where I perform searches on the whole values? Generally without any aggregation operation.

Just one thing: if you are using an ECS field like source.ip or client.ip and want to integrate with some apps in Kibana, like the ones from the Security module, you will need to map the field as IP or some things will not work.

It depends on your data, but if you only search for the exact value of the field, then mapping it as keyword would be ideal.

One tip, if you aren't using ECS, is to try to follow the mapping Elastic uses for a field that would hold the same data as yours. For example, if you have a field for the source port of a network connection named srcPort and you always search by exact ports like 22 or 443, you may map this field as keyword, but Elastic uses long for all port fields because in some cases there is a need to do range queries on it.

I had this exact same situation where all my port fields were mapped as keyword because we only searched for exact values, until there was a need to search for a range of ports.
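To make the difference between the three mappings concrete, here is an added example (not code from the thread or from Elastic). It emulates, with Python's `ipaddress` module, how Elasticsearch treats a `term` on a keyword field (exact string only), a `term` on an ip field (a single address or a CIDR block, with addresses normalised), and a `range` on a long field, over a handful of constructed ECS-style documents. The field names `source.ip`, `source.port` and the non-ECS `client_tag` are assumptions for the demo; the mapping returned by `mapping()` is the one you would send to the index for these fields.

```python
import ipaddress

# Constructed sample documents (not real data), flat ECS-style keys.
# client_tag holds the same address as source.ip but is mapped as keyword.
DOCS = [
    {"source.ip": "10.1.2.3",    "source.port": 22,   "client_tag": "10.1.2.3"},
    {"source.ip": "10.200.0.9",  "source.port": 443,  "client_tag": "10.200.0.9"},
    {"source.ip": "192.168.5.7", "source.port": 8443, "client_tag": "192.168.5.7"},
    {"source.ip": "2001:db8::1", "source.port": 53,   "client_tag": "2001:db8::1"},
]


def mapping() -> dict:
    """Index mapping for the demo fields: ip for addresses, long for ports,
    keyword for a field that is only ever matched as a whole string."""
    return {
        "mappings": {
            "properties": {
                "source": {
                    "properties": {
                        "ip": {"type": "ip"},
                        "port": {"type": "long"},
                    }
                },
                "client_tag": {"type": "keyword"},
            }
        }
    }


def term_keyword(docs, field, value):
    """Emulates {"term": {field: value}} on a keyword field: the stored bytes
    must equal the query bytes. CIDR notation and alternative spellings of
    the same address ("2001:0db8::1" vs "2001:db8::1") do not match."""
    return [d for d in docs if d[field] == value]


def term_ip(docs, field, value):
    """Emulates {"term": {field: value}} on an ip field: the value may be a
    single address or a CIDR block, and addresses are compared in binary
    form, so spelling differences are irrelevant. An IPv4 block never
    contains an IPv6 address."""
    net = ipaddress.ip_network(value, strict=False)
    return [d for d in docs if ipaddress.ip_address(d[field]) in net]


def range_long(docs, field, gte, lte):
    """Emulates {"range": {field: {"gte": gte, "lte": lte}}} on a long field,
    the query that a keyword-mapped port cannot answer numerically."""
    return [d for d in docs if gte <= d[field] <= lte]


def run_demo() -> dict:
    """Returns hit counts for the queries discussed in the thread."""
    return {
        "keyword_exact":   len(term_keyword(DOCS, "client_tag", "10.1.2.3")),
        "keyword_cidr":    len(term_keyword(DOCS, "client_tag", "10.0.0.0/8")),
        "keyword_v6_alt":  len(term_keyword(DOCS, "client_tag", "2001:0db8::1")),
        "ip_cidr":         len(term_ip(DOCS, "source.ip", "10.0.0.0/8")),
        "ip_v6_alt":       len(term_ip(DOCS, "source.ip", "2001:0db8::1")),
        "port_privileged": len(range_long(DOCS, "source.port", 1, 1023)),
    }


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name:16s} -> {hits} hit(s)")
```

The keyword field answers the exact-match query but returns nothing for the CIDR block or for the alternative IPv6 spelling, which is the drawback of mapping addresses as text or keyword; the ip field answers all of them, and the long port field supports the range query that forced the re-mapping described above.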


Will using a keyword field give more efficient disk usage? Or better performance? Or both?
