The "logstash-*" index pattern does not contain any of the following field types: ip
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	ayounsi
	Nov 20 2019, 9:19 PM

Description

When creating a Kibana visualisation for https://logstash.wikimedia.org/app/kibana#/dashboard/AW5v7YTUarkxubcmAwPB , it's in theory possible to aggregate data via IPv4 Range:

Screenshot from 2019-11-20 13-13-12.png (642×358 px, 36 KB)

But it shows the error:

No Compatible Fields: The "logstash-*" index pattern does not contain any of the following field types: ip

So I was wondering how/if IPs could be "casted" as type: ip. And how v6 would be handled.

Event Timeline

ayounsi triaged this task as Lowest priority.Nov 20 2019, 9:19 PM

ayounsi created this task.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 20 2019, 9:19 PM

Yes we can, if you know the name of the field we can add an explicit mapping to force the type in modules/profile/files/logstash/elasticsearch-template.json

From https://logstash.wikimedia.org/app/kibana#/dashboard/69b9fbe0-3c1b-11e8-90f7-4958fd3a62b4
src-ip
dst-ip

From https://logstash.wikimedia.org/app/kibana#/dashboard/AW5v7YTUarkxubcmAwPB
source_ip
destination_ip

Seems like type ip supports v4 and v6 IPs - https://www.elastic.co/guide/en/elasticsearch/reference/5.6/ip.html

Looks good! I won't have time to look into this in depth but I'm happy to help if patches need review

fgiunchedi moved this task from Inbox to Backlog on the observability board.Dec 10 2019, 2:01 PM

ECS is typing these fields appropriately since https://gerrit.wikimedia.org/r/c/operations/puppet/+/647029

	F31112906: Screenshot from 2019-11-20 13-13-12.png
	Nov 20 2019, 9:19 PM

The "logstash-*" index pattern does not contain any of the following field types: ip Closed, ResolvedPublicActions

Description

Event Timeline

The "logstash-*" index pattern does not contain any of the following field types: ip
Closed, ResolvedPublic
Actions