Help understanding use of to_ip() and underlying IP data format in index


(Hkelley) #1

I am importing logs with IP (v4 and v6) data. The IP fields already come into Graylog as strings, but I was experimenting with the to_ip() function in the pipeline rules to see if they did anything interesting.

When I use a pipeline rule like this, I don’t see any difference in the resulting field. The aip field looks just like other IP fields in the log (fields that I am not changing). Is to_ip() not applicable in my scenario? Is the IP data still stored as a string in ES?

rule "convert aip to ip"
when
    has_field("aip")
then
    set_field("aip", to_ip($message.aip));
end

I was reading the following thread and I think I share some of the confusion about Graylog’s use/mapping of IP data. Is the IP type only relevant in pipeline rules? Is it stored as a string when it goes to the index?

https://community.graylog.org/t/about-data-types-in-graylog-and-es/4661


(Jan Doberstein) #2

The type you specify with to_ip() does not change how the data is stored, because that is only given during the processing pipelines. That would allow you to check if the IP is in a certain subnet or similar.

If you want to change the way the IP is stored in Elasticsearch, you would need to create a custom mapping in Elasticsearch for that field.
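As an added example (not from this thread), this is the kind of custom Elasticsearch index template Jan refers to, mapping the `aip` field to the Elasticsearch `ip` type, which covers both v4 and v6 addresses. It assumes Elasticsearch 5.x/6.x template syntax and Graylog's default `graylog_*` index prefix; on Elasticsearch 7.x the top-level key is `index_patterns` and the `message` type level is dropped.

```json
{
  "template": "graylog_*",
  "order": 0,
  "mappings": {
    "message": {
      "properties": {
        "aip": {
          "type": "ip"
        }
      }
    }
  }
}
```

Apply it with `PUT /_template/graylog-custom-mapping` against Elasticsearch; the `order` of 0 takes precedence over Graylog's own `graylog-internal` template, and it only affects indices created afterwards, so rotate the active write index. Because the `ip` type rejects any value that is not a well-formed v4/v6 address, the pipeline should only write valid addresses into `aip`, otherwise the whole message fails to index.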