I am importing logs with IP data (v4 and v6). The IP fields already come into Graylog as strings, but I was experimenting with the to_ip() function in the pipeline rules to see if it did anything interesting.
When I use a pipeline rule like this, I don’t see any difference in the resulting field. The aip field looks just like the other IP fields in the log (fields that I am not changing). Is to_ip() not applicable in my scenario? Is the IP data still stored as a string in ES?
```
when
  has_field("aip")
then
  set_field("aip", to_ip($message.aip));
end
```
I was reading the following thread and I think I share some of the confusion about Graylog’s use/mapping of IP data. Is the IP type only relevant in pipeline rules? Is it stored as a string when it goes to the index?
https://community.graylog.org/t/about-data-types-in-graylog-and-es/4661
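What a typed IP value buys over the raw string is easiest to see outside Graylog. The following Python block is an added illustration, not part of the original post and not Graylog code: it uses the standard `ipaddress` module as a stand-in for a `to_ip()`-style conversion over constructed sample records, and shows that the stored text can look unchanged while equality, normalization and CIDR membership behave differently once the value is parsed. The field names (`aip_normalized`, `aip_valid`, `aip_rfc1918`) and the sample records are assumptions made for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample records; the "aip" field arrives as a plain string,
# as it would from a syslog or JSON input.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"aip": "10.1.2.3"},
    {"aip": "2001:0db8:0000:0000:0000:0000:0000:0001"},  # uncompressed IPv6
    {"aip": "::ffff:192.168.0.10"},                        # IPv4-mapped IPv6
    {"aip": "not-an-ip"},                                  # malformed value
]

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def to_ip(value: str) -> Optional[IPAddr]:
    """Parse a string into a typed address; None when it is not a valid IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def normalize(value: str) -> Optional[str]:
    """Canonical text form: compressed IPv6, IPv4 unchanged, None if invalid."""
    ip = to_ip(value)
    return None if ip is None else ip.compressed


def same_address(a: str, b: str) -> bool:
    """Equality on the parsed value, not on the raw strings."""
    ip_a, ip_b = to_ip(a), to_ip(b)
    return ip_a is not None and ip_a == ip_b


def cidr_match(cidr: str, value: str) -> bool:
    """True when the value parses and lies inside the network; never raises."""
    ip = to_ip(value)
    if ip is None:
        return False
    net = ipaddress.ip_network(cidr, strict=False)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is matched against
    # IPv4 networks through its embedded IPv4 form.
    if isinstance(ip, ipaddress.IPv6Address) and net.version == 4 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip.version == net.version and ip in net


def enrich(record: Dict[str, str]) -> Dict[str, object]:
    """Keep the raw field, add a normalized copy and an RFC 1918 flag.

    Writing derived fields (hypothetical names) rather than overwriting "aip"
    keeps the original value searchable exactly as the sender produced it.
    """
    out: Dict[str, object] = dict(record)
    raw = record.get("aip", "")
    out["aip_normalized"] = normalize(raw)
    out["aip_valid"] = out["aip_normalized"] is not None
    out["aip_rfc1918"] = any(cidr_match(net, raw) for net in RFC1918)
    return out


def enrich_all(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply the enrichment to every record, like a pipeline stage would."""
    return [enrich(r) for r in records]


if __name__ == "__main__":
    for rec in enrich_all(SAMPLE_RECORDS):
        print(rec)
```

The practical takeaway for the question above: a converted value that is written straight back into the same field will render as text again, so the index shows no visible difference; the conversion pays off when the parsed value is used for comparisons or range checks inside the rule, or when the result is written into a separate, consistently normalized field that detections and dashboards can rely on.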