I am importing logs with IP data (v4 and v6). The IP fields already come into Graylog as strings, but I was experimenting with the to_ip() function in the pipeline rules to see if they did anything interesting.
When I use a pipeline rule like this, I don’t see any difference in the resulting field. The aip field looks just like other IP fields in the log (fields that I am not changing). Is to_ip() not applicable in my scenario? Is the IP data still stored as a string in ES?
rule "aip to ip"
when
  has_field("aip")
then
  set_field("aip", to_ip($message.aip));
end
I was reading the following thread and I think I share some of the confusion about Graylog’s use/mapping of IP data. Is the IP type only relevant in pipeline rules? Is it stored as a string when it goes to the index?