Supported Elasticsearch Field Types

Hi all,

I found an old thread from 2018 here, which was not answered:

I tried to use field type “ip” in a GROK rule, but got the error message “not supported”. We use ES 6.8.6 on our ES cluster members.
According to this page (IP datatype | Elasticsearch Guide [6.8] | Elastic), the type “ip” is nothing special.

Do you have an overview of which datatypes are supported in GL? A hint with the GitHub source would be enough for me.

Best,

Sascha

EDIT:
Found this: https://github.com/Graylog2/graylog2-server/blob/master/graylog2-web-interface/src/views/logic/fieldtypes/FieldType.js
The type “ip” is there:
IP: createType('ip', [Properties.Enumerable]),
Now I’m even more confused…

Hi @shenke,

What do you mean by:

tried to use field type “ip” in a GROK rule

Can you give an example for that? Because GROK does not support the type IP.

I wanted to change the field %{Client_IP:src_ip} to %{Client_IP:src_ip;ip} which did not work.

This is the full extractor:
%{HTTP_PROXY_DATE}%{PROXY}%{Client_IP:src_ip}%{SPACE:UNWANTED}%{HTTP_METHOD:http_method}%{SPACE:UNWANTED}%{HTTP_Host}%{URI_PARAM}%{SPACE:UNWANTED}%{HTTP_VERSION}%{USER_AGENT}

Hello @shenke,

GROK does not know a type IP and does not know of the Elasticsearch field types.
GROK only knows int, float, string and perhaps boolean, but I could not find anything about that.

As far as I know, sending a string to Elasticsearch should be enough, and Elasticsearch will map it as IP if you configured it that way.

Hmkay, I’ll try it that way. Thank you!

I just read again what I wrote and I want to make myself clear. It should be enough to do no type casting in the Grok pattern at all.

Hope this helps! Let me know if I can be of any further help.

Best regards,
Konrad
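
The approach described in the replies above, as an added example that is not part of the thread or Graylog's own code: the extractor keeps emitting `src_ip` as a plain string, and an Elasticsearch index template maps that field as `ip`. It assumes the default index prefix `graylog`, the ES 6.x mapping type `message`, and a hypothetical template name; the sample values are constructed.

```python
import ipaddress
import json

# Assumptions: Graylog's default index prefix "graylog" and the ES 6.x mapping
# type "message"; the template name below is hypothetical.
TEMPLATE_NAME = "graylog-custom-mapping"


def build_ip_template(fields, index_prefix="graylog"):
    """Return an ES 6.x index-template body that maps `fields` as type ip."""
    return {
        "index_patterns": [f"{index_prefix}_*"],
        "order": 10,  # assumed high enough to apply on top of the default template
        "mappings": {
            "message": {
                "properties": {name: {"type": "ip"} for name in fields}
            }
        },
    }


def split_by_ip_validity(values):
    """Split extracted strings into (valid, invalid) IP literals.

    A field mapped as ip rejects documents whose value is not an IP address
    (unless ignore_malformed is set), so a loose capture such as "-" or a
    hostname turns into an indexing failure. Python's ipaddress module is
    used here as an approximation of what Elasticsearch accepts.
    """
    valid, invalid = [], []
    for value in values:
        try:
            ipaddress.ip_address(value)
            valid.append(value)
        except ValueError:
            invalid.append(value)
    return valid, invalid


if __name__ == "__main__":
    # Constructed sample values, as the src_ip capture might produce them.
    samples = ["10.1.2.3", "2001:db8::1", "-", "proxy01.example.org"]
    ok, bad = split_by_ip_validity(samples)
    print(f"PUT _template/{TEMPLATE_NAME}")
    print(json.dumps(build_ip_template(["src_ip"]), indent=2))
    print("accepted by an ip mapping:", ok)
    print("rejected by an ip mapping:", bad)
```

An index template only applies to indices created after it is stored, so the active write index has to be rotated before `src_ip` is indexed as `ip`.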
