

Add ip fields to default_field in Elasticsearch template (#11035)
Pasting an IP into Kibana's KQL bar currently yields no results - even when there are plenty of documents with that IP. The reason is that IP fields are currently not included in the default_field configuration of the generated template.

This adds them.

For Auditbeat, this adds 9 fields. For the others, it looks like 16 for Metricbeat, 15 for Filebeat, 17 for Packetbeat.
Christoph Wurm authored Mar 7, 2019
1 parent 5fcd2e5 commit eee127c
Showing 2 changed files with 17 additions and 18 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
@@ -231,6 +231,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add if/then/else support to processors. {pull}10744[10744]
- Add `community_id` processor for computing network flow hashes. {pull}10745[10745]
- Add output test to kafka output {pull}10834[10834]
- Add ip fields to default_field in Elasticsearch template. {pull}11035[11035]


*Auditbeat*
34 changes: 16 additions & 18 deletions libbeat/template/processor.go
@@ -100,13 +100,29 @@ func (p *Processor) Process(fields common.Fields, path string, output common.Map
mapping = p.other(&field)
}

switch field.Type {
case "", "keyword", "text", "ip":
addToDefaultFields(&field)
}

if len(mapping) > 0 {
output.Put(common.GenerateKey(field.Name), mapping)
}
}
return nil
}

func addToDefaultFields(f *common.Field) {
fullName := f.Name
if f.Path != "" {
fullName = f.Path + "." + f.Name
}

if f.Index == nil || (f.Index != nil && *f.Index) {
defaultFields = append(defaultFields, fullName)
}
}

func (p *Processor) other(f *common.Field) common.MapStr {
property := getDefaultProperties(f)
if f.Type != "" {
@@ -173,15 +189,6 @@ func (p *Processor) ip(f *common.Field) common.MapStr {
func (p *Processor) keyword(f *common.Field) common.MapStr {
property := getDefaultProperties(f)

fullName := f.Name
if f.Path != "" {
fullName = f.Path + "." + f.Name
}

if f.Index == nil || (f.Index != nil && *f.Index) {
defaultFields = append(defaultFields, fullName)
}

property["type"] = "keyword"

switch f.IgnoreAbove {
@@ -209,15 +216,6 @@ func (p *Processor) keyword(f *common.Field) common.MapStr {
func (p *Processor) text(f *common.Field) common.MapStr {
properties := getDefaultProperties(f)

fullName := f.Name
if f.Path != "" {
fullName = f.Path + "." + f.Name
}

if f.Index == nil || (f.Index != nil && *f.Index) {
defaultFields = append(defaultFields, fullName)
}

properties["type"] = "text"

if p.EsVersion.IsMajor(2) {
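Review bot: `addToDefaultFields` appends to the package-level `defaultFields` slice and is now called from the loop in `Process`, yet it has no doc comment saying which fields qualify or that it mutates shared state; I would add `// addToDefaultFields appends the field's full dotted name to defaultFields unless f.Index is explicitly false.` above it. Its condition can be shortened to `if f.Index == nil || *f.Index {`, because the nil check on the right-hand side is already implied by the left. The type list in the new `switch field.Type` is kept separately from the mapping dispatch earlier in `Process` (which starts outside this hunk), so a short comment there explaining why `""` is listed would help; presumably untyped fields are mapped as keyword, but that is not visible here and should be confirmed. The commit touches only this file and the changelog, so a test asserting that an `ip` field ends up in `defaultFields` appears to be missing.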
