From 1a51f11a8f4ab1a30bda4111ddb123d956205d9e Mon Sep 17 00:00:00 2001
From: Christoph Wurm
Date: Mon, 11 Mar 2019 16:07:34 +0000
Subject: [PATCH] Add ip fields to default_field in Elasticsearch template (#11035) (#11128)

Pasting an IP into Kibana's KQL bar currently yields no results - even when there are plenty of documents with that IP. The reason is that IP fields are currently not included in the default_field configuration of the generated template. This adds them. For Auditbeat, this adds 9 fields. For the others, it looks like 16 for Metricbeat, 15 for Filebeat, 17 for Packetbeat.
(cherry picked from commit eee127cb59b56f2ed7c7e317398c3f79c4158216)
---
 CHANGELOG.next.asciidoc | 1 +
 libbeat/template/processor.go | 34 ++++++++++++++++------------------
 2 files changed, 17 insertions(+), 18 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index d82905096fa8..70f6eca3c956 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -167,6 +167,7 @@ https://github.com/elastic/beats/compare/v6.6.0...6.x[Check the HEAD diff]
 - Add support for index lifecycle management (beta). {pull}7963[7963]
 - Always include Pod UID as part of Pod metadata. {pull]9517[9517]
 - Release Jolokia autodiscover as GA. {pull}9706[9706]
+- Add ip fields to default_field in Elasticsearch template. {pull}11035[11035]
 *Auditbeat*
diff --git a/libbeat/template/processor.go b/libbeat/template/processor.go
index 69229cad5a5b..48897c2bf4e3 100644
--- a/libbeat/template/processor.go
+++ b/libbeat/template/processor.go
@@ -99,6 +99,11 @@ func (p *Processor) Process(fields common.Fields, path string, output common.Map
 mapping = p.other(&field)
 }
+ switch field.Type {
+ case "", "keyword", "text", "ip":
+ addToDefaultFields(&field)
+ }
+
 if len(mapping) > 0 {
 output.Put(common.GenerateKey(field.Name), mapping)
 }
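Review bot: Nothing in this patch pins the behaviour of the new `switch field.Type` in Process: the diffstat lists only the changelog and processor.go, so a later refactor could drop `ip` fields from `default_field` again without a test failing. A small table test that runs Process over an indexed `ip` field, an `ip` field with `index: false` and a numeric field, and asserts which names end up in `defaultFields`, would cover it. The type list is also now kept separately from the mapping switch above it, so a short comment such as `// Only string-like types and ip are searched by default; keep in sync with the mapping switch above.` would help. It is worth confirming that free-text terms which are not valid addresses do not cause query errors against the ip fields, which presumably depends on the query being sent as lenient and is not visible here. The body of Process starts and ends outside the hunk.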
@@ -106,6 +111,17 @@ func (p *Processor) Process(fields common.Fields, path string, output common.Map
 return nil
 }
+func addToDefaultFields(f *common.Field) {
+ fullName := f.Name
+ if f.Path != "" {
+ fullName = f.Path + "." + f.Name
+ }
+
+ if f.Index == nil || (f.Index != nil && *f.Index) {
+ defaultFields = append(defaultFields, fullName)
+ }
+}
+
 func (p *Processor) other(f *common.Field) common.MapStr {
 property := getDefaultProperties(f)
 if f.Type != "" {
@@ -172,15 +188,6 @@ func (p *Processor) ip(f *common.Field) common.MapStr {
 func (p *Processor) keyword(f *common.Field) common.MapStr {
 property := getDefaultProperties(f)
- fullName := f.Name
- if f.Path != "" {
- fullName = f.Path + "." + f.Name
- }
-
- if f.Index == nil || (f.Index != nil && *f.Index) {
- defaultFields = append(defaultFields, fullName)
- }
-
 property["type"] = "keyword"
 switch f.IgnoreAbove {
@@ -208,15 +215,6 @@ func (p *Processor) keyword(f *common.Field) common.MapStr {
 func (p *Processor) text(f *common.Field) common.MapStr {
 properties := getDefaultProperties(f)
- fullName := f.Name
- if f.Path != "" {
- fullName = f.Path + "." + f.Name
- }
-
- if f.Index == nil || (f.Index != nil && *f.Index) {
- defaultFields = append(defaultFields, fullName)
- }
-
 properties["type"] = "text"
 if p.EsVersion.IsMajor(2) {
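Review bot: `addToDefaultFields` (hunk `@@ -106,6 +111,17 @@`) is added without a doc comment, and it appends to `defaultFields`, which is referenced without a receiver and so appears to be package-level state shared by every Processor. I would add `// addToDefaultFields records the field's full dotted name in defaultFields unless the field sets index to false.` and say there whether callers must serialise access, since no lock is visible in this hunk. The guard repeats a nil check that short-circuit evaluation already provides; `if f.Index == nil || *f.Index {` is equivalent and easier to read. The hunks at `@@ -172,15 +188,6 @@` and `@@ -208,15 +215,6 @@` only delete the duplicated code; if `keyword()` or `text()` are reached from anywhere other than the switch in Process, those paths no longer register default fields, which is worth a quick check.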