Add ip fields to default_field in Elasticsearch template (elastic#11035…

…) (elastic#11129) Pasting an IP into Kibana's KQL bar currently yields no results - even when there are plenty of documents with that IP. The reason is that IP fields are currently not included in the default_field configuration of the generated template. This adds them. For Auditbeat, this adds 9 fields. For the others, it looks like 16 for Metricbeat, 15 for Filebeat, 17 for Packetbeat. (cherry picked from commit eee127c)
cwurm · Mar 11, 2019 · c4a5799 · c4a5799
1 parent 715ab16
commit c4a5799
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 18 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -94,6 +94,8 @@ https://github.com/elastic/beats/compare/v7.0.0-beta1...master[Check the HEAD di
 
 *Affecting all Beats*
 
+- Add ip fields to default_field in Elasticsearch template. {pull}11035[11035]
+
 *Auditbeat*
 
 - Move System module to beta. {pull}10800[10800]

diff --git a/libbeat/template/processor.go b/libbeat/template/processor.go
@@ -100,13 +100,29 @@ func (p *Processor) Process(fields common.Fields, path string, output common.Map
 			mapping = p.other(&field)
 		}
 
+		switch field.Type {
+		case "", "keyword", "text", "ip":
+			addToDefaultFields(&field)
+		}
+
 		if len(mapping) > 0 {
 			output.Put(common.GenerateKey(field.Name), mapping)
 		}
 	}
 	return nil
 }
 
+func addToDefaultFields(f *common.Field) {
+	fullName := f.Name
+	if f.Path != "" {
+		fullName = f.Path + "." + f.Name
+	}
+
+	if f.Index == nil || (f.Index != nil && *f.Index) {
+		defaultFields = append(defaultFields, fullName)
+	}
+}
+
 func (p *Processor) other(f *common.Field) common.MapStr {
 	property := getDefaultProperties(f)
 	if f.Type != "" {
@@ -173,15 +189,6 @@ func (p *Processor) ip(f *common.Field) common.MapStr {
 func (p *Processor) keyword(f *common.Field) common.MapStr {
 	property := getDefaultProperties(f)
 
-	fullName := f.Name
-	if f.Path != "" {
-		fullName = f.Path + "." + f.Name
-	}
-
-	if f.Index == nil || (f.Index != nil && *f.Index) {
-		defaultFields = append(defaultFields, fullName)
-	}
-
 	property["type"] = "keyword"
 
 	switch f.IgnoreAbove {
@@ -209,15 +216,6 @@ func (p *Processor) keyword(f *common.Field) common.MapStr {
 func (p *Processor) text(f *common.Field) common.MapStr {
 	properties := getDefaultProperties(f)
 
-	fullName := f.Name
-	if f.Path != "" {
-		fullName = f.Path + "." + f.Name
-	}
-
-	if f.Index == nil || (f.Index != nil && *f.Index) {
-		defaultFields = append(defaultFields, fullName)
-	}
-
 	properties["type"] = "text"
 
 	if p.EsVersion.IsMajor(2) {