From c4a5799f50329cfbba815788840be84a4f1964c8 Mon Sep 17 00:00:00 2001
From: Christoph Wurm
Date: Mon, 11 Mar 2019 16:08:07 +0000
Subject: [PATCH] Add ip fields to default_field in Elasticsearch template (#11035) (#11129)

Pasting an IP into Kibana's KQL bar currently yields no results - even when there are plenty of documents with that IP. The reason is that IP fields are currently not included in the default_field configuration of the generated template. This adds them. For Auditbeat, this adds 9 fields. For the others, it looks like 16 for Metricbeat, 15 for Filebeat, 17 for Packetbeat. (cherry picked from commit eee127cb59b56f2ed7c7e317398c3f79c4158216)
---
 CHANGELOG.next.asciidoc | 2 ++
 libbeat/template/processor.go | 34 ++++++++++++++++------------------
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 9663f3fb387..8209ff6dad4 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -94,6 +94,8 @@ https://github.com/elastic/beats/compare/v7.0.0-beta1...master[Check the HEAD di
 
 *Affecting all Beats*
 
+- Add ip fields to default_field in Elasticsearch template. {pull}11035[11035]
+
 *Auditbeat*
 
 - Move System module to beta. {pull}10800[10800]
diff --git a/libbeat/template/processor.go b/libbeat/template/processor.go
index b4f6a04c0e8..4e25bcec03f 100644
--- a/libbeat/template/processor.go
+++ b/libbeat/template/processor.go
@@ -100,6 +100,11 @@ func (p *Processor) Process(fields common.Fields, path string, output common.Map
 mapping = p.other(&field)
 }
 
+ switch field.Type {
+ case "", "keyword", "text", "ip":
+ addToDefaultFields(&field)
+ }
+
 if len(mapping) > 0 {
 output.Put(common.GenerateKey(field.Name), mapping)
 }
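Review bot: The type list in the added `switch field.Type` block in `Process` is a second, hand-maintained copy of which field types are searchable, separate from the mapping switch that closes just above it, and the patch adds no test for it (the diffstat touches only the changelog and processor.go). A type left out of this list produces no error, only empty results for a bare search term, which is the symptom this commit fixes for `ip`, so an analyst pasting an address during triage cannot tell a miss from a gap in the template. I would add a comment above the switch, `// Types whose values can match a bare query term; keep in sync with the mapping switch above.`, and a unit test asserting that an `ip` field with `Index` unset lands in `defaultFields` while one with `Index` set to false does not. `Process` starts and ends outside this hunk, so whether every `""`-typed field reaching this point is a leaf field should be confirmed against the full function.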
@@ -107,6 +112,17 @@ func (p *Processor) Process(fields common.Fields, path string, output common.Map
 return nil
 }
 
+func addToDefaultFields(f *common.Field) {
+ fullName := f.Name
+ if f.Path != "" {
+ fullName = f.Path + "." + f.Name
+ }
+
+ if f.Index == nil || (f.Index != nil && *f.Index) {
+ defaultFields = append(defaultFields, fullName)
+ }
+}
+
 func (p *Processor) other(f *common.Field) common.MapStr {
 property := getDefaultProperties(f)
 if f.Type != "" {
@@ -173,15 +189,6 @@ func (p *Processor) ip(f *common.Field) common.MapStr {
 func (p *Processor) keyword(f *common.Field) common.MapStr {
 property := getDefaultProperties(f)
 
- fullName := f.Name
- if f.Path != "" {
- fullName = f.Path + "." + f.Name
- }
-
- if f.Index == nil || (f.Index != nil && *f.Index) {
- defaultFields = append(defaultFields, fullName)
- }
-
 property["type"] = "keyword"
 
 switch f.IgnoreAbove {
@@ -209,15 +216,6 @@ func (p *Processor) keyword(f *common.Field) common.MapStr {
 func (p *Processor) text(f *common.Field) common.MapStr {
 properties := getDefaultProperties(f)
 
- fullName := f.Name
- if f.Path != "" {
- fullName = f.Path + "." + f.Name
- }
-
- if f.Index == nil || (f.Index != nil && *f.Index) {
- defaultFields = append(defaultFields, fullName)
- }
-
 properties["type"] = "text"
 
 if p.EsVersion.IsMajor(2) {
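Review bot: `addToDefaultFields` in the `@@ -107,6 +112,17 @@` hunk appends to `defaultFields`, which is not declared in the function and so has to be package-level state, but it has no doc comment saying so and nothing visible resets or de-duplicates the slice. Whether `Process` can run more than once per process or from several goroutines is not visible here and should be checked, since repeated runs would grow the list. The guard can be shortened to `if f.Index == nil || *f.Index {`, as the first operand already covers the nil case. Because the two later hunks remove the append from `keyword` and `text`, any caller of those helpers other than the switch in `Process` stops contributing to `default_field`; if such callers exist elsewhere in the file, confirm that is intended. Suggested doc comment: `// addToDefaultFields appends f's dotted full name to the package-level defaultFields slice unless f.Index is explicitly false.`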