From 3a495245166c45d7fef19ffdbf5d8823ea3ca278 Mon Sep 17 00:00:00 2001
From: Christoph Wurm
Date: Thu, 7 Mar 2019 10:33:23 +0000
Subject: [PATCH] Add ip fields to default_field in Elasticsearch template (#11035)

Pasting an IP into Kibana's KQL bar currently yields no results - even when there are plenty of documents with that IP. The reason is that IP fields are currently not included in the default_field configuration of the generated template. This adds them. For Auditbeat, this adds 9 fields. For the others, it looks like 16 for Metricbeat, 15 for Filebeat, 17 for Packetbeat.

(cherry picked from commit eee127cb59b56f2ed7c7e317398c3f79c4158216)
---
 CHANGELOG.next.asciidoc | 1 +
 libbeat/template/processor.go | 34 ++++++++++++++++------------------
 2 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 4af319f78c1..b922c58f655 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -245,6 +245,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add `overwrite` and `check_exists` settings to ILM support. {pull}10347[10347]
 - Generate Kibana index pattern on demand instead of using a local file. {pull}10478[10478]
 - Calls to Elasticsearch X-Pack APIs made by Beats won't cause deprecation logs in Elasticsearch logs. {9656}9656[9656]
+- Add ip fields to default_field in Elasticsearch template. {pull}11035[11035]
 
 *Auditbeat*
 
diff --git a/libbeat/template/processor.go b/libbeat/template/processor.go
index b4f6a04c0e8..4e25bcec03f 100644
--- a/libbeat/template/processor.go
+++ b/libbeat/template/processor.go
@@ -100,6 +100,11 @@ func (p *Processor) Process(fields common.Fields, path string, output common.Map
 mapping = p.other(&field)
 }
 
+ switch field.Type {
+ case "", "keyword", "text", "ip":
+ addToDefaultFields(&field)
+ }
+
 if len(mapping) > 0 {
 output.Put(common.GenerateKey(field.Name), mapping)
 }
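Review bot: The new `switch field.Type` in Process (hunk -100,6 +100,11) is not covered by any test in this patch; the diffstat lists only CHANGELOG.next.asciidoc and libbeat/template/processor.go. A table test should pin that an `ip` field ends up in the default-field list and that a field whose `Index` is explicitly false does not, otherwise a later edit to either switch silently changes which fields a free-text search covers. The case list is also a second hand-maintained list of types beside the mapping switch that ends at `mapping = p.other(&field)`; a comment such as `// Types searched by free-text queries; keep in sync with the mapping switch above.` would make that coupling visible. The loop and the function body start outside the hunk. It may also be worth confirming that a search term that is not an IP address is still accepted once ip-typed fields are part of default_field.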
@@ -107,6 +112,17 @@ func (p *Processor) Process(fields common.Fields, path string, output common.Map
 return nil
 }
 
+func addToDefaultFields(f *common.Field) {
+ fullName := f.Name
+ if f.Path != "" {
+ fullName = f.Path + "." + f.Name
+ }
+
+ if f.Index == nil || (f.Index != nil && *f.Index) {
+ defaultFields = append(defaultFields, fullName)
+ }
+}
+
 func (p *Processor) other(f *common.Field) common.MapStr {
 property := getDefaultProperties(f)
 if f.Type != "" {
@@ -173,15 +189,6 @@ func (p *Processor) ip(f *common.Field) common.MapStr {
 func (p *Processor) keyword(f *common.Field) common.MapStr {
 property := getDefaultProperties(f)
 
- fullName := f.Name
- if f.Path != "" {
- fullName = f.Path + "." + f.Name
- }
-
- if f.Index == nil || (f.Index != nil && *f.Index) {
- defaultFields = append(defaultFields, fullName)
- }
-
 property["type"] = "keyword"
 
 switch f.IgnoreAbove {
@@ -209,15 +216,6 @@ func (p *Processor) keyword(f *common.Field) common.MapStr {
 func (p *Processor) text(f *common.Field) common.MapStr {
 properties := getDefaultProperties(f)
 
- fullName := f.Name
- if f.Path != "" {
- fullName = f.Path + "." + f.Name
- }
-
- if f.Index == nil || (f.Index != nil && *f.Index) {
- defaultFields = append(defaultFields, fullName)
- }
-
 properties["type"] = "text"
 
 if p.EsVersion.IsMajor(2) {
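Review bot: addToDefaultFields (hunk -107,6 +112,17) appends to `defaultFields`, which is declared outside the patch and looks like package-level state, so the list it builds depends on every earlier Process call and the append is unsynchronized. If templates can be generated more than once or concurrently, entries would repeat or race; that is worth confirming, and the function should at least carry a doc comment, e.g. `// addToDefaultFields records the field's full dotted name in defaultFields unless Index is explicitly false.` The guard can also be shortened to `if f.Index == nil || *f.Index {`, since the right-hand operand is only evaluated when `f.Index` is non-nil.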