Add ip fields to default_field in Elasticsearch template (elastic#11035)

Pasting an IP into Kibana's KQL bar currently yields no results - even when there are plenty of documents with that IP. The reason is that IP fields are currently not included in the default_field configuration of the generated template. This adds them. For Auditbeat, this adds 9 fields. For the others, it looks like 16 for Metricbeat, 15 for Filebeat, 17 for Packetbeat. (cherry picked from commit eee127c)
cwurm · Mar 7, 2019 · d99a6f5 · d99a6f5
1 parent 1013672
commit d99a6f5
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 18 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -165,6 +165,7 @@ https://github.com/elastic/beats/compare/v6.6.0...6.x[Check the HEAD diff]
 - Add support for index lifecycle management (beta). {pull}7963[7963]
 - Always include Pod UID as part of Pod metadata. {pull]9517[9517]
 - Release Jolokia autodiscover as GA. {pull}9706[9706]
+- Add ip fields to default_field in Elasticsearch template. {pull}11035[11035]
 
 *Auditbeat*
 

diff --git a/libbeat/template/processor.go b/libbeat/template/processor.go
@@ -99,13 +99,29 @@ func (p *Processor) Process(fields common.Fields, path string, output common.Map
 			mapping = p.other(&field)
 		}
 
+		switch field.Type {
+		case "", "keyword", "text", "ip":
+			addToDefaultFields(&field)
+		}
+
 		if len(mapping) > 0 {
 			output.Put(common.GenerateKey(field.Name), mapping)
 		}
 	}
 	return nil
 }
 
+func addToDefaultFields(f *common.Field) {
+	fullName := f.Name
+	if f.Path != "" {
+		fullName = f.Path + "." + f.Name
+	}
+
+	if f.Index == nil || (f.Index != nil && *f.Index) {
+		defaultFields = append(defaultFields, fullName)
+	}
+}
+
 func (p *Processor) other(f *common.Field) common.MapStr {
 	property := getDefaultProperties(f)
 	if f.Type != "" {
@@ -172,15 +188,6 @@ func (p *Processor) ip(f *common.Field) common.MapStr {
 func (p *Processor) keyword(f *common.Field) common.MapStr {
 	property := getDefaultProperties(f)
 
-	fullName := f.Name
-	if f.Path != "" {
-		fullName = f.Path + "." + f.Name
-	}
-
-	if f.Index == nil || (f.Index != nil && *f.Index) {
-		defaultFields = append(defaultFields, fullName)
-	}
-
 	property["type"] = "keyword"
 
 	switch f.IgnoreAbove {
@@ -208,15 +215,6 @@ func (p *Processor) keyword(f *common.Field) common.MapStr {
 func (p *Processor) text(f *common.Field) common.MapStr {
 	properties := getDefaultProperties(f)
 
-	fullName := f.Name
-	if f.Path != "" {
-		fullName = f.Path + "." + f.Name
-	}
-
-	if f.Index == nil || (f.Index != nil && *f.Index) {
-		defaultFields = append(defaultFields, fullName)
-	}
-
 	properties["type"] = "text"
 
 	if p.EsVersion.IsMajor(2) {