From eee127cb59b56f2ed7c7e317398c3f79c4158216 Mon Sep 17 00:00:00 2001 From: Christoph Wurm Date: Thu, 7 Mar 2019 10:33:23 +0000 Subject: [PATCH] Add ip fields to default_field in Elasticsearch template (#11035) Pasting an IP into Kibana's KQL bar currently yields no results - even when there are plenty of documents with that IP. The reason is that IP fields are currently not included in the default_field configuration of the generated template. This adds them. For Auditbeat, this adds 9 fields. For the others, it looks like 16 for Metricbeat, 15 for Filebeat, 17 for Packetbeat. --- CHANGELOG.next.asciidoc | 1 + libbeat/template/processor.go | 34 ++++++++++++++++------------------ 2 files changed, 17 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b2771c3c828..5e84f26b27a 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -231,6 +231,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add if/then/else support to processors. {pull}10744[10744] - Add `community_id` processor for computing network flow hashes. {pull}10745[10745] - Add output test to kafka output {pull}10834[10834] +- Add ip fields to default_field in Elasticsearch template. {pull}11035[11035] *Auditbeat* diff --git a/libbeat/template/processor.go b/libbeat/template/processor.go index b4f6a04c0e8..4e25bcec03f 100644 --- a/libbeat/template/processor.go +++ b/libbeat/template/processor.go @@ -100,6 +100,11 @@ func (p *Processor) Process(fields common.Fields, path string, output common.Map mapping = p.other(&field) } + switch field.Type { + case "", "keyword", "text", "ip": + addToDefaultFields(&field) + } + if len(mapping) > 0 { output.Put(common.GenerateKey(field.Name), mapping) } @@ -107,6 +112,17 @@ func (p *Processor) Process(fields common.Fields, path string, output common.Map return nil } +func addToDefaultFields(f *common.Field) { + fullName := f.Name + if f.Path != "" { + fullName = f.Path + "." + f.Name + } + + if f.Index == nil || (f.Index != nil && *f.Index) { + defaultFields = append(defaultFields, fullName) + } +} + func (p *Processor) other(f *common.Field) common.MapStr { property := getDefaultProperties(f) if f.Type != "" { @@ -173,15 +189,6 @@ func (p *Processor) ip(f *common.Field) common.MapStr { func (p *Processor) keyword(f *common.Field) common.MapStr { property := getDefaultProperties(f) - fullName := f.Name - if f.Path != "" { - fullName = f.Path + "." + f.Name - } - - if f.Index == nil || (f.Index != nil && *f.Index) { - defaultFields = append(defaultFields, fullName) - } - property["type"] = "keyword" switch f.IgnoreAbove { @@ -209,15 +216,6 @@ func (p *Processor) keyword(f *common.Field) common.MapStr { func (p *Processor) text(f *common.Field) common.MapStr { properties := getDefaultProperties(f) - fullName := f.Name - if f.Path != "" { - fullName = f.Path + "." + f.Name - } - - if f.Index == nil || (f.Index != nil && *f.Index) { - defaultFields = append(defaultFields, fullName) - } - properties["type"] = "text" if p.EsVersion.IsMajor(2) {