Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ip fields to default_field in Elasticsearch template #11035

Merged
merged 3 commits into from
Mar 7, 2019
Merged

Add ip fields to default_field in Elasticsearch template #11035

merged 3 commits into from
Mar 7, 2019

Conversation

cwurm
Copy link
Contributor

@cwurm cwurm commented Mar 1, 2019

I recently noticed that pasting an IP into Kibana's KQL bar yielded no results - even though there were plenty of documents with that IP. The reason is that IP fields are currently not included in the default_field configuration of the generated template.

I think they should definitely be included, and this adds them.

For Auditbeat, this adds 9 fields. For the others, it looks like 16 for Metricbeat, 15 for Filebeat, 17 for Packetbeat.

/cc @elastic/secops - important for us.

@cwurm cwurm added the review label Mar 1, 2019
@cwurm cwurm requested a review from a team March 1, 2019 21:39
@cwurm cwurm requested a review from a team as a code owner March 1, 2019 21:39
@cwurm cwurm force-pushed the default_fields_include_ip branch from db88fd3 to a33c558 Compare March 1, 2019 21:53
andrewkroh
andrewkroh approved these changes Mar 6, 2019
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@cwurm cwurm merged commit eee127c into elastic:master Mar 7, 2019
@cwurm cwurm deleted the default_fields_include_ip branch March 7, 2019 10:33
@cwurm cwurm mentioned this pull request Mar 7, 2019
Merged
@cwurm cwurm added the v6.7.0 label Mar 7, 2019
cwurm pushed a commit to cwurm/beats that referenced this pull request Mar 7, 2019
Add ip fields to default_field in Elasticsearch template (elastic#11035)
d99a6f5 
Pasting an IP into Kibana's KQL bar currently yields no results - even when there are plenty of documents with that IP. The reason is that IP fields are currently not included in the default_field configuration of the generated template.

This adds them.

For Auditbeat, this adds 9 fields. For the others, it looks like 16 for Metricbeat, 15 for Filebeat, 17 for Packetbeat.

(cherry picked from commit eee127c)
cwurm pushed a commit to cwurm/beats that referenced this pull request Mar 7, 2019
Add ip fields to default_field in Elasticsearch template (elastic#11035)
3ea9cd2 
Pasting an IP into Kibana's KQL bar currently yields no results - even when there are plenty of documents with that IP. The reason is that IP fields are currently not included in the default_field configuration of the generated template.

This adds them.

For Auditbeat, this adds 9 fields. For the others, it looks like 16 for Metricbeat, 15 for Filebeat, 17 for Packetbeat.

(cherry picked from commit eee127c)
@cwurm cwurm mentioned this pull request Mar 7, 2019
Merged
@cwurm cwurm added the v7.0.0 label Mar 7, 2019
cwurm pushed a commit to cwurm/beats that referenced this pull request Mar 7, 2019
Add ip fields to default_field in Elasticsearch template (elastic#11035)
3a49524 
Pasting an IP into Kibana's KQL bar currently yields no results - even when there are plenty of documents with that IP. The reason is that IP fields are currently not included in the default_field configuration of the generated template.

This adds them.

For Auditbeat, this adds 9 fields. For the others, it looks like 16 for Metricbeat, 15 for Filebeat, 17 for Packetbeat.

(cherry picked from commit eee127c)
@cwurm cwurm mentioned this pull request Mar 7, 2019
Closed
@cwurm cwurm added the v7.2.0 label Mar 7, 2019
cwurm pushed a commit that referenced this pull request Mar 11, 2019
Add ip fields to default_field in Elasticsearch template (#11035) (#1…
1a51f11 
…1128)

Pasting an IP into Kibana's KQL bar currently yields no results - even when there are plenty of documents with that IP. The reason is that IP fields are currently not included in the default_field configuration of the generated template.

This adds them.

For Auditbeat, this adds 9 fields. For the others, it looks like 16 for Metricbeat, 15 for Filebeat, 17 for Packetbeat.

(cherry picked from commit eee127c)
cwurm pushed a commit that referenced this pull request Mar 11, 2019
Add ip fields to default_field in Elasticsearch template (#11035) (#1…
c4a5799 
…1129)

Pasting an IP into Kibana's KQL bar currently yields no results - even when there are plenty of documents with that IP. The reason is that IP fields are currently not included in the default_field configuration of the generated template.

This adds them.

For Auditbeat, this adds 9 fields. For the others, it looks like 16 for Metricbeat, 15 for Filebeat, 17 for Packetbeat.

(cherry picked from commit eee127c)
@cwurm cwurm mentioned this pull request Mar 22, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
review v6.7.0 v7.0.0 v7.2.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cwurm @andrewkroh