Quick question. If I have a field called like "srcIP" with a value of 1.2.3.4, and sent it to a system like Splunk or Elasticsearch, would it see the srcIP field as a string or as an IP field? Because I would want to ensure that there is a way for the values to be the right type and be converted if a change is needed.
Question
Would my destination see the srcIP field as a string or as an IP field?
It's going to be a string. JSON doesn't have a field type for IP address. String, number, array, boolean
to be clear, this isn't a cribl limitation. There is no way to deliver data to splunk with a field type of IP Address
<@ULBGHDPNY> Is there a way in Cribl to convert that field to type IP for a tool such as Elasticsearch?
there is no such thing
Elastic expects JSON. There is no variable type IP in JSON
<@ULBGHDPNY> then how would you explain the convert command in filebeat to convert to a type of IP? https://www.elastic.co/guide/en/beats/filebeat/current/convert.html
> The `ip` type is effectively an alias for `string`, but with an added validation that the value is an IPv4 or IPv6 address.
You could do a couple of things @wcall_cribl on the Elastic side for this…
Option 1.
You could set srcIP to type IP through the mappings (i.e. component + index template).
https://www.elastic.co/guide/en/elasticsearch/reference/current/index-templates.html
Option 2.
If you don't need to keep the name srcIP and can change the field name to something already defined in ECS like source.ip, then Elasticsearch would read it as an IP. https://www.elastic.co/guide/en/ecs/current/ecs-source.html#field-source-ip
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.