For an ELK setup (Kibana is v3) I feed logs from some firewalls, and the src_ip/dst_ip fields are defined as type "ip", e.g.:
    "dst_ip" : {"type" : "ip"}
Mappings are also correct:
    curl -XGET http://localhost:9200/logstash-2015.03.10/_mapping/field/src_ip?pretty
    {
      "logstash-2015.03.10" : {
        "mappings" : {
          "screenos" : {
            "src_ip" : {
              "full_name" : "src_ip",
              "mapping" : {"src_ip" : {"type" : "ip"}}
            }
          },
          "cisco-fw" : {
            "src_ip" : {
              "full_name" : "src_ip",
              "mapping" : {"src_ip" : {"type" : "ip"}}
            }
          },
          "checkpoint" : {
            "src_ip" : {
              "full_name" : "src_ip",
              "mapping" : {"src_ip" : {"type" : "ip"}}
            }
          }
        }
      }
    }
The problem is that in any Terms panel where I want to display the top N SRC/DST IP addresses, I get the int/long representation instead of the dotted decimal representation of the IP address.
E.g., instead of 192.168.66.6 it shows 3232252422.
Is there any workaround to fix this in Kibana v3 or v4?
Thanks, Adam
This is because 'ip' is stored internally as a number. In order to have a string version of the ip address, you need to add it to the mapping and then use ip.raw in your panel:
    "MY_FIELD" : {
      "index" : "analyzed",
      "type" : "ip",
      "fields" : {
        "raw" : {
          "index" : "not_analyzed",
          "type" : "string"
        }
      }
    }
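As an added illustration (not code from the thread or from Elasticsearch/Kibana), the snippet below builds an Elasticsearch 1.x index template that gives src_ip/dst_ip the "ip" type plus the not_analyzed "raw" string sub-field from the answer, checks a `_mapping/field` response like the one in the question for types that still lack the sub-field, and converts the long value Kibana shows back to dotted decimal. The template name, the "dst_ip" field and the sample response are assumptions constructed from the question.

```python
import json
import ipaddress

FIREWALL_TYPES = ["screenos", "cisco-fw", "checkpoint"]  # document types from the question
IP_FIELDS = ["src_ip", "dst_ip"]                           # assumed field names

def ip_field_mapping():
    """Numeric 'ip' for range queries plus a not_analyzed string copy
    (field.raw) that a Kibana Terms panel can display as dotted decimal."""
    return {
        "type": "ip",
        "fields": {"raw": {"type": "string", "index": "not_analyzed"}},
    }

def build_template(pattern="logstash-*"):
    """Index template applying the multi-field mapping to every firewall type."""
    mappings = {t: {"properties": {f: ip_field_mapping() for f in IP_FIELDS}}
                for t in FIREWALL_TYPES}
    return {"template": pattern, "mappings": mappings}

def types_missing_raw(field_response, field):
    """Given the JSON of GET /<index>/_mapping/field/<field>, return the
    document types in which <field> has no 'raw' sub-field yet."""
    missing = []
    for index in field_response.values():
        for doc_type, fields in index["mappings"].items():
            mapping = fields[field]["mapping"][field]
            if "raw" not in mapping.get("fields", {}):
                missing.append(doc_type)
    return sorted(missing)

def long_to_dotted(value):
    """Turn the integer Kibana shows (e.g. 3232252422) back into dotted decimal."""
    return str(ipaddress.IPv4Address(value))

# Constructed copy of the question's _mapping/field output (no .raw sub-field yet).
SAMPLE_FIELD_RESPONSE = {
    "logstash-2015.03.10": {"mappings": {
        t: {"src_ip": {"full_name": "src_ip",
                       "mapping": {"src_ip": {"type": "ip"}}}}
        for t in FIREWALL_TYPES}}}

if __name__ == "__main__":
    print(json.dumps(build_template(), indent=2))
    print("types missing src_ip.raw:", types_missing_raw(SAMPLE_FIELD_RESPONSE, "src_ip"))
    print(long_to_dotted(3232252422))
```

The printed template body is what you would PUT to `/_template/<name>` before the next daily index is created; existing indices keep their old mapping and need a reindex.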