Default Template Mappings for IP fields are keyword type

[mhunsber]

A lot of beats modules load templates into elasticsearch that map IP fields to the keyword datatype
they should probably use the ip datatype to make use of the subnet search.

for example:

• filebeat iis and apache2 modules,
• packetbeat common fields

a module that does map an ip field to the ip datatype is heartbeat's monitor.ip field.

discussion: https://discuss.elastic.co/t/beats-default-template-mappings-for-ip-fields/142644

[exekias]

As this is a breaking change, I listed it in the list of changes for 7.0. We should also check ip fields in Metricbeat

[elasticmachine]

Pinging @elastic/infrastructure

[webmat]

Note that a lot of IP fields will be moving to the ip datatype with the migration to ECS already, in 7.0.

The reason why many IP fields are keyword is that in some cases, the remote address can be a name instead of an IP (Apache httpd, when HostnameLookups is On), or a Unix socket name (nginx, HAProxy).

With the introduction of the canonical IP fields, this value will be copied to source.ip (only when it's an IP), which will be of datatype ip.

I suggest we close this issue, as this will be addressed across the board with the ECS migration. @mhunsber you can check out master issue #8655, to see the progress on the modules and Beats you care about :-)

In the meantime, if you really care about getting the ip datatype in 6.x, you can use ingest pipeline or a Beat processor to copy the value to another field that you've defined to be ip in your index template.

[mhunsber]

Sounds good to me.

[ruflin]

@webmat I think we should still go through the list of fields especially in packetbeat to double check we don't have any leftovers. @andrewkroh Perhaps you can take this on?

[andrewkroh]

I have changed the type of the IP fields in #9303 (not merged yet).