Description
The default Elasticsearch index templates, and all templates used for ECS and our packages, have dynamic field mappings that map strings to keywords by default if the value is not a number or date. Unfortunately this converts all ip addresses to keywords too. It would be great if Elasticsearch could also detect the format of ip addresses (ipv4, ipv6) and automatically map them.
This solves a problem we currently have with the Elastic Agent. Based on which environment the Agent runs in, additional metadata is attached to the events. This can be information about k8s, docker, host, cloud and is used to identify where the event originated. All these fields are keywords, with a few ip addresses among them. We know the exact fields that will show up and could map everything in advance, but that would bloat the mapping of every single dataset with all possible options even though in most cases only one is needed.
If Elasticsearch detected ip addresses, we could skip all these mappings and just let Elasticsearch put the correct mappings into place when they are needed. This way, each dataset only contains the mappings that are required, not those for all metadata.
This is how the dynamic_templates entry looks today:
"dynamic_templates": [
  {
    "strings_as_keyword": {
      "mapping": {
        "ignore_above": 1024,
        "type": "keyword"
      },
      "match_mapping_type": "string"
    }
  }
],
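Until Elasticsearch can detect ip-formatted strings, the closest workaround is name-based matching, which is what the added example below shows (it is not part of the issue or of any Elastic package). It relies on the ECS convention that ip-valued fields end in ".ip" (host.ip, source.ip, destination.ip, ...) and on the fact that dynamic templates are evaluated in order with the first match winning, so the ip template must come before strings_as_keyword:

```json
{
  "mappings": {
    "dynamic_templates": [
      {
        "ip_fields_by_name": {
          "match_mapping_type": "string",
          "match": "*.ip",
          "mapping": {
            "type": "ip"
          }
        }
      },
      {
        "strings_as_keyword": {
          "match_mapping_type": "string",
          "mapping": {
            "ignore_above": 1024,
            "type": "keyword"
          }
        }
      }
    ]
  }
}
```

A field matched by the first template that carries a string which is not a valid ip address causes the whole document to be rejected at index time unless the ip mapping also sets "ignore_malformed": true, so only use a name pattern you know is reserved for addresses (ECS "*.address" fields, for example, may hold hostnames and must stay keyword).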