Would my destination see the srcIP field as a string or as an IP field?

wcall_cribl

Quick question. If I have a field called like "srcIP" with a value of 1.2.3.4, and sent it to a system like Splunk or Elasticsearch, would it see the srcIP field as a string or as an IP field? Because I would want to ensure that there is a way for the values to be the right type and be converted if a change is needed.

Jon Rust

It's going to be a string. JSON doesn't have a field type for IP address. String, number, array, boolean

Jon Rust

to be clear, this isn't a cribl limitation. There is no way to deliver data to splunk with a field type of IP Address

wcall_cribl

<@ULBGHDPNY&gt; Is there a way in Cribl to convert that field to type IP for a tool such as Elasticsearch?

wcall_cribl

So when it gets sent to ES, it would see it as an IP type

Jon Rust

there is no such thing

Jon Rust

Elastic expects JSON. There is no variable type IP in JSON

wcall_cribl

<@ULBGHDPNY&gt; then how would you explain the convert command in filebeat to convert to a type of IP? https://www.elastic.co/guide/en/beats/filebeat/current/convert.html

Jon Rust

> The `ip` type is effectively an alias for `string`, but with an added validation that the value is an IPv4 or IPv6 address.

itsjustjordyn

You could do a couple of things @wcall_cribl on the Elastic side for this…

Option 1.

You could set srcIP to type IP through the mappings (i.e. component + index template).

https://www.elastic.co/guide/en/elasticsearch/reference/current/index-templates.html

Option 2.

If you don't need to keep the name srcIP and can change the field name to something already defined in ECS like source.ip, then Elasticsearch would read it as an IP. https://www.elastic.co/guide/en/ecs/current/ecs-source.html#field-source-ip