[BUG] type [ip] not supported, cannot convert field

[sbillo]

Describe the bug
Hi, I need to create an Ingest Pipeline where the input data is in this format: “winlog.event_data.DestinationIp”, using the processor convert I should get the format: “destination ip” whose type is: “type”: “ip”, but I get the error: “type [ip] not supported, cannot convert field”, although consulting the Opensearch documentation, the “type”:“ip” is an expected field.

To Reproduce
Place this convert in json pipeline to send to opensearch:

“convert”: {
“field”: “winlog.event_data.DestinationIp”,
“ignore_failure”: true,
“ignore_missing”: true,
“target_field”: “destination.ip”,
“type”: “ip”
}

The error is:

“type”: “parse_exception”,
“reason”: “[type] type [ip] not supported, cannot convert field.”,
“processor_type”: “convert”,
“property_name”: “type”
…

NOTE: if use “string” instead of “ip”, all works fine. But i need “ip” 🥲

[msfroh]

@sbillo, could you please clarify the high-level behavior you're observing and the desired behavior?

My understanding is that the ip field type accepts string values, and indexes them as IP addresses. So, with the string converter, I believe that valid IP addresses should get indexed correctly, if the field mapping specifies that the field has the ip type.

Is your goal to use the convert processor as a way to only do the conversion if the value is a valid IP address? (I'm assuming that's the case, given the "ignore_failure" : true part.) If that's the case, it's a gap in the convert processor that we should fix.

Thanks!

[mingshl]

@sbillo, trying to follow up with the question above?

[sbillo]

Hi msfroh, sorry for the delay in replying.
I confirm that the problem is converting the value into IP address, through the "processor".
Even passing the directive: "ignore_failure" : true, it returns the error: type [ip] not supported.
If I pass the value to the processor and ask for an output string, there are no problems, but I need the parsed field as a real "IP"

[msfroh]

@sbillo What is the field type in your mapping? Did you define a mapping for your index up front or is the goal here to auto-create the field with type IP?

If you pass a string value to a field defined with type IP in the mapping, it should get parsed as an IP value, since that behavior should come from the field type, not the processor. In that case, I don't think a convert processor with type IP would actually do any converting, but rather it could validate that the given input is a valid IP before copying it over to the target field. Functionally, it would behave like the string processor, but with validation.

Sorry for all the questions -- I just want to make sure that we fix this the right way!

[msfroh]

Assuming converting to string works.

@sbillo, please feel free to reopen if you still need something to be able to convert to an ip field.