Graylog2/graylog-s3-lambda

Cloudflare IP fields are set as string instead of IP

joberthar opened this issue · 1 comments

When Cloudflare logs are ingested through the Lambda function, the ClientIP, EdgeServerIP, and OriginIP fields are brought in as a string instead of an IP address. This means that the field cannot be queried as an IP address, and so it prevents using CIDR notation in the query, e.g., ClientIP:(172.16.0.0\/12)

The Lambda function should be updated to set the string to an IP.

Hi!

The function sends GELF and it has no concept of data types at the moment.
In order to force the field into an IP address, you probably need to create a custom index mapping template for them.
I don't believe the S3 lambda can do anything about it, but I'll leave it open just in case someone has a different solution.
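
The custom index mapping suggested in the comment above could look like the following request body for Elasticsearch's legacy index template API (sent as PUT _template/graylog-custom-mapping). This is an added example, not taken from the issue or from the project; the template name, the default graylog_* index pattern and the Elasticsearch 7.x typeless mapping syntax are assumptions.

```json
{
  "index_patterns": ["graylog_*"],
  "mappings": {
    "_meta": {
      "note": "Added example: index pattern and ES 7.x mapping syntax are assumptions"
    },
    "properties": {
      "ClientIP":     { "type": "ip" },
      "EdgeServerIP": { "type": "ip" },
      "OriginIP":     { "type": "ip" }
    }
  }
}
```

A template only applies to indices created after it is installed, so rotate the active write index before retrying the CIDR query. The ip type rejects values that are not valid IP literals, so check whether any of the three fields can arrive empty.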