Graylog2 / graylog-s3-lambda

An AWS Lambda function that reads logs from S3 and sends them to Graylog
GNU General Public License v3.0

Cloudflare IP fields are set as string instead of IP #21

Open ghost opened 3 years ago

ghost commented 3 years ago

When Cloudflare logs are ingested through the Lambda function, the ClientIP, EdgeServerIP, and OriginIP fields are brought in as a string instead of an IP address. This means that the field cannot be queried as an IP address, and so it prevents using CIDR notation in the query, e.g., ClientIP:(172.16.0.0\/12)

The Lambda function should be updated to set the string to an IP.

kroepke commented 3 years ago

Hi!

The function sends GELF and it has no concept of data types at the moment. In order to force the field into an IP address, you probably need to create a custom index mapping template for them. I don't believe the S3 lambda can do anything about it, but I'll leave it open just in case someone has a different solution.
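The custom index mapping template kroepke describes, as an added example that is not part of the graylog-s3-lambda project: it builds the template body for the three fields named in the issue and checks, before the template is applied, that the values the Lambda will emit actually parse as IP addresses, because a field mapped as `ip` makes Elasticsearch reject any whole document whose value is not a valid address. The `graylog_*` index prefix and the Elasticsearch 7 legacy `_template` body shape are assumptions.

```python
# Added example, not project code: build the custom mapping template for the
# Cloudflare IP fields and pre-check sample values against an "ip" mapping.
import ipaddress
import json

# Field names come from the issue; the index pattern and the Elasticsearch 7
# legacy _template format (no mapping type name) are assumptions.
IP_FIELDS = ("ClientIP", "EdgeServerIP", "OriginIP")


def build_mapping_template(fields=IP_FIELDS, index_pattern="graylog_*"):
    """Return the body to PUT to /_template/graylog-custom-mapping."""
    return {
        "template": index_pattern,
        "mappings": {
            "properties": {name: {"type": "ip"} for name in fields}
        },
    }


def check_ip_fields(record, fields=IP_FIELDS):
    """Return the names of fields whose value would fail an "ip" mapping.

    A missing field is fine (Elasticsearch just leaves it unset); an empty
    string or a placeholder such as "-" is not, and would make the whole
    message unindexable once the template is in place.
    """
    bad = []
    for name in fields:
        if name not in record:
            continue
        try:
            ipaddress.ip_address(record[name])  # accepts IPv4 and IPv6
        except ValueError:
            bad.append(name)
    return bad


if __name__ == "__main__":
    # Constructed sample in the shape of a Cloudflare log record.
    sample = {
        "ClientIP": "203.0.113.7",
        "EdgeServerIP": "2001:db8::1",
        "OriginIP": "",
        "ClientRequestHost": "example.com",
    }
    print(json.dumps(build_mapping_template(), indent=2))
    print("fields that would be rejected:", check_ip_fields(sample))
```

The template only affects indices created after it is loaded, so the index set has to be rotated before CIDR queries such as `ClientIP:172.16.0.0/12` start matching.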