Adding Location Map to Kibana 6

Hi,
I've installed Elastic Stack 6, it monitors a number of servers via Metricbeat and Filebeat (IHS/apache access and error logs). Everything works ok, except for setting up a coordinate map based on the IP address in the IHS/apache access logs.

I created a new mapping containing the geo_point type, but this conflicted with my existing mapping and I ended up in a pickle this morning when logstash wouldn't index because there were two mapping types. I think that I've rectified this conflict now, but I'm back to my original problem of not having geo_point type in my default mapping.

I'm new to Elastic Stack, but from what I've read I understand that I will have to remove existing index files - that's fine. I'm guessing that I somehow need to add the geo_point type to the default template.

This is the snippet from my /etc/logstash/conf.d/12-apache.conf:-1:
geoip {
source => "clientip"
target => "geoip"
database => "/etc/logstash/GeoLite2-City_20171107/GeoLite2-City.mmdb"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float"]
}

Thanks, Steve.

Regarding the logstash side, the second add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ] will overwrite the first.

Is this your intention?

This blog post from Aaron (ex Logstash, now in Consulting) explains everything IMO. https://www.elastic.co/blog/logstash_lesson_elasticsearch_mapping

And this setting in the Elasticsearch output might help too.
https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-manage_template

Thanks for the info. I think that the add_field has been a case of copying something without understanding what is was doing or if it was correct

I'll have a read of the links.

Thanks, Steve.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.