ASA MAP geo_point


(Mike Methe) #1

I am trying to create a tile map of a cisco-fw index.

This is the error:

These are the fields I can see (I think):


(Mark Walkom) #2

How are the fields mapped?


(Mike Methe) #3

Thanks for the reply.

I am not sure how to determine that. Kind of new.

I guess I would need to determine:

  1. does the field exist
  2. is the coordinate field mapped to the correct field

Am I on the right track? Any guidance on determining these items?

Thanks
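The two checks listed above (does the field exist, and is it mapped as the coordinate type the tile map needs) can both be answered from the index's `_mapping` response. The script below is an added example for this thread, not code from any of the posts; the index names, the type name `cisco-fw` and the sample mapping are constructed to mirror a Logstash `geoip` filter writing into daily `cisco-fw-*` indices. It walks the Elasticsearch 2.x response shape (index -> mappings -> type -> properties) and reports, per index, whether `geoip.location` is a `geo_point`, is missing, or was dynamically mapped as something else (the usual symptom when no template matched the index at creation time).

```python
"""Check whether a field in an Elasticsearch index mapping is a geo_point.

Added example for this discussion thread; not code from the original posts.
Index names, the type name and the sample mapping are constructed.
"""
import json
import urllib.request  # used only by fetch_mapping(); the checks below run offline

# Constructed sample of what GET /cisco-fw-*/_mapping returns (Elasticsearch 2.x
# shape). The first index had a template applied; the second was created by
# dynamic mapping, so the [lon, lat] array from geoip became plain doubles.
SAMPLE_MAPPINGS = json.loads("""
{
  "cisco-fw-2017.01.24": {
    "mappings": {
      "cisco-fw": {
        "properties": {
          "@timestamp": {"type": "date"},
          "geoip": {
            "properties": {
              "ip": {"type": "ip"},
              "location": {"type": "geo_point"},
              "latitude": {"type": "float"},
              "longitude": {"type": "float"}
            }
          }
        }
      }
    }
  },
  "cisco-fw-2017.01.10": {
    "mappings": {
      "cisco-fw": {
        "properties": {
          "@timestamp": {"type": "date"},
          "geoip": {
            "properties": {
              "ip": {"type": "string"},
              "location": {"type": "double"},
              "latitude": {"type": "double"},
              "longitude": {"type": "double"}
            }
          }
        }
      }
    }
  }
}
""")


def field_mapping(mappings, index, dotted_path):
    """Return the mapping dict for dotted_path (e.g. 'geoip.location') in index,
    or None if no mapping type in that index defines the field."""
    types = mappings.get(index, {}).get("mappings", {})
    for type_mapping in types.values():
        node = type_mapping
        found = True
        for part in dotted_path.split("."):
            props = node.get("properties", {})
            if part not in props:
                found = False
                break
            node = props[part]
        if found:
            return node
    return None


def is_geo_point(mappings, index, dotted_path="geoip.location"):
    """True only when the field exists AND is mapped as geo_point."""
    m = field_mapping(mappings, index, dotted_path)
    return m is not None and m.get("type") == "geo_point"


def check_indices(mappings, dotted_path="geoip.location"):
    """Map every index in the response to 'geo_point', 'missing' or 'wrong:<type>'."""
    result = {}
    for index in mappings:
        m = field_mapping(mappings, index, dotted_path)
        if m is None:
            result[index] = "missing"
        elif m.get("type") == "geo_point":
            result[index] = "geo_point"
        else:
            result[index] = "wrong:" + str(m.get("type"))
    return result


def fetch_mapping(base_url, index_pattern):
    """Same check against a live cluster, e.g. fetch_mapping('http://localhost:9200', 'cisco-fw-*')."""
    with urllib.request.urlopen(f"{base_url}/{index_pattern}/_mapping") as resp:
        return json.load(resp)


if __name__ == "__main__":
    for index, status in sorted(check_indices(SAMPLE_MAPPINGS).items()):
        print(f"{index}: geoip.location is {status}")
```

Run it against a live cluster with `check_indices(fetch_mapping("http://localhost:9200", "cisco-fw-*"))`; any index reported as `missing` or `wrong:...` will never show up on a tile map, because a mapping cannot be changed on an existing index and only indices created after a matching template is in place get the `geo_point` type.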


(Mike Methe) #4

Would this work going forward?

copy elasticsearch-template.json
alter "template" : "logstash-*"
to
"template" : "cisco-fw*"

If geo_point is as follows in this template:

"geo_point_fields" : {
  "match" : "*",
  "match_mapping_type" : "geo_point",
  "mapping" : { "type" : "geo_point", "doc_values" : true }
}

Will all future daily indexes created by cisco-fw have geo_point?


(Mike Methe) #5

Any ideas on getting this working?


(Mark Walkom) #6

That looks good to me!


(Mike Methe) #7

Thanks for the feedback. I can see this in the discovery:

Then this when I try to map based on a saved search


(Mike Methe) #8

How can I determine from what template a daily index was created?


(Mike Methe) #9

Attempted a reindex. Nothing.

I will summarize:

Output:
output {
  if [type] == "cisco-fw" {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "%{type}-%{+YYYY.MM.dd}"
      manage_template => true
      document_type => "cisco-fw"
    }
  } else {
    elasticsearch {
      hosts => ["localhost:9200"]
      sniffing => true
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  }
}

My understanding is that the document_type will tell elasticsearch what template to use. There are 2 templates at:
/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.5.5-java/lib/logstash/outputs/elasticsearch
[root@brt1-log01 elasticsearch]# ls -l
total 52
-rw-r--r-- 1 logstash logstash 3385 Apr 7 2016 buffer.rb
-rw-r--r-- 1 logstash logstash 9427 Apr 7 2016 common_configs.rb
-rw-r--r-- 1 logstash logstash 6614 Apr 7 2016 common.rb
-rw-r--r-- 1 logstash logstash 2957 Jan 24 09:14 elasticsearch_tempalte_cisco.json
-rw-r--r-- 1 logstash logstash 2957 Apr 7 2016 elasticsearch-template.json
-rw-r--r-- 1 logstash logstash 3880 Apr 7 2016 http_client_builder.rb
-rw-r--r-- 1 logstash logstash 8716 Apr 7 2016 http_client.rb
-rw-r--r-- 1 logstash logstash 1356 Apr 7 2016 template_manager.rb

Each has the section:
"properties" : {
  "@timestamp": { "type": "date", "doc_values" : true },
  "@version": { "type": "string", "index": "not_analyzed", "doc_values" : true },
  "geoip" : {
    "type" : "object",
    "dynamic": true,
    "properties" : {
      "ip": { "type": "ip", "doc_values" : true },
      "location" : { "type" : "geo_point", "doc_values" : true },
      "latitude" : { "type" : "float", "doc_values" : true },
      "longitude" : { "type" : "float", "doc_values" : true }
    }
  }
}

My understanding is that this creates the type geo_point needed for geo mapping.

What am I missing?


(Mike Methe) #10

hmmmm curl -XGET 'http://localhost:9200/_template/cisco-fw?pretty'
returns
{ }

Nothing.
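The empty `{ }` above is the key clue, and it ties back to the question in #4 about whether the edited `"template"` pattern will cover future daily indices. Elasticsearch picks index templates by matching the name of a newly created index against each registered template's `"template"` pattern (`*` is the only wildcard); the Logstash `document_type` plays no part in that choice. Logstash registers its template under the name given by its `template_name` option, which defaults to `logstash`, and it only reads a custom file when the `template` option points at it, so a copy left in the gem directory is never loaded and `_template/cisco-fw` is empty because nothing was registered under that name. The script below is an added example, not code from the posts; the `_template` response and the index names are constructed. Given the output's `index => "%{type}-%{+YYYY.MM.dd}"` naming, it shows which templates would apply to a new `cisco-fw-2017.01.24` index and in what order.

```python
"""Which index templates would apply to a new daily index?

Added example for this discussion thread; not code from the original posts.
Template bodies and index names below are constructed.
"""
import json
import re
import urllib.request  # used only by fetch_templates(); the checks run offline

# Constructed sample of GET /_template on a cluster where Logstash installed
# its default template (template_name defaults to "logstash") and a second
# template, edited for the firewall indices, was registered as "cisco-fw".
SAMPLE_TEMPLATES = json.loads("""
{
  "logstash": {
    "order": 0,
    "template": "logstash-*",
    "mappings": {"_default_": {"properties": {
      "geoip": {"properties": {"location": {"type": "geo_point"}}}}}}
  },
  "cisco-fw": {
    "order": 0,
    "template": "cisco-fw*",
    "mappings": {"_default_": {"properties": {
      "geoip": {"properties": {"location": {"type": "geo_point"}}}}}}
  }
}
""")


def pattern_matches(pattern, index_name):
    """Elasticsearch-style simple match: '*' matches any run of characters,
    every other character in the pattern is taken literally."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, index_name) is not None


def matching_templates(templates, index_name):
    """Names of the templates whose pattern matches index_name, sorted by
    'order' ascending (Elasticsearch applies lower orders first, so a later
    entry in this list overrides settings from an earlier one)."""
    hits = [(body.get("order", 0), name)
            for name, body in templates.items()
            if pattern_matches(body["template"], index_name)]
    return [name for _, name in sorted(hits)]


def template_exists(templates, name):
    """Equivalent of checking that GET /_template/<name> is not '{ }'."""
    return name in templates


def fetch_templates(base_url):
    """Fetch every registered template from a live cluster, e.g. fetch_templates('http://localhost:9200')."""
    with urllib.request.urlopen(f"{base_url}/_template") as resp:
        return json.load(resp)


if __name__ == "__main__":
    for index in ("cisco-fw-2017.01.24", "logstash-2017.01.24", "filebeat-2017.01.24"):
        print(f"{index}: templates applied = {matching_templates(SAMPLE_TEMPLATES, index)}")
```

Against a live cluster, `matching_templates(fetch_templates("http://localhost:9200"), "cisco-fw-2017.01.24")` lists what a new daily index would actually get. If the list is empty, either the edited template was never registered (point Logstash's `template` option at the file and set `template_name`), or it was registered with a pattern that does not cover the index name. Note also that Logstash's `template_overwrite` defaults to `false`, so an already-registered template of the same name is left untouched until that is set to `true`.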


(Mike Methe) #11

Anyone know why the above happens?


(system) #12

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.