I am trying to create a tile map of a cisco-fw index.
This is the error:
These are the fields I can see (I think)
How are the fields mapped?
Thanks for the reply.
I am not sure how to determine that. Kind of new.
I guess I would need to determine:
Am I on the right track? Any guidance on determining these items?
Thanks
Would this work going forward?
copy elasticsearch-template.json
alter "template" : "logstash-"
to
"template" : "cisco-fw"
If geo_point is as follows in this template
    "geo_point_fields" : {
      "match" : "*",
      "match_mapping_type" : "geo_point",
      "mapping" : { "type" : "geo_point", "doc_values" : true }
    }
Will all future daily indexes created by cisco-fw have geo_point?
Any ideas on getting this working?
That looks good to me!
Thanks for the feedback. I can see this in Discover
Then this when I try to map based on a saved search
How can I determine from what template a daily index was created?
Attempted a reindex. Nothing
I will summarize:
Output:
output {
  if [type] == "cisco-fw" {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "%{type}-%{+YYYY.MM.dd}"
      manage_template => true
      document_type => "cisco-fw"
    }
  } else {
    elasticsearch {
      hosts => ["localhost:9200"]
      sniffing => true
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  }
}
My understanding is that the document_type will tell elasticsearch what template to use. There are 2 templates at:
/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.5.5-java/lib/logstash/outputs/elasticsearch
[root@brt1-log01 elasticsearch]# ls -l
total 52
-rw-r--r-- 1 logstash logstash 3385 Apr 7 2016 buffer.rb
-rw-r--r-- 1 logstash logstash 9427 Apr 7 2016 common_configs.rb
-rw-r--r-- 1 logstash logstash 6614 Apr 7 2016 common.rb
-rw-r--r-- 1 logstash logstash 2957 Jan 24 09:14 elasticsearch_tempalte_cisco.json
-rw-r--r-- 1 logstash logstash 2957 Apr 7 2016 elasticsearch-template.json
-rw-r--r-- 1 logstash logstash 3880 Apr 7 2016 http_client_builder.rb
-rw-r--r-- 1 logstash logstash 8716 Apr 7 2016 http_client.rb
-rw-r--r-- 1 logstash logstash 1356 Apr 7 2016 template_manager.rb
Each has the section:
"properties" : {
  "@timestamp": { "type": "date", "doc_values" : true },
  "@version": { "type": "string", "index": "not_analyzed", "doc_values" : true },
  "geoip" : {
    "type" : "object",
    "dynamic": true,
    "properties" : {
      "ip": { "type": "ip", "doc_values" : true },
      "location" : { "type" : "geo_point", "doc_values" : true },
      "latitude" : { "type" : "float", "doc_values" : true },
      "longitude" : { "type" : "float", "doc_values" : true }
My understanding is that this creates the type geo_point needed for geo mapping.
What am I missing?
Anyone know why the above happens?
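The question of which template a daily index was created from comes down to how Elasticsearch 2.x selects templates: when a new index is created, every installed template whose "template" wildcard pattern matches the new index name is applied, lowest "order" first, and the document_type is not part of that choice. The simulation below is an added example, not code from the thread or from Logstash or Elasticsearch. The two templates, the "cisco-fw-*" pattern and the date are constructed for illustration; "logstash-*" is the pattern the plugin's stock elasticsearch-template.json uses.

```python
"""Simulate Elasticsearch 2.x index-template selection for a new daily index.

Added example (not from the thread). Templates are chosen by matching the new
index NAME against each template's "template" wildcard pattern; document_type
plays no part. The templates, pattern and date below are constructed.
"""
import re
from datetime import date

# Constructed templates, in the shape the /_template API returns them.
# "logstash" uses the pattern shipped in the plugin's default template;
# "cisco-fw" is an assumed copy whose pattern was changed for the cisco-fw index.
_GEOIP_PROPS = {"geoip": {"type": "object", "properties": {
    "location": {"type": "geo_point", "doc_values": True}}}}

TEMPLATES = {
    "logstash": {"order": 0, "template": "logstash-*",
                 "mappings": {"_default_": {"properties": _GEOIP_PROPS}}},
    "cisco-fw": {"order": 0, "template": "cisco-fw-*",   # assumption: trailing '*' covers daily suffixes
                 "mappings": {"_default_": {"properties": _GEOIP_PROPS}}},
}


def daily_index_name(type_name, day):
    """Reproduce the Logstash output's index => "%{type}-%{+YYYY.MM.dd}" naming."""
    return "%s-%s" % (type_name, day.strftime("%Y.%m.%d"))


def pattern_matches(pattern, index_name):
    """Elasticsearch template patterns understand only '*' as a wildcard."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, index_name) is not None


def matching_templates(templates, index_name):
    """Names of all templates whose pattern matches the index, lowest order first
    (Elasticsearch applies them in that order, so a higher order wins on conflicts)."""
    hits = [(t["order"], name) for name, t in templates.items()
            if pattern_matches(t["template"], index_name)]
    return [name for _, name in sorted(hits)]


def resolved_field_type(templates, index_name, field_path):
    """Type a dotted field gets from the matching templates, or None if it is
    left to dynamic mapping (which never produces geo_point)."""
    result = None
    for name in matching_templates(templates, index_name):
        props = templates[name]["mappings"].get("_default_", {}).get("properties", {})
        node = None
        for part in field_path.split("."):
            node = props.get(part)
            if node is None:
                break
            props = node.get("properties", {})
        if node is not None and "type" in node:
            result = node["type"]   # later (higher order) templates override earlier ones
    return result


def demo():
    """Walk one constructed daily index through the selection logic."""
    idx = daily_index_name("cisco-fw", date(2017, 1, 24))   # constructed date
    only_default = {"logstash": TEMPLATES["logstash"]}
    return {
        "index": idx,
        "templates": matching_templates(TEMPLATES, idx),
        "location_type": resolved_field_type(TEMPLATES, idx, "geoip.location"),
        "location_type_default_only": resolved_field_type(only_default, idx, "geoip.location"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-28s %s" % (key, value))
```

On a live cluster the same two facts are checked directly: `curl 'localhost:9200/_template?pretty'` lists every installed template with its pattern and order, and `curl 'localhost:9200/cisco-fw-2017.01.24/_mapping?pretty'` (substitute a real daily index) shows the mapping that index actually got; if geoip.location there is not geo_point, no template with a matching pattern was installed when the index was created, and the index must be recreated (or reindexed into a new index) after the template is in place, since an existing field's type cannot be changed.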