Can't using Geoip Apache2

Vi_t_Dung_Vu · January 30, 2018, 9:20am

I can't found apache2.access.geoip.location in Management >> Index Patterns >> fields

This is my filer file

> filter {

        if [type] == "apache_access" {

grok {
        match => { "message" => ["%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][time]}\] \"%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}\" %{NUMBER:[apache2][access][response_code]} %{NUMBER:[apache2][access][body_sent][bytes]}( \"%{DATA:[apache2][access][referrer]}\")?( \"%{DATA:[apache2][access][agent]}\")?",
          "%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \\[%{HTTPDATE:[apache2][access][time]}\\] \"-\" %{NUMBER:[apache2][access][response_code]} -" ] }

        match => { "message" => ["%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][time]}\] \"%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}\" %{NUMBER:[apache2][access][response_code]} - ( \"%{DATA:[apache2][access][referrer]}\")?( \"%{DATA:[apache2][access][agent]}\")?",
          "%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \\[%{HTTPDATE:[apache2][access][time]}\\] \"-\" %{NUMBER:[apache2][access][response_code]} -" ] }

        remove_field => "message"
      }
      mutate {
        add_field => { "read_timestamp" => "%{@timestamp}" }
      }
      date {
        match => [ "[apache2][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
        remove_field => "[apache2][access][time]"
      }
      useragent {
        source => "[apache2][access][agent]"
        target => "[apache2][access][user_agent]"
        remove_field => "[apache2][access][agent]"
      }
      geoip {
        source => "[apache2][access][remote_ip]"
        target => "[apache2][access][geoip]"
        }

         }
}

warkolm · January 30, 2018, 9:21am

You mean it hasn't created the field?

Christian_Dahlqvist · January 30, 2018, 9:23am

Have you refreshed the index pattern? Can you show a document that has been indexed?

Vi_t_Dung_Vu · January 30, 2018, 9:28am

i've been refresh it

Vi_t_Dung_Vu · January 30, 2018, 9:31am

i can't found apache2.access.geoip.location however i found apache2.access.geoip.location.lon and apache2.access.geoip.location.lat

Christian_Dahlqvist · January 30, 2018, 9:36am

I suspect means that you do not have an index template in place that maps apache2.access.geoip.location as a geo_point, which means that the mapping is not correct. You need to create (or update) an index template that provides this mapping, and then reindex the data into a new index so this mapping change takes effect.

Vi_t_Dung_Vu · January 30, 2018, 9:58am

Hi @Christian_Dahlqvist,
what does that mean? Please guide me!

system · February 27, 2018, 10:12am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.