Coordinate Map

I'm trying to create a coordinate map using the GeoID data. I have the data being properly enriched by logstash and I am able to see the new GeoID fields in each new record as you can see here:

image.png470×1016 49.7 KB

Thats great. I love the log enrichment options. So I go to visualize -> coordinate map and set it up as seen here:

image.jpg2978×1304 515 KB

I'm not really interested in the other map versions yet. I just wanted to get it working with the basic map that is included. However regardless of which settings I try I only get the blank map, no markers ever appear.

At first I thought this might be because of the index data so I checked that out. Initially the GeoID data wasn't there. So I updated it with the refresh fields list button. All the GeoID fields appeared. However this did not change anything regarding my map.

image.png2490×1720 294 KB

So now I"m a bit stuck and not sure how to proceed. I have been able to make other visualizations such as bar charts using the GeoID tags. EX:

image.png2890×1778 261 KB

Here are my logstash config files:
input.config:
input {
stdin {
}
rabbitmq{
host => "localhost"
queue => "queue"
heartbeat => 30
passive => true
durable => true
codec => "json"
}
}
geoip.conf
filter {
geoip {
source => "[computer][external_ip]"
target => "[GeoIP]"
}
}
output.conf:
output {
elasticsearch {
hosts => ["localhost:9200"]
}
stdout {
codec => rubydebug
}
}

Thanks in advance for any advise!

Hi,
I can see a string data type for your GeoIP.ip. I would imagine this needing to be of a ip data type. See an example of such from here https://www.elastic.co/blog/geoip-in-the-elastic-stack under the heading Mapping, for Maps.

So I tried to follow that guide. I'm a bit stuck though. I don't see how I am supposed to utilize the template info under Mapping, for Maps. Specificially:

"geoip"  : {
  "dynamic": true,
  "properties" : {
    "ip": { "type": "ip" },
    "location" : { "type" : "geo_point" },
    "latitude" : { "type" : "half_float" },
    "longitude" : { "type" : "half_float" }
  }
}

I'm at a bit of a loss as to how to apply this. I am using logstash directly to add the GeoIP data. and that ip data type is correct set now. I even see the location data in the dictionary format within the json output of a search: EX:

"GeoIP": {
  "country_name": "Peru",
  "ip": "<IP>",
  "location": {
    "lat": -12.0677,
    "lon": -77.0846
  },

I definitely feel I am missing something obvious, just can't seem to put my finger on it as of yet.

I finally figured this out so I wanted to share.
I didn't understand what the problem was until I looked at the JSON output and realized that the coordinates were coming down in a single field, only to be split up by elastic-search into multiple fields. This led me to realize that the dictionary was being parsed because it wasn't an array as well. IE {data, data1} vs [{data, data1}].
Once I realized that I figured there was a problem with my geoIP filter that was causing it. I thought at first that I might need to mutate the data somehow. However I realized that I was setting a target it looked like this:

filter{
geoip {
source => "[computer][external_ip]"
target => "[GeoIP]"
}
}

So i decided to test and see what the result would be if I simply removed the target option
IE:

filter{
geoip {
source => "[computer][external_ip]"
}
}

As soon as I removed the target field, it came out correctly and I was able to begin mapping.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.