Could not index event to Elasticsearch, mapper [geoip.location] of different type

Hi all,
I have configured Logstash and Elasticsearch v7.8.
This is the Logstash part:

    geoip {
        source => "[iis][access][client_ip]"
    }

Index template:

GET /_template/iis

{
  "iis" : {
    "order" : 0,
    "version" : 60001,
    "index_patterns" : [
      "iis-*"
    ],
    "settings" : {
      "index" : {
        "number_of_shards" : "1",
        "number_of_replicas" : "0",
        "refresh_interval" : "5s"
      }
    },
    "mappings" : {
      "dynamic_templates" : [
        {
          "message_field" : {
            "path_match" : "message",
            "mapping" : {
              "norms" : false,
              "type" : "text"
            },
            "match_mapping_type" : "string"
          }
        },
        {
          "string_fields" : {
            "mapping" : {
              "norms" : false,
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "ignore_above" : 256,
                  "type" : "keyword"
                }
              }
            },
            "match_mapping_type" : "string",
            "match" : "*"
          }
        }
      ],
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        },
        "geoip" : {
          "dynamic" : true,
          "properties" : {
            "ip" : {
              "type" : "ip"
            },
            "latitude" : {
              "type" : "half_float"
            },
            "location" : {
              "type" : "geo_point"
            },
            "longitude" : {
              "type" : "half_float"
            }
          }
        },
        "@version" : {
          "type" : "keyword"
        }
      }
    },
    "aliases" : { }
  }
}

Logstash logs:

[2020-09-02T09:53:22,106][WARN ][logstash.outputs.elasticsearch][main][e259a9c61a106fc2c0d1e50f28fad160c27a1537f119152edc21384c300f32c1] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"iis-2020.09.02", :routing=>nil, :_type=>"%{type}"}, #<LogStash::Event:0x7397c590>], :response=>{"index"=>{"_index"=>"iis-2020.09.02", "_type"=>"%{type}", "_id"=>"Hqw8TnQBA0raPCFaMvi1", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"mapper [geoip.location] of different type, current_type [geo_point], merged_type [ObjectMapper]"}}}}

image

Can someone let me know what I am doing wrong here?

Welcome to our community! :smiley:
Please don't post pictures of text; they are difficult to read, impossible to search and replicate (if it's code), and some people may not even be able to see them.

What exactly is that last image, a sample document or what's in Kibana?

Correction:
The data you are sending is nested under location, yet your mapping does not have that data nested.

Your mapping has:
geoip.location as geo point

You are sending:
geoip.location.lon
geoip.location.lat

I would correct the mapping to include those fields.

Not likely, because;


Here is a full event

{
  "service": {},
  "@version": "1",
  "iis": {
    "access": {
      "client_ip": "107.209.XXX.XX",
      "remote_ip": "10.180.4.7",
      "server_ip": "10.180.25.22",
      "request_time_ms": "597",
      "user_agent": {
        "os_name": "Windows",
        "version": "84.0.4147",
        "name": "Chrome",
        "original": "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/84.0.4147.135+Safari/537.36",
        "device_name": "Other"
      },
      "referrer": "https://domain.com",
      "sub_status": "0",
      "method": "GET",
      "url": "/connect",
      "win32_status": "64",
      "time": "2020-09-03 07:40:51",
      "query_string": "transport=hidden",
      "user_name": "user@domain.com",
      "port": "80",
      "response_code": "200"
    }
  },
  "@timestamp": "2020-09-03T07:40:51.000Z",
  "geoip": {
    "region_code": "GA",
    "ip": "107.209.XX.XX",
    "latitude": 34.0389,
    "country_name": "United States",
    "location": {
      "lat": 34.0389,
      "lon": -84.3826
    },
    "postal_code": "30075",
    "continent_code": "NA",
    "longitude": -84.3826,
    "city_name": "Roswell",
    "dma_code": 524,
    "region_name": "Georgia",
    "country_code2": "US",
    "country_code3": "US",
    "timezone": "America/New_York"
  },
  "log": {
    "offset": 1772867,
    "file": {
      "path": "C:\\inetpub\\logs\\LogFiles\\W3SVC2\\u_ex200903_x.log"
    }
  },
  "input": {
    "type": "log"
  },
  "event": {
    "module": "iis",
    "dataset": "iis.access",
    "timezone": "-04:00"
  },
  "read_timestamp": "2020-09-03T07:41:17.719Z",
  "agent": {
    "version": "7.8.1",
    "hostname": "web01"
  },
  "ecs": {},
  "host": {},
  "fileset": {
    "name": "access"
  }
}

According to https://www.elastic.co/guide/en/elasticsearch/reference/7.8/geo-point.html, geoip.location is used in my example as "Geo-point as an object", and there is no need to set a mapping for geoip.location.lat and geoip.location.lon. Is that correct?
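
Added example (not part of the original thread): an offline shape check of the event posted above against the explicit properties of the posted iis template. The names check, is_geo_point, MAPPING and EVENT are made up for this sketch, and it covers only the object, "lat,lon" string and [lon, lat] array forms of geo_point.

```python
# Added example. MAPPING and EVENT are trimmed copies of the template and event in this thread.
MAPPING = {
    "geoip": {"dynamic": True, "properties": {
        "ip": {"type": "ip"},
        "latitude": {"type": "half_float"},
        "location": {"type": "geo_point"},
        "longitude": {"type": "half_float"}}},
}
EVENT = {
    "geoip": {"ip": "107.209.XX.XX", "latitude": 34.0389, "longitude": -84.3826,
              "location": {"lat": 34.0389, "lon": -84.3826}, "city_name": "Roswell"},
}

def _num(x):
    """True for numbers and numeric strings (booleans excluded)."""
    if isinstance(x, bool):
        return False
    try:
        float(x)
        return True
    except (TypeError, ValueError):
        return False

def is_geo_point(v):
    """Object {lat, lon}, "lat,lon" string or [lon, lat] array; geohash/WKT not handled."""
    if isinstance(v, dict):
        return set(v) == {"lat", "lon"} and _num(v["lat"]) and _num(v["lon"])
    if isinstance(v, str):
        v = v.split(",")
    return isinstance(v, list) and len(v) == 2 and all(_num(x) for x in v)

def check(doc, props, path=""):
    """Return (field, problem) pairs where a value's shape disagrees with its mapping."""
    problems = []
    for key, value in doc.items():
        spec, field = props.get(key), path + key
        if spec is None:
            continue  # unmapped field: left to dynamic mapping
        if "properties" in spec:
            if isinstance(value, dict):
                problems += check(value, spec["properties"], field + ".")
            else:
                problems.append((field, "mapped as object, got scalar"))
        elif spec["type"] == "geo_point":
            if not is_geo_point(value):
                problems.append((field, "not an accepted geo_point form"))
        elif isinstance(value, dict):
            problems.append((field, "mapped as " + spec["type"] + ", got object"))
    return problems
```

For the posted event, check(EVENT, MAPPING) returns an empty list: the object under geoip.location carries exactly the lat and lon keys.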
