Could not locate that index-pattern-field (id: iis.access.geoip.location)

Hi guys,

Using Elastic Stack : 6.4.0

I am currently reading in IIS logs and trying to get geoIP filtering to work with Kibana, however I am quite stuck at the moment.

When navigating to:

The following message is displayed:

Could not locate that index-pattern-field (id: iis.access.geoip.location)

Moreover, the following errors are displayed when navigating to Dashboard:

I suspect that geoIP might be causing trouble. I have tried to follow the related topic:

But was unable to follow through, more specifically, how to access and specify/modify index templates in Windows.

We have the following inside our logstash pipeline.conf :

geoip {
  "source" => "iis.access.remote_ip"
  "target" => "iis.access.geoip.location"
}

Executing in Dev Tools console:

GET /_template/filebeat/

Results in the following response (the response for /logstash/ is identical, except for the name of the first key):

{
  "filebeat": {
    "order": 0,
    "index_patterns": [
      "filebeat-*"
    ],
    "settings": {
      "index": {
        "number_of_shards": "2",
        "number_of_replicas": "1"
      }
    },
    "mappings": {
      "my_type": {
        "dynamic": "true",
        "properties": {
          "geoip": {
            "dynamic": true,
            "properties": {
              "location": {
                "type": "geo_point"
              }
            }
          }
        }
      }
    },
    "aliases": {}
  }
}

The visState for Access Map [Filebeat IIS] Visualization Object:

{
  "type": "tile_map",
  "params": {
    "mapCenter": [
      0,
      0
    ],
    "mapZoom": 2,
    "wms": {
      "enabled": false,
      "options": {
        "transparent": true,
        "format": "image/png"
      }
    },
    "legendPosition": "bottomright",
    "heatClusterSize": 1.5,
    "mapType": "Scaled Circle Markers",
    "isDesaturated": true,
    "addTooltip": true
  },
  "aggs": [
    {
      "params": {},
      "type": "count",
      "enabled": true,
      "id": "1",
      "schema": "metric"
    },
    {
      "params": {
        "field": "iis.access.geoip.location",
        "isFilteredByCollar": true,
        "precision": 2,
        "autoPrecision": true,
        "useGeocentroid": true
      },
      "type": "geohash_grid",
      "enabled": true,
      "id": "2",
      "schema": "segment"
    }
  ],
  "title": "Access map [Filebeat IIS]"
}

Your help is highly appreciated.
Please let me know if you would like any additional information. Thanks in advance!
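
One way to check whether the template shown in the post declares the field that the tile map aggregates on (an added example, not part of the original post). The embedded JSON is a trimmed copy of the template and visState above; the function names are hypothetical.

```python
import json

# Constructed sample: the "mappings" part of the filebeat template and the
# aggs of the visState, trimmed from the JSON quoted in the post above.
TEMPLATE = json.loads("""
{"filebeat": {"index_patterns": ["filebeat-*"],
  "mappings": {"my_type": {"dynamic": "true", "properties": {
    "geoip": {"dynamic": true, "properties": {
      "location": {"type": "geo_point"}}}}}}}}
""")
VIS_STATE = json.loads("""
{"type": "tile_map", "aggs": [
  {"type": "count", "id": "1", "schema": "metric", "params": {}},
  {"type": "geohash_grid", "id": "2", "schema": "segment",
   "params": {"field": "iis.access.geoip.location"}}]}
""")


def declared_type(properties, dotted_path):
    """Walk nested "properties" objects; return the leaf type or None."""
    node = {"properties": properties}
    for part in dotted_path.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    # A node with sub-properties and no explicit type is an object field.
    return node.get("type", "object")


def geo_fields(vis_state):
    """Fields used by geohash_grid aggregations in a Kibana visState."""
    return [a["params"]["field"] for a in vis_state.get("aggs", [])
            if a.get("type") == "geohash_grid" and "field" in a.get("params", {})]


def check(template_response, vis_state):
    """Map (template, mapping type, field) -> declared type or None."""
    report = {}
    for name, body in template_response.items():
        for doc_type, mapping in body.get("mappings", {}).items():
            for field in geo_fields(vis_state):
                report[(name, doc_type, field)] = declared_type(
                    mapping.get("properties", {}), field)
    return report


if __name__ == "__main__":
    for key, found in check(TEMPLATE, VIS_STATE).items():
        print(key, "->", found)
```

A `None` result only describes this template; the mapping actually applied to an index is returned by `GET filebeat-*/_mapping`.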

That's suggesting that the index pattern defined for the dashboard is iis.access.geoip.location, so it's not talking about the field.

What does _cat/indices?v show?


Hi Mark,

thanks for your input.
_cat/indices?v outputs:

health status index                           uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   metricbeat-6.3.2-2018.08.21     phlmx7wPR_eNbPFpGdL02g   1   1          3            0      6.1kb          6.1kb
yellow open   filebeat-6.3.2-2018.08.14       dK7-ZKmtTOav5FTorFWhOw   5   1      29940            0     16.4mb         16.4mb
yellow open   metricbeat-6.3.2-2018.08.29     jkcBGKJhRQWbEQMJRGivzg   1   1      70318            0     12.1mb         12.1mb
yellow open   filebeat-6.4.0-2018.08.12       ApTVfIIHRDecyc7hQGQquQ   2   1          0            0       522b           522b
green  open   .monitoring-es-6-2018.08.17     r5WLKtmVRNyS8cUa6I1pPg   1   0      46780         1267     24.3mb         24.3mb
yellow open   filebeat-6.4.0-2018.08.09       t3_uf36uQ-6JaM8LCh6enw   2   1          0            0       522b           522b
yellow open   metricbeat-6.3.2-2018.08.20     7zY4AJdBSLSkBbvifkniIQ   1   1       4142            0    738.3kb        738.3kb
yellow open   filebeat-6.4.0-2018.07.30       c_00vopNRLGe5juOYOQsdg   2   1          0            0       522b           522b
yellow open   filebeat-6.4.0-2018.08.14       faK03uThTfOGKQtnbmVbbw   2   1          0            0       522b           522b
yellow open   filebeat-6.4.0-2018.08.25       dSBR-bB3SYWJDHHrvrqFpQ   2   1          0            0       522b           522b
yellow open   filebeat-6.3.2-2018.08.02       220QRuB5TJu9ZdxYbtYi2Q   5   1      28150            0     14.6mb         14.6mb
yellow open   filebeat-6.4.0-2018.07.31       MyYF5xtFQpCR1v--1Rz3Cg   2   1          0            0       522b           522b
yellow open   filebeat-6.4.0-2018.08.21       vYp8Wew4Tl6qA71jMVatvQ   2   1          0            0       522b           522b
green  open   .monitoring-es-6-2018.08.16     jOx9_AHYTgWD-ZhZB4aOeA   1   0      49043          531     23.5mb         23.5mb
yellow open   filebeat-6.4.0-2018.08.07       BMQ2RkuyThu30wj4StriRw   2   1          0            0       522b           522b
yellow open   filebeat-6.3.2-2018.07.30       wBp2HEyvQoGUVhsDFnqFCQ   5   1        502            0      1.3mb          1.3mb
yellow open   filebeat-6.4.0-2018.08.20       WTzwMYZ9R0O-Sc6-vq4h_Q   2   1          0            0       522b           522b
yellow open   filebeat-6.4.0-2018.08.18       Nz5ilZCTSCiRYU3Nns5IhA   2   1          0            0       522b           522b
yellow open   filebeat-6.4.0-2018.08.26       Dxnxzr-eS7uWo4t3XbynbA   2   1          0            0       522b           522b
yellow open   filebeat-6.4.0-2018.08.29       mNbtvT92QUGPocfdzy8WRw   2   1          0            0       522b           522b
yellow open   filebeat-6.3.2-2018.08.07       t0BdqBWJQUSemQdMqZ2xrA   5   1      25238            0       13mb           13mb
yellow open   filebeat-6.4.0-2018.08.08       PUy4_6nSRF6Bhp_MJsN6lQ   2   1          0            0       522b           522b
yellow open   filebeat-6.4.0-2018.08.04       h86Tk57EQq6hPVv8fW-KAg   2   1          0            0       522b           522b
yellow open   filebeat-6.3.2-2018.08.13       5XiI94WkQo2qdlpsKlmjpA   5   1      15748            0      8.8mb          8.8mb
green  open   .monitoring-kibana-6-2018.08.15 XPjMVrT7SaCY7TwHpjic3Q   1   0       1117            0    417.3kb        417.3kb
yellow open   filebeat-6.3.2-2018.08.15       UpioDMlWQOmjZq3f8YygjQ   5   1      23685            0     12.5mb         12.5mb
yellow open   filebeat-6.3.2-2018.08.05       DNCdcaplRiWl8l9wyTCPfg   5   1       7102            0      4.2mb          4.2mb
yellow open   filebeat-6.4.0-2018.08.02       RSKL2zAeRGi8rgWJaV184A   2   1          0            0       522b           522b
yellow open   filebeat-6.4.0-2018.08.24       HPWky2wXTjW1QtyzC1E9xA   2   1          0            0       522b           522b
yellow open   filebeat-6.3.2-2018.07.31       UFJ6ahKqSbuGMDZYz6OS-A   5   1      37830            0     19.6mb         19.6mb
green  open   .monitoring-kibana-6-2018.08.28 1MggRPOhSBCRsjIwy1vllg   1   0        276            0    134.5kb        134.5kb
yellow open   filebeat-6.4.0-2018.08.23       l7UJfcrFTtK7BmDzXFNh8w   2   1          0            0       522b           522b
green  open   .kibana                         VZA0e8C-QOypywcBAoykuA   1   0        158            2    161.4kb        161.4kb
yellow open   metricbeat-6.3.2-2018.08.17     5YMILqJmT4631VsKBkPeGg   1   1      38645            0      6.5mb          6.5mb
yellow open   filebeat-6.3.2-2018.08.08       ShMF-dELSbO94pDNZY30fQ   5   1      29520            0       16mb           16mb
yellow open   filebeat-6.4.0-2018.08.28       ebA8oBagQ6ClW_CSWRn_FA   2   1          0            0       522b           522b
green  open   .monitoring-kibana-6-2018.08.16 A6QTVk9lSTKJnTYdI64UjA   1   0       2093            0    671.1kb        671.1kb
yellow open   filebeat-6.4.0-2018.08.06       TS-6dfIIRFOgT1lQPuuGtQ   2   1          0            0       522b           522b
yellow open   filebeat-6.4.0-2018.08.19       FpP5A1YaQ5qmm82kdtCBVA   2   1          0            0       522b           522b
green  open   .monitoring-es-6-2018.08.30     MCBtZ4tAS2iRdXS4-_GxUQ   1   0        860          614    415.7kb        415.7kb
yellow open   filebeat-6.3.2-2018.08.12       jQICoYg8Q8utBNUVkiljJQ   5   1        338            0      1.1mb          1.1mb
green  open   .monitoring-es-6-2018.08.28     eYhKXmCFQ56JSPE00UzVJg   1   0      11112          945      5.8mb          5.8mb
green  open   .monitoring-es-6-2018.08.29     G8Num9IORkydhCVRRShs1A   1   0     174531        15812     74.6mb         74.6mb
yellow open   metricbeat-6.3.2-2018.08.16     o-M_m3AkTouT63SYjGijRA   1   1      34818            0      6.1mb          6.1mb
green  open   .monitoring-kibana-6-2018.08.29 coq-xJhbQq-aR03RH264CQ   1   0       2707            0      798kb          798kb
yellow open   http:                           FZGdjZr_RriwzClmNvthpQ   5   1          0            0      1.2kb          1.2kb
yellow open   filebeat-6.4.0-2018.08.05       yVbOwN2KTcGxNgb6Z6Bp5w   2   1          0            0       522b           522b
yellow open   filebeat-6.3.2-2018.08.09       5Xb5WptdQNCMWdW6-kARJw   5   1       5134            0      3.7mb          3.7mb
yellow open   filebeat-6.4.0-2018.08.22       yypLDUC8Tn2xC5Tj_TklcA   2   1          0            0       522b           522b
yellow open   metricbeat-6.3.2-2018.08.30     Lxj4ZRx0R2CrI8WV8uJTww   1   1          0            0       230b           230b

Notice there are filebeat indices, but also metricbeat (I stripped some entries due to the 7000 char limit). I am not sure why since I only run filebeat. I added more log files to process (IIS) yesterday, it seems they have not been counted.

Thanks in advance

To follow up,

It turns out a Windows service was running for 6.3.2 versions, which adds to the additional indices. Turning this off results in all 6.4.0 indices. I am having an even bigger problem now (unable to load logs, due to mapping conflicts, no idea how to restore everything), but this is a different topic.

Thanks in advance for your help.
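
The situation described in this follow-up, two Beat versions writing daily indices side by side, can be read straight out of `_cat/indices?v` output. The script below is an added example, not part of the original thread; the sample rows are copied from the output posted earlier and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a few rows copied from the _cat/indices?v output above.
SAMPLE = """\
health status index                       uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   filebeat-6.3.2-2018.08.14   dK7-ZKmtTOav5FTorFWhOw   5   1      29940            0     16.4mb         16.4mb
yellow open   filebeat-6.4.0-2018.08.14   faK03uThTfOGKQtnbmVbbw   2   1          0            0       522b           522b
yellow open   filebeat-6.3.2-2018.08.12   jQICoYg8Q8utBNUVkiljJQ   5   1        338            0      1.1mb          1.1mb
yellow open   filebeat-6.4.0-2018.08.12   ApTVfIIHRDecyc7hQGQquQ   2   1          0            0       522b           522b
yellow open   filebeat-6.4.0-2018.08.29   mNbtvT92QUGPocfdzy8WRw   2   1          0            0       522b           522b
yellow open   metricbeat-6.3.2-2018.08.29 jkcBGKJhRQWbEQMJRGivzg   1   1      70318            0     12.1mb         12.1mb
green  open   .kibana                     VZA0e8C-QOypywcBAoykuA   1   0        158            2    161.4kb        161.4kb
"""

# Daily Beats index names look like <beat>-<version>-<yyyy.mm.dd>.
NAME = re.compile(
    r"^(?P<beat>[a-z]+beat)-(?P<ver>\d+\.\d+\.\d+)-(?P<day>\d{4}\.\d{2}\.\d{2})$")


def parse_cat_indices(text):
    """Turn the column-aligned table into a list of dicts keyed by header."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        cols = line.split()
        if len(cols) == len(header):  # skip rows that do not fill every column
            rows.append(dict(zip(header, cols)))
    return rows


def summarize(rows):
    """Return doc totals per (beat, version) and days with several versions."""
    docs = defaultdict(int)
    versions_by_day = defaultdict(set)
    for row in rows:
        m = NAME.match(row["index"])
        if not m:
            continue  # .kibana, .monitoring-* and other non-Beats indices
        docs[(m["beat"], m["ver"])] += int(row["docs.count"])
        versions_by_day[(m["beat"], m["day"])].add(m["ver"])
    overlap = sorted(k for k, v in versions_by_day.items() if len(v) > 1)
    return dict(docs), overlap


if __name__ == "__main__":
    totals, overlap = summarize(parse_cat_indices(SAMPLE))
    print(totals)
    print("days with more than one version per beat:", overlap)
```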
