Create properties with wildcard

Elastic Stack Elasticsearch
1

Hi,
In a log from CISCO SFR there are two IP (source and destination) and I want to send with logstash to elasticsearch with geoip information.
The logstash template in elasticsearch has only one property named geoip, and thus for to map a .location to geo_point, I need to crate new mappings for the two geoip_src and geoip_dst properties.
It's possible to create a template with a property like:
"geoip_*" : {
"dynamic" : true,
"properties" : {
"ip" : {
"type" : "ip"
},
"location" : {
"type" : "geo_point"
},
"latitude" : {
"type" : "half_float"
},
"longitude" : {
"type" : "half_float"
}
}
that can be used for all properties like geoip_src, geoip_dst, geoip_whatever... without the need of creating mappings for all the geoip_ variants,

Thank you.

2

Have a look at https://www.elastic.co/guide/en/elasticsearch/reference/6.3/dynamic-templates.html

3

Thank you, I used before this information for create single properties with wildcards but I do not know how to use for create complex properties like geoip.

4

I believe you need to apply it to each individual field with a name like geoip_*.type, geoip_*.location, ...

5

Thank you, I will try in a couple of hours.

6

I tried this, and does not works:
{
"location_as_geopoint": {
"match_mapping_type": "*",
"match": "geoip*.location",
"mapping": {
"type": "geo_point"
}
}
}

7

I changed to:

      {
		"location_as_geopoint": {
		  "match_mapping_type": "*",
          "path_match": "geoip_*.location",
          "mapping": {
            "type": "geo_point"
          }
        }
      }

And now works as desired.

8

Thank you dadoonet for your help.

9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.