Default parsing of the geoip field: location?

JohanLanderholm · February 5, 2017, 12:28pm

Hi all,

This might be a stupid question, please forgive me.
But I am struggling to get the default mapping for my geoip field location to be changed from float to geo_point, I haven't found out how to do this.

But - is there any reason at all for NOT having the location field mapped as a geo_point type?
Is there any other use for this field than doing geoip calculations?
Is there a technical issue?

I seem to understand that everyone is having an issue with this and it is solved by the default mapping feature. But the documentation on this topic is sub-optimal.

warkolm · February 5, 2017, 7:44pm

This mapping is actually handled in ES against the field.
So what does that look like for your index?

warkolm · February 6, 2017, 12:25am

Also, can you show your config?

JohanLanderholm · February 6, 2017, 6:22am

Thanks for your interest of helping me out.
I identified that many people went back to using the default logstash-* index for the geoip events, and I tried this too. I seems that ES has a default mapping of geo_point for the location field.
This makes my setup work, but my first problem is still that I don't understand the syntax of creating default mappings for new indexes.
Once, I managed to change the mapping of the location field in one index, but it was only for that index, all new (every day!) indexes was created again with the wrong mapping.
So, I just have to learn how this is supposed to be done.
I have been working with other SIEM-like products like Q1Radar, Splunk, TLC, ArcSight and LogPoint, but the architecture is very different with ES to all others.

magnusbaeck · February 6, 2017, 7:13am

Once, I managed to change the mapping of the location field in one index, but it was only for that index, all new (every day!) indexes was created again with the wrong mapping.
So, I just have to learn how this is supposed to be done.

You should define an index template that matches the name of your indexes and applies whatever mappings you want. Then configure Logstash to use your index template or configure Logstash to not care about index templates at all and handle it yourself outside of Logstash.

JohanLanderholm · February 6, 2017, 11:52am

Thanks Magnus,

This is exactly what I would like to learn. But I have failed to do so yet. The documentation is not that clear on how to do this. A lot of the google results are describing old releases of the product, and it seems that it has changed in the later versions. I'm running the 5.2.0.

Is there any documentation or books that will make it easier to learn?

fbaligand · February 6, 2017, 12:07pm

Logstash use a elasticsearch template named "logstash" by default.

I invite you to see it using curl http://localhost:9200/_template/logstash

You can see there how geoip is typed in elasticsearch and update the template so that your location field has the same mapping.

Finally, one question : is your index named like that : logstash-*

JohanLanderholm · February 6, 2017, 1:30pm

Yes, I changed my index from netflow-* to logstash-* and the mapping started working right away.
It's just at matter of me learning how to apply this mapping for my netflow-* index in the same way.

/J

fbaligand · February 6, 2017, 1:56pm

OK.
It's easy to do. In logstash template, you have this : "template": "logstash-*"
Update the template with "netflow-*" and you're done.

system · March 6, 2017, 1:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.