ELK-5.3.1 Kibana Tile map - No Compatable Fields: geo_point

lewis15 · April 22, 2017, 3:12pm

Running ELK Stack 5.3.1
I am unable to create a Tile map because Kibana is defaulting to Field geo-point.
I have not been able to fine anything in the logs that makes any sense to me about what is wrong.
Sorry, no programing experience with Servers/PCs. Any help is appreciated

Picture1

Screen shot of missing geoip.location

This screen shot has a geoip.location

Event_data.IpAddress & geoip.location are available

Empty geoip.location

Some event logs have an IP address in the log & some do not have an IP Address. This is normal for Windows Event Logs. Windows produces a huge number of event logs for a single logon. Some have some good information & some have blank fields

Geoip selections available

Logstash config file

Thanks
Lewis

warkolm · April 24, 2017, 1:47am

We just posted a blog about this topic that may help - https://www.elastic.co/blog/geoip-in-the-elastic-stack

spalger · April 24, 2017, 10:34pm

You also might need to refresh the field mappings in the Index Pattern (open your winlogbeat-* index pattern and click the little refresh button

lewis15 · May 2, 2017, 3:00pm

I must be doing something incorrectly./wrong. After refreshing or
rewriting the winlogbeat-* index the fields remain the same 371 & no geoip
field anywhere. Using the Console & the information in
https://www.elastic.co/guide/en/elasticsearch/plugins/5.3/using
-ingest-geoip.html I have almost the same results as indicated in the
document. The differences are minor - the line locations of the
information are not identical, but the information is the same. I do not
have anything like geo-point.
in any of my test systems that I am using to solve this problem.

Thanks for your help . I have learned a lot, but I am missing something.

spalger · May 2, 2017, 8:33pm

Are you refreshing/rewriting in elasticsearch? I was talking about in the Kibana Management app, choose "Index Patterns", then winlogbeat-* in the left column, and click the refresh button on the right hand side to refresh Kibana's cache of your fields

lewis15 · May 2, 2017, 10:27pm

Yes, that is what I did.

lewis15 · May 2, 2017, 10:58pm

Winlogstash1 is the management #1
Winlogstash2 select Add New
Winlogstash3 change from logstash-* to winlogstbeat-*
Winlogstash4 selected refresh fields I also saved a new index by removing
check in Index contains time based events..Had 371 fields, rechecked Index
contains time based events & saved, again only 371 events.

lewis15 · May 18, 2017, 11:51am

Using https://www.elastic.co/blog/geoip-in-the-elastic-stack, I am stuck at
:

Next, we can save this pipeline to Elasticsearch
https://www.elastic.co/guide/en/elasticsearch/reference/5.3/put-pipeline-api.html,
set a template to make sure that the geoip valures are treated as a and
then use Filebeat to push data directly to our cluster for ingestion and
storage, with our added geoip info being added automatically!
Am I suppose to make any changes to:

PUT _ingest/pipeline/my-pipeline-id{
"description" : "describe pipeline",
"processors" : [
{
"set" : {
"field": "foo",
"value": "bar"
}
}
]}

If so, I don't know what fields to change or what.

Also how do I set a template?

Thanks.

system · June 15, 2017, 11:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Missing Geo_point field in geohash aggregate -! Kibana 4.5 Elasticsearch	8	3730	January 10, 2017
Geoip.location not showing in Kibana Logstash elastic-stack-graph	6	2802	May 13, 2019
GeoIP doesn't work on ELK stack Elasticsearch	5	815	November 30, 2017
Map geoip.location to geo_point by default Logstash	5	4048	July 6, 2017
Need help with geo_point index mappings Elasticsearch	4	668	April 15, 2017

ELK-5.3.1 Kibana Tile map - No Compatable Fields: geo_point

Related topics