Error when trying to add documents layer to maps

looknleap · August 18, 2020, 10:32pm

I am trying to get a map visualization working, but I get the error: "Couldn't find any index patterns with geospatial fields"

As shown below, I have have the index template setup with a geoip field mapping (2 actually, client_GeoIP and geoip), the logstash output to elasticsearch is set to create geoip fields, and I see what I believe to be correctly created geoip fields in a document.

I don't know what else needs to happen to be able to get this into maps.

Pipeline: WAF --> Logstash --> Elasticsearch

Versions:

Elasticsearch: 7.9.0
Logstash 7.9.0

Here are the relevant fields from a syslog entry in Elasticsearch

"Client_GeoIP": {
  "country_code2": "US",
  "ip": "161.0.10.82",
  "region_code": "NY",
  "longitude": -74.0014,
  "latitude": 40.7503,
  "location": {
    "lon": -74.0014,
    "lat": 40.7503
  },
},
"geoip": {
  "country_code2": "US",
  "ip": "161.0.10.82",
  "longitude": -74.0014,
  "latitude": 40.7503,
  "location": {
    "lon": -74.0014,
    "lat": 40.7503
  },
},

Index Template (Relevant Portion)

...
      "geoip": {
        "dynamic": true,
        "properties": {
          "ip": {
            "type": "ip"
          },
          "latitude": {
            "type": "half_float"
          },
          "location": {
            "type": "geo_point"
          },
          "longitude": {
            "type": "half_float"
          }
        }
      },
      "Client_GeoIP": {
        "dynamic": true,
        "type": "object",
        "properties": {
          "ip": {
            "type": "ip"
          },
          "latitude": {
            "type": "half_float"
          },
          "location": {
            "type": "geo_point"
          },
          "longitude": {
            "type": "half_float"
          }
        }
...

Logstash syslog pipeline config (relevant portions)

...
filter {
...
    if ([Client_IP]) {
        geoip { 
            source => "Client_IP"
            target => "Client_GeoIP"
        }
        geoip {
            source => "Client_IP"
        }
    }
}
output {
    elasticsearch {
...
    template_name => "syslog"
    }
}

aaron-nimocks · August 19, 2020, 12:11am

Seems correct. If you made changes after the initial index pattern was created you might need to go refresh it.

looknleap · August 19, 2020, 3:27am

Well shoot, I wish you had not said that. I refreshed the index pattern right now just in case, but it did not change anything.

jsanz · August 19, 2020, 10:11am

Have you checked the conditions listed from the Troubleshoot documentation page. Looks you already did the second, though.

looknleap · August 19, 2020, 2:53pm

Thanks for that. I had not seen that page.
Good(ish) news! It turned out that one of the indices that I reindexed did not get the original index deleted. That fixed the issue with the original Client_GeoIP field. Now I can select the syslog-* index pattern in maps. However, I am now seeing that there are no options in the "select geo field" dropdown.

Edit: I just had to refresh the index pattern and then it worked. Thank you.

jsanz · August 19, 2020, 3:29pm

Glad it worked, cheers!

system · September 16, 2020, 3:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.