Error when trying to add documents layer to maps

looknleap · August 18, 2020, 10:32pm

I am trying to get a map visualization working, but I get the error: "Couldn't find any index patterns with geospatial fields"

As shown below, I have have the index template setup with a geoip field mapping (2 actually, client_GeoIP and geoip), the logstash output to elasticsearch is set to create geoip fields, and I see what I believe to be correctly created geoip fields in a document.

I don't know what else needs to happen to be able to get this into maps.

Pipeline: WAF --> Logstash --> Elasticsearch

Versions:

Elasticsearch: 7.9.0
Logstash 7.9.0

Here are the relevant fields from a syslog entry in Elasticsearch

"Client_GeoIP": {
  "country_code2": "US",
  "ip": "161.0.10.82",
  "region_code": "NY",
  "longitude": -74.0014,
  "latitude": 40.7503,
  "location": {
    "lon": -74.0014,
    "lat": 40.7503
  },
},
"geoip": {
  "country_code2": "US",
  "ip": "161.0.10.82",
  "longitude": -74.0014,
  "latitude": 40.7503,
  "location": {
    "lon": -74.0014,
    "lat": 40.7503
  },
},

Index Template (Relevant Portion)

...
      "geoip": {
        "dynamic": true,
        "properties": {
          "ip": {
            "type": "ip"
          },
          "latitude": {
            "type": "half_float"
          },
          "location": {
            "type": "geo_point"
          },
          "longitude": {
            "type": "half_float"
          }
        }
      },
      "Client_GeoIP": {
        "dynamic": true,
        "type": "object",
        "properties": {
          "ip": {
            "type": "ip"
          },
          "latitude": {
            "type": "half_float"
          },
          "location": {
            "type": "geo_point"
          },
          "longitude": {
            "type": "half_float"
          }
        }
...

Logstash syslog pipeline config (relevant portions)

...
filter {
...
    if ([Client_IP]) {
        geoip { 
            source => "Client_IP"
            target => "Client_GeoIP"
        }
        geoip {
            source => "Client_IP"
        }
    }
}
output {
    elasticsearch {
...
    template_name => "syslog"
    }
}

aaron-nimocks · August 19, 2020, 12:11am

Seems correct. If you made changes after the initial index pattern was created you might need to go refresh it.

looknleap · August 19, 2020, 3:27am

Well shoot, I wish you had not said that. I refreshed the index pattern right now just in case, but it did not change anything.

jsanz · August 19, 2020, 10:11am

Have you checked the conditions listed from the Troubleshoot documentation page. Looks you already did the second, though.

looknleap · August 19, 2020, 2:53pm

Thanks for that. I had not seen that page.
Good(ish) news! It turned out that one of the indices that I reindexed did not get the original index deleted. That fixed the issue with the original Client_GeoIP field. Now I can select the syslog-* index pattern in maps. However, I am now seeing that there are no options in the "select geo field" dropdown.

Edit: I just had to refresh the index pattern and then it worked. Thank you.

jsanz · August 19, 2020, 3:29pm

Glad it worked, cheers!

system · September 16, 2020, 3:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Error: Index pattern does not contain any geospatial fields Logstash	1	504	September 20, 2022
The index pattern <INDEX_NAME>* does not contain any of the following compatible field types: geo_point Elasticsearch	12	2449	February 17, 2020
GeoIP data present but cannot be displayed Kibana	10	1631	May 16, 2018
Still has the problem that index pattern does not contain any of the following field types: geo_point Elasticsearch	4	424	November 29, 2018
Could not locate that index-pattern-field (id: iis.access.geoip.location) Kibana	4	1355	October 3, 2018

Error when trying to add documents layer to maps

Related topics