Facing Issue in converting geoip.location to geo_point datatype

Rakesh_Thangapandian · December 11, 2018, 3:33pm

Hi Community Members,

I have tried to generate the visualization using coordinate maps in kibana from nginx server logs which is streamed in elasticsearch storage, since i failed in type casting geo_point datatype properly for geoip.location field i was not able to generate reports.

After researching on web, I have configured my logstach filter plugin like below, but it haven't worked out properly

LoGSTACH CONFIG FILE:

input {
  beats {
    port => 5044
  }

}

filter {

if [fileset][name] == "access" {
grok {
match => [ "message" , "%{COMBINEDAPACHELOG}+%{GREEDYDATA:extra_fields}"]
overwrite => [ "message" ]
}

  
geoip {
source => "clientip"
target => "geoip"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
add_tag => [ "nginx-geoip" ]
}

mutate {
    convert => ["response", "integer"]
    convert => ["bytes", "integer"]
    convert => ["responsetime", "float"]
    convert => [ "[geoip][coordinates]", "float"]
    }

date {
match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
remove_field => [ "timestamp" ]
}



useragent {
      source => "user_agent"    
}
}

else if [fileset][name] == "error" {
grok {
match => [ "message" , "(?<timestamp>%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY}[- ]%{TIME}) \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER}: %{GREEDYDATA:errormessage}(?:, client: (?<client>%{IP}|%{HOSTNAME}))(?:, server: %{IPORHOST:server})(?:, request: %{QS:request})?(?:, upstream: \"%{URI:upstream}\")?(?:, host: %{QS:host})?(?:, referrer: \"%{URI:referrer}\")"]
overwrite => [ "message" ]
}
 

geoip {
source => "client"
target => "geoip"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
add_tag => [ "nginx-geoip" ]
}
 
mutate {
    convert => [ "[geoip][coordinates]", "float"]
   }

date {
match => [ "timestamp" , "YYYY/MM/dd HH:mm:ss" ]
remove_field => [ "timestamp" ]
}
}

output {
if [fileset][name] == "access" {
elasticsearch {
		hosts => "elasticsearch:9200"          
		index => "nginx-access"       
	}
}
else if [fileset][name] == "error" {
elasticsearch {
		hosts => "elasticsearch:9200"          
		index => "nginx-error"       
	}
}
}

Any Help will be greatly appreciated...

Thank You!

chandra0651 · December 11, 2018, 6:18pm

mutate {
                add_field => {
                "MLGeo" => "%{[geoip][latitude]}, %{[geoip][longitude]}"
                    }
                     }

I dont think you have to convert the type to float

Rakesh_Thangapandian · December 12, 2018, 2:42pm

Tried the above mentioned changes, still I am getting "No Compatible Fields" in kibana coordinate map visualization, Which wants geo_point type as field

chandra0651 · December 12, 2018, 4:13pm

You need to define mappings for geo point field before the index creation some thing like below

"MLGeo": {
            "type": "geo_point",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          }

system · January 9, 2019, 4:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to convert to geopoint Logstash	4	2255	July 18, 2017
Geo point in logstash Logstash	9	4337	March 6, 2017
Getting GeoIP field for NGINX Logs Logstash	2	987	July 18, 2020
LogStash, GeoJSON and Kibana Logstash	5	701	July 30, 2021
Geoip filter not creating type geo_point but only string type Logstash	3	288	June 18, 2020

Facing Issue in converting geoip.location to geo_point datatype

Related topics