Facing Issue in converting geoip.location to geo_point datatype

Rakesh_Thangapandian · December 11, 2018, 3:33pm

Hi Community Members,

I have tried to generate the visualization using coordinate maps in kibana from nginx server logs which is streamed in elasticsearch storage, since i failed in type casting geo_point datatype properly for geoip.location field i was not able to generate reports.

After researching on web, I have configured my logstach filter plugin like below, but it haven't worked out properly

LoGSTACH CONFIG FILE:

input {
  beats {
    port => 5044
  }

}

filter {

if [fileset][name] == "access" {
grok {
match => [ "message" , "%{COMBINEDAPACHELOG}+%{GREEDYDATA:extra_fields}"]
overwrite => [ "message" ]
}

  
geoip {
source => "clientip"
target => "geoip"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
add_tag => [ "nginx-geoip" ]
}

mutate {
    convert => ["response", "integer"]
    convert => ["bytes", "integer"]
    convert => ["responsetime", "float"]
    convert => [ "[geoip][coordinates]", "float"]
    }

date {
match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
remove_field => [ "timestamp" ]
}



useragent {
      source => "user_agent"    
}
}

else if [fileset][name] == "error" {
grok {
match => [ "message" , "(?<timestamp>%{YEAR}[./-]%{MONTHNUM}[./-]%{MONTHDAY}[- ]%{TIME}) \[%{LOGLEVEL:severity}\] %{POSINT:pid}#%{NUMBER}: %{GREEDYDATA:errormessage}(?:, client: (?<client>%{IP}|%{HOSTNAME}))(?:, server: %{IPORHOST:server})(?:, request: %{QS:request})?(?:, upstream: \"%{URI:upstream}\")?(?:, host: %{QS:host})?(?:, referrer: \"%{URI:referrer}\")"]
overwrite => [ "message" ]
}
 

geoip {
source => "client"
target => "geoip"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
add_tag => [ "nginx-geoip" ]
}
 
mutate {
    convert => [ "[geoip][coordinates]", "float"]
   }

date {
match => [ "timestamp" , "YYYY/MM/dd HH:mm:ss" ]
remove_field => [ "timestamp" ]
}
}

output {
if [fileset][name] == "access" {
elasticsearch {
		hosts => "elasticsearch:9200"          
		index => "nginx-access"       
	}
}
else if [fileset][name] == "error" {
elasticsearch {
		hosts => "elasticsearch:9200"          
		index => "nginx-error"       
	}
}
}

Any Help will be greatly appreciated...

Thank You!

chandra0651 · December 11, 2018, 6:18pm

mutate {
                add_field => {
                "MLGeo" => "%{[geoip][latitude]}, %{[geoip][longitude]}"
                    }
                     }

I dont think you have to convert the type to float

Rakesh_Thangapandian · December 12, 2018, 2:42pm

Tried the above mentioned changes, still I am getting "No Compatible Fields" in kibana coordinate map visualization, Which wants geo_point type as field

chandra0651 · December 12, 2018, 4:13pm

You need to define mappings for geo point field before the index creation some thing like below

"MLGeo": {
            "type": "geo_point",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          }

system · January 9, 2019, 4:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Getting GeoIP field for NGINX Logs Logstash	2	982	July 18, 2020
LogStash, GeoJSON and Kibana Logstash	5	698	July 30, 2021
Map geoip.location to geo_point by default Logstash	5	4048	July 6, 2017
Mapping field as geo_point Logstash	3	1526	December 29, 2020
JSON latitude/longitude to geo_point Elasticsearch	5	12493	July 5, 2017

Facing Issue in converting geoip.location to geo_point datatype

Related Topics