ruflin,
Sorry, I don't understand your response. I do use Logstash to split up my log lines.
Here's the filter I'm using to get geoip data:
filter {
  if [type] == "apache-access" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
      locale => "en"
      target => "@timestamp"
    }
    geoip {
      source => "clientip"
      database => "/etc/logstash/GeoLiteCity.dat"
      target => "geoip"
      # longitude first, then latitude (the order a geo_point array expects)
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
      add_tag => "geoip"
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }
}
In order to keep my beats indices separate (especially Topbeat and Packetbeat), I've set up output like this:
output {
  if [@metadata][beat] {
    elasticsearch {
      hosts => ["http://10.0.101.101:9200"]
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  } else {
    elasticsearch { hosts => ["10.0.101.101:9200"] }
    stdout { codec => rubydebug }
  }
}
That gives me the following indices: logstash-*, filebeat-*, topbeat-*, packetbeat-*, ... I can see geoip data in various filebeat log captures, as in the following (sorry for the length of this):
{
  "_index": "filebeat-2016.08.26",
  "_type": "apache-access",
  "_id": "AVbHcdzSCSz4NTRp6VCx",
  "_score": null,
  "_source": {
    "message": "158.130.6.191 - - [26/Aug/2016:11:22:01 -0400] \"HEAD /images/ HTTP/1.1\" 404 - \"-\" \"Mozilla/5.0 zgrab/0.x\"",
    "@version": "1",
    "@timestamp": "2016-08-26T15:22:01.000Z",
    "input_type": "log",
    "fields": null,
    "type": "apache-access",
    "beat": {
      "hostname": "myhost.com",
      "name": "myhost.com"
    },
    "source": "/var/log/httpd/access_log",
    "offset": 5621849,
    "count": 1,
    "host": "myhost",
    "tags": [
      "log",
      "beats_input_codec_plain_applied",
      "geoip"
    ],
    "clientip": "x.x.x.x",
    "ident": "-",
    "auth": "-",
    "timestamp": "26/Aug/2016:11:22:01 -0400",
    "verb": "HEAD",
    "request": "/images/",
    "httpversion": "1.1",
    "response": "404",
    "referrer": "\"-\"",
    "agent": "\"Mozilla/5.0 zgrab/0.x\"",
    "geoip": {
      "ip": "y.y.y.y",
      "country_code2": "US",
      "country_code3": "USA",
      "country_name": "United States",
      "continent_code": "NA",
      "region_name": "PA",
      "city_name": "Philadelphia",
      "postal_code": "19104",
      "latitude": 39.9597,
      "longitude": -75.1968,
      "dma_code": 504,
      "area_code": 215,
      "timezone": "America/New_York",
      "real_region_name": "Pennsylvania",
      "location": [
        -75.1968,
        39.9597
      ],
      "coordinates": [
        -75.1968,
        39.9597
      ]
    }
  },
  "fields": {
    "@timestamp": [
      1472224921000
    ]
  },
  "highlight": {
    "tags": [
      "@kibana-highlighted-field@geoip@/kibana-highlighted-field@"
    ]
  },
  "sort": [
    1472224921000
  ]
}
Great. Now how do I visualize this in Kibana? As stated in the OP, I get "No Compatible Fields: The "filebeat-*" index pattern does not contain any of the following field types: geo_point" if I use the filebeat-* indices, and no output if I use logstash-* indices.
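The Kibana message quoted above is a mapping check, not a data check: the tile map only offers fields whose mapping type is geo_point, and a field that Logstash filled with a [lon, lat] array of floats is still just two doubles unless the index mapping says otherwise. The following is an added example (it is not code from the post or from the Elastic projects) that reproduces that check offline against a constructed mapping shaped like the filebeat-2016.08.26 document above, and builds an index template that maps geoip.location as geo_point for filebeat-* indices. The template name "filebeat-geoip", the use of the Elasticsearch 2.x "_default_" mapping syntax, and the dynamically-mapped sample mapping are assumptions.

```python
"""
Added example: check an Elasticsearch mapping for geo_point fields the
way Kibana's map visualization does, and produce an index template that
adds one for filebeat-* indices.  Sample mappings/events are constructed
to mirror the post's document; the template shape follows Elasticsearch
2.x syntax ("_default_" mapping), which is an assumption about the
cluster in the post.
"""
import json


def geo_point_fields(mapping, prefix=""):
    """Return dotted paths of every field mapped as geo_point, walking
    nested object "properties".  Kibana's tile map needs at least one."""
    found = []
    for name, spec in mapping.get("properties", {}).items():
        path = prefix + name
        if spec.get("type") == "geo_point":
            found.append(path)
        if "properties" in spec:  # object field with sub-fields
            found.extend(geo_point_fields(spec, path + "."))
    return found


def location_is_lon_lat(event):
    """A geo_point given as an array must be [longitude, latitude].
    Verify the event's geoip.location array matches its own scalar
    longitude/latitude fields and is within range."""
    geo = event["geoip"]
    lon, lat = geo["location"]
    return (
        lon == geo["longitude"]
        and lat == geo["latitude"]
        and -180.0 <= lon <= 180.0
        and -90.0 <= lat <= 90.0
    )


def filebeat_geoip_template(pattern="filebeat-*"):
    """Index template applied to every index created after it is PUT.
    Without it, dynamic mapping turns geoip.location into plain doubles
    (see FILEBEAT_DYNAMIC_MAPPING), which Kibana cannot map."""
    return {
        "template": pattern,
        "mappings": {
            "_default_": {
                "properties": {
                    "geoip": {
                        "type": "object",
                        "dynamic": True,
                        "properties": {"location": {"type": "geo_point"}},
                    }
                }
            }
        },
    }


# Constructed: what dynamic mapping produces for the post's document when
# manage_template => false and no geo_point template exists for filebeat-*.
FILEBEAT_DYNAMIC_MAPPING = {
    "properties": {
        "clientip": {"type": "string"},
        "response": {"type": "string"},
        "geoip": {
            "properties": {
                "latitude": {"type": "double"},
                "longitude": {"type": "double"},
                "location": {"type": "double"},     # array of doubles
                "coordinates": {"type": "double"},  # same, after mutate/convert
                "city_name": {"type": "string"},
            }
        },
    }
}

# Constructed event, reduced to the fields used here (values from the post).
SAMPLE_EVENT = {
    "clientip": "x.x.x.x",
    "geoip": {
        "latitude": 39.9597,
        "longitude": -75.1968,
        "location": [-75.1968, 39.9597],
    },
}

if __name__ == "__main__":
    print("geo_point fields in dynamic filebeat mapping:",
          geo_point_fields(FILEBEAT_DYNAMIC_MAPPING))
    tmpl = filebeat_geoip_template()
    print("geo_point fields in template:",
          geo_point_fields(tmpl["mappings"]["_default_"]))
    print("event location is [lon, lat]:", location_is_lon_lat(SAMPLE_EVENT))
    # Body for: curl -XPUT http://10.0.101.101:9200/_template/filebeat-geoip -d @body.json
    print(json.dumps(tmpl, indent=2))
```

Two caveats a practitioner would check before blaming Kibana: a template only affects indices created after it is installed, so the existing filebeat-2016.08.26 index keeps its double mapping until it rolls over or is reindexed, and Kibana caches the field list per index pattern, so the pattern's fields have to be refreshed in Settings before geo_point shows up as a compatible field.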