Geo_point : elastisearch 5.6.4 on RPI3

Elastic Stack Elasticsearch
1

Hi, i reset my instance (perfectly running from 4 months) due to design and shard computation issues on this tiny machine. Unfortunately, all is running again as a charm except MAP. I read many blogs, threads but no one give me the solution.

My geoIP filter is running fine (country code, lat, long are ok ) but the MAP is gone... when i select a new map and geo hash i have this item No Compatible Fields: The "logstash-*" index pattern does not contain any of the following field types: geo_point.

Geoip pipeline filter is running and coordinates are filled as well as city, iso_code ? i got this issue one time but i forgot and could not found how i solved !
I tried all the sorcery and need accuracy :grinning: thanks

19
Capture d’écran 2018-05-15 à 18.33.19.png1914×904 33.9 KB

2

here get GET / _mapping
{
"logstash-2018.05": {
"mappings": {
"syslog": {
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"CPU": {
"type": "long"
},
"Disk": {
"type": "long"
},
"Port": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"RAM": {
"type": "long"
},
"Temp": {
"type": "long"
},
"Varx": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"geoip": {
** "properties": {**
** "city_name": {**
** "type": "text",**
** "fields": {**
** "keyword": {**
** "type": "keyword",**
** "ignore_above": 256**
** }**
** }**
** },**
** "continent_name": {**
** "type": "text",**
** "fields": {**
** "keyword": {**
** "type": "keyword",**
** "ignore_above": 256**
** }**
** }**
** },**
** "country_iso_code": {**
** "type": "text",**
** "fields": {**
** "keyword": {**
** "type": "keyword",**
** "ignore_above": 256**
** }**
** }**
** },**
** "location": {**
** "properties": {**
** "lat": {**
** "type": "float"**
** },**
** "lon": {**
** "type": "float"**
** }**
** }**
** },**
** "region_name": {**
** "type": "text",**
** "fields": {**
** "keyword": {**
** "type": "keyword",**
** "ignore_above": 256**
** }**
}
}
}
},

3

It doesn't look like you have a location field that is mapped correctly. Check out https://www.elastic.co/blog/geoip-in-the-elastic-stack for some guidance on how to resolve this.

4

Hi Mark, I have already read your blog before and re-read again. I am still stuck. I remembered because i am living in sydney too :grinning:

I run the command PUT /.kibana/_mapping/syslog
{
"properties": {
"geoip": {
"properties": {
"location": {
"type": "geo_point"
}
} }
}
}
it return true. i reload but i still have the same message on the map (cf screen shot) .
pipeline filter is running fine too. lat-lon are filled correctly.

"geoip": {
"properties": {
"city_name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"continent_name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"country_iso_code": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"location": {
"properties": {
"lat": {
"type": "float"
},
"lon": {
"type": "float"
}
}
},
"region_name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}

29
Capture d’écran 2018-05-18 à 16.00.29.png890×870 46.6 KB

5

Once an index has defined a mapping for a field, you can not change that without reindexing your data. You should add the mapping to an index template so that it will apply to all new indices. You can then reindex your data into new indices and this template will apply and correct your mapping.

6

You are defining a geoip.location field, but the pipeline creates geoip.lat and geoip.lon.

7

reindex your data into new indices:

I created a template my_logs with geo_point using PUT /_template/my_logs.

  • I know how to reindex logstach-* to a new index nlogstash* using Post _reindex

POST _reindex
{
"source": {
"index": "logstash-*"
},
"dest": {
"index": "nlogstash-2018-05",
"version_type": "internal"
}
}

  • but i don't know how to apply the template my_logs to the newindex because when i created a map with nlogstash- i have the same issue with geo_point ?
    22
    22870×726 44.4 KB

PUT /_template/my_logs
{
"template": "logstash-",
"order": 1,
"settings": {
"number_of_shards": 1
},
"mappings" : {
"default" : {
"_all" : {"enabled" : true},
"dynamic_templates" : [ {
"string_fields" : {
"match" : "",
"match_mapping_type" : "string",
"mapping" : {
}
}
} ],
"properties" : {
"geoip" : {
"type" : "object",
"dynamic": true,
"properties" : {
"location" : { "type" : "geo_point" }
}
}
}
}
}
}

8

heya, can you check my last reply please ? thanks :disappointed_relieved:

9

Hi, I created a template adding geo_point. The template is fine. I reindex my old index to a new one but the template does not apply ? might miss something see previous message. thanks in advance. regards

10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.