Geo_Point field is not coming

Hi there, I am trying to parse Apache logs using grok, but I am not seeing any geo_point type in my index. Please help.

My template:

{
  "template": "apache_filebeat",
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 0,
    "index.refresh_interval": "5s"
  },
  "mappings": {
    "_default_": {
      "dynamic_templates": [
        {
          "strings": {
            "match": "*",
            "match_mapping_type": "string",
            "mapping": {
              "type": "string",
              "index": "not_analyzed"
            }
          }
        }
      ],
      "properties": {
        "geoip": {
          "properties": {
            "city_name": {"type": "string", "index": "not_analyzed"},
            "continent_code": {"type": "string"},
            "country_code2": {"type": "string"},
            "country_code3": {"type": "string"},
            "country_name": {"type": "string", "index": "not_analyzed"},
            "location": {"type": "geo_point"},
            "latitude": {"type": "half_float"},
            "longitude": {"type": "half_float"}
          }
        }
        "@version": {
          "index": "not_analyzed",
          "type": "string"
        }
      },
      "_all": {
        "enabled": false
      }
    }
  }
}

And my config file:

input {
  beats {
    port => 5044
  }
}

filter {
  # Split the combined Apache log line into fields; response and bytes are cast to integers.
  grok {
    match => {
      "message" => '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}'
    }
  }

  # Use the request time from the log line as @timestamp instead of the ingest time.
  date {
    match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
    locale => en
  }

  # Look up clientip in the GeoIP database; this adds the geoip.* fields, including geoip.location.
  geoip {
    source => "clientip"
  }

  useragent {
    source => "agent"
    target => "useragent"
  }
}

output {
  stdout { }
  elasticsearch {
    hosts => "http://localhost:9200"
    index => "apache_filebeat"
    # Install the mapping template from this file before indexing, overwriting any existing copy.
    template => "./filebeat_apache_template.json"
    template_name => "filebeat_apache_template"
    template_overwrite => true
  }
}

What do the mappings of an actual index look like? What does an example event from that index look like?

Hey Magnus, I was able to parse the field as geo_point, so I was able to plot a map.

But I have another question: as seen in the above Logstash config, clientip would be transformed using grok, but in the template do I need to define the IP field as type 'ip' every time I want to plot the geo map?

For a map to work you need a geo_point field. Kibana doesn't care about the IP address.

But it only worked when I passed this template. Here I am defining both IP and location as specific types.

{
  "template": "apache_filebeat",
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 0,
    "index.refresh_interval": "5s"
  },
  "mappings": {
    "_default_": {
      "dynamic_templates": [
        {
          "strings": {
            "match": "*",
            "match_mapping_type": "string",
            "mapping": {
              "type": "string",
              "index": "not_analyzed"
            }
          }
        }
      ],
      "properties": {
        "geoip": {
          "properties": {
            "city_name": {"type": "string", "index": "not_analyzed"},
            "continent_code": {"type": "string"},
            "ip": {"type": "ip"},
            "country_code2": {"type": "string"},
            "country_code3": {"type": "string"},
            "country_name": {"type": "string", "index": "not_analyzed"},
            "latitude": {"type": "half_float"},
            "longitude": {"type": "half_float"},
            "location": {"type": "geo_point"}
          }
        },
        "@version": {
          "index": "not_analyzed",
          "type": "string"
        }
      },
      "_all": {
        "enabled": true
      }
    }
  }
}

But before that I only defined the location field and not the IP field. At that time it wasn't picking up the location field.

Well, whatever caused the behavior you saw, it wasn't the mapping of the IP address field.
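Since the answer points away from the ip field, the thing to verify is whether the template was installed at all: the first template as posted above is missing a comma after the "geoip" block and does not parse as JSON, while the second one does, and Logstash reads the template file as JSON before it can install it. The script below is an added example, not code from this thread or from Elastic. It parses a template text the way the elasticsearch output does, lists every field its mappings declare as geo_point, and checks a sample event against those paths. The two templates it embeds are constructed, trimmed copies of the ones above (the second one with and without that comma), and the event is a constructed imitation of what the geoip filter adds: 203.0.113.10 is a documentation address and its coordinates are made up.

```python
import json

# Constructed for this example: the thread's second template, trimmed to the parts that matter.
VALID_TEMPLATE = """{
  "template": "apache_filebeat",
  "mappings": {
    "_default_": {
      "properties": {
        "geoip": {
          "properties": {
            "ip": {"type": "ip"},
            "latitude": {"type": "half_float"},
            "longitude": {"type": "half_float"},
            "location": {"type": "geo_point"}
          }
        },
        "@version": {"index": "not_analyzed", "type": "string"}
      }
    }
  }
}"""

# Constructed: the same template with the comma after the "geoip" block dropped,
# which is how the thread's first template reads.
BROKEN_TEMPLATE = VALID_TEMPLATE.replace('},\n        "@version"', '}\n        "@version"')

# Constructed: the shape the Logstash geoip filter (default target "geoip") adds to an event.
# 203.0.113.10 is a documentation address; the coordinates are made up.
SAMPLE_EVENT = {
    "clientip": "203.0.113.10",
    "geoip": {
        "ip": "203.0.113.10",
        "country_code2": "US",
        "latitude": 37.386,
        "longitude": -122.0838,
        "location": [-122.0838, 37.386],  # the filter emits [lon, lat]
    },
}


def load_template(text):
    """Parse a template file as the elasticsearch output does: plain JSON.
    Returns (template, None) on success or (None, error_message) on a syntax error."""
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"line {exc.lineno}, column {exc.colno}: {exc.msg}"


def geo_point_fields(mappings):
    """Walk a mappings block (type -> properties -> nested properties) and return
    the dotted path of every field declared as geo_point."""
    found = []

    def walk(props, prefix):
        for name, spec in props.items():
            path = prefix + name
            if spec.get("type") == "geo_point":
                found.append(path)
            if "properties" in spec:
                walk(spec["properties"], path + ".")

    for _type_name, body in mappings.items():
        walk(body.get("properties", {}), "")
    return found


def get_path(doc, path):
    """Resolve a dotted path inside a nested dict; None if any segment is missing."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc


def looks_like_geo_point(value):
    """True for the two shapes Logstash can emit for a geo_point: [lon, lat] or {"lat": .., "lon": ..}."""
    if isinstance(value, list) and len(value) == 2 and all(isinstance(v, (int, float)) for v in value):
        lon, lat = value
    elif isinstance(value, dict) and {"lat", "lon"} <= set(value):
        lat, lon = value["lat"], value["lon"]
    else:
        return False
    return -90 <= lat <= 90 and -180 <= lon <= 180


def diagnose(template_text, event):
    """Findings for one template text and one sample event: does the template parse,
    which fields are geo_point, and does the event carry usable coordinates there."""
    template, err = load_template(template_text)
    if err:
        return [f"template is not valid JSON ({err}); it will not be installed, so "
                f"dynamic mapping decides the type of geoip.location and it will not be geo_point"]
    fields = geo_point_fields(template.get("mappings", {}))
    if not fields:
        return ["no geo_point field in the template mappings; the Kibana map needs one"]
    findings = []
    for path in fields:
        value = get_path(event, path)
        state = "ok" if looks_like_geo_point(value) else "NOT usable"
        findings.append(f"{path}: geo_point, event value {value!r} {state}")
    return findings


if __name__ == "__main__":
    for label, text in (("first template", BROKEN_TEMPLATE), ("second template", VALID_TEMPLATE)):
        print(label)
        for line in diagnose(text, SAMPLE_EVENT):
            print("  ", line)
```

Run it against your real files by reading the template path given to the elasticsearch output and pasting one document from the index into SAMPLE_EVENT; if the first finding is the JSON error, fix the template before looking any further at field types.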
