Geo_point missing

Hello,

I saw a lot of questions and solutions for this issue in the forums, but none of them solves my problem, so I decided to ask.

My question is about geo_point. Kibana shows this message when I'm trying to create a tile map:
index pattern does not contain any of the following field types: geo_point

And why am I asking this in the Logstash forum? Because I think the problem is on the Logstash side.

My pattern looks like this:

filter {
    if [type] == "nginx-access" {
        grok {
            patterns_dir => ["/opt/logstash/patterns"]
            match => [ "message" , "%{NGINXACCESS}"]
            overwrite => [ "message" ]
        }

        geoip {
            source => "clientip"
            add_field => [ "[geoip][location]", "%{longitude}" ]
            add_field => [ "[geoip][location]", "%{latitude}" ]
        }

        date {
            match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
        }

        mutate {
            convert => ["response", "integer"]
            convert => ["bytes", "integer"]
            convert => ["responsetime", "float"]
            convert => [ "[geoip][location]", "float" ]
        }

        useragent {
            source => "agent"
        }
    }
}

output {
    if [type] == "nginx-access" {
        elasticsearch {
            hosts => ["elasticsearch:9200"]
            index => "nginx-access-%{+YYYY.MM.dd}"
            template_name => "logstash"
        }
    }
}

The geoip filter is working nicely because the tag _geoip_lookup_failure is not appearing in the trace logs that have a correct IP.

I tried with and without the lines:

add_field => [ "[geoip][location]", "%{longitude}" ]
add_field => [ "[geoip][location]", "%{latitude}" ]
convert => [ "[geoip][location]", "float" ]

Also with and without

 template_name => "logstash"

Any hint about why geo_point is not in the index?

PS: Another simple question: is there a simple way to block the geoip filter if the IP is from localhost?

UPDATE: If I don't use the custom index and use the default index, it works well, so I think there is some trouble with the template_name, but I have no idea what the problem is.

> UPDATE: If I don't use the custom index and use the default index, it works well, so I think there is some trouble with the template_name, but I have no idea what the problem is.

Not the template name but the template pattern. The default index template that ships with Logstash matches indexes named logstash-*. You have to supply another index template that matches your indexes (or manage the templates completely outside Logstash).

Ok thanks for the hint.

I'm reading this documentation https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html, but I still have some doubts. Is there an easy way to propagate the template pattern of Logstash to the other indexes, so I don't need to define the template_name? Is it possible to add a wildcard or something like this in the template field?


Sorry, I don't understand the question.

OK, let me check if I can explain it in another way.

Is there a way to tell the Logstash template pattern to match not only the index logstash-*, but also my custom indexes?

Like:

PUT _template/logstash
{
  "template": "*"
}

Oh. Sure, you can configure the template pattern to match all indexes as in your example, but I don't think you can say "logstash-* and otherindex-*". Then you need to install two different templates.
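
The fix the replies point to, as an added example that is not part of the original thread: a second index template whose pattern matches the custom nginx-access-* indexes and maps [geoip][location] as geo_point. The template name nginx-access, the ES_URL variable and the function names are assumptions; the body uses the legacy _template syntax shown above (Elasticsearch 2.x/5.x) and assumes the geoip filter is left to populate [geoip][location] itself.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: template name "nginx-access",
# the legacy _template API with the "template" key (as used on this page), and
# the "_default_" mapping of Elasticsearch 2.x/5.x.
ES_URL="${ES_URL:-http://elasticsearch:9200}"   # host taken from the output block

# Index template whose pattern matches the custom nginx-access-YYYY.MM.dd indexes.
template_body() {
cat <<'EOF'
{
  "template": "nginx-access-*",
  "mappings": {
    "_default_": {
      "properties": {
        "geoip": {
          "properties": {
            "location": { "type": "geo_point" }
          }
        }
      }
    }
  }
}
EOF
}

# Succeeds if the JSON on stdin maps at least one field as geo_point.
has_geo_point() {
  grep -Eq '"type"[[:space:]]*:[[:space:]]*"geo_point"'
}

# Install the template under the assumed name "nginx-access".
install_template() {
  template_body | curl -sS -X PUT "$ES_URL/_template/nginx-access" \
    -H 'Content-Type: application/json' --data-binary @-
}

# Check an index mapping, e.g. check_index nginx-access-2016.01.01 (constructed name).
check_index() {
  curl -sS "$ES_URL/$1/_mapping" | has_geo_point
}

case "${1:-}" in
  install) install_template ;;
  check)   check_index "$2" ;;
esac
```

Templates are applied only when an index is created, so indexes that already exist keep their old mapping until they are recreated or reindexed. After that, refresh the field list of the Kibana index pattern so the geo_point field is picked up.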
