I'm using Logstash to index MongoDB documents into ES. Everything goes well, but the location object is not indexed. I defined a template mapping as geo_point as follows:
Do you see any ERROR or WARN in your Logstash log when you try to index the document? Is your time filter in the Discover tab correctly set to show the time the document was set to be indexed at?
Time filter in discover is ok and I see my documents but without arrival_in.
There are 4 WARN lines in the log:
[2020-04-27T11:16:22,808][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
...
[2020-04-27T11:16:43,563][WARN ][logstash.outputs.elasticsearch][main] Restored connection to ES instance {:url=>"http://localhost:9200/"}
[2020-04-27T11:16:43,680][INFO ][logstash.outputs.elasticsearch][main] ES Output version determined {:es_version=>7}
[2020-04-27T11:16:43,688][WARN ][logstash.outputs.elasticsearch][main] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>7}
[2020-04-27T11:16:43,762][DEBUG][logstash.instrument.periodicpoller.jvm] collector name {:name=>"ParNew"}
[2020-04-27T11:16:43,776][DEBUG][logstash.instrument.periodicpoller.jvm] collector name {:name=>"ConcurrentMarkSweep"}
[2020-04-27T11:16:43,805][INFO ][logstash.outputs.elasticsearch][main] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//localhost:9200"]}
[2020-04-27T11:16:43,968][WARN ][org.logstash.instrument.metrics.gauge.LazyDelegatingGauge][main] A gauge metric of an unknown type (org.jruby.specialized.RubyArrayOneObject) has been create for key: cluster_uuids. This may result in invalid serialization. It is recommended to log an issue to the responsible developer/development team.
I ran your log over my Logstash docker and here are a few problems that I see:
1. Your response from your MongoDB query is an array of JSON docs (from what I can see in your response). Your filter plugin does not address this. Assuming you want each of those JSON docs indexed as a separate doc in Elasticsearch, you need to loop over that array.
2. After you do 1, you need to use json { source => "message" }; this will make sure each JSON entry gets parsed as a JSON doc. This should let your arrival_in field get indexed as a geo_point.
3. Your arrival_at and departure_at are both nested JSON fields while your mapping expects them to be of type date, so there is a clear conflict there. You need to pull those fields out and bring them to the root. Here is the error I got when I tried to index it.
logstash | [2020-04-27T12:14:32,277][WARN ][logstash.outputs.elasticsearch][main] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"trip-3-2020.04.27", :routing=>nil, :_type=>"_doc"}, #<LogStash::Event:0x512dda17>], :response=>{"index"=>{"_index"=>"trip-3-2020.04.27", "_type"=>"_doc", "_id"=>"JLyPu3EBaCCXfMYpcRQ4", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [arrival_at] of type [date] in document with id 'JLyPu3EBaCCXfMYpcRQ4'. Preview of field's value: '{$date=2019-03-18T18:08:17Z}'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:45"}}}}}
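The conflict reported in that error, as an added example that is not part of the original thread and is not the poster's Logstash configuration: standalone Ruby that splits an array response into one event per document and unwraps the Extended JSON `$date` objects so the values fit a `date` mapping. The sample documents, the `lat`/`lon` shape of arrival_in, and the helper names `unwrap_dates`, `to_events` and `date_conflicts` are assumptions made for illustration.

```ruby
require "json"
require "time"

# Constructed sample of a MongoDB response: an array of Extended JSON docs.
# The arrival_in shape (lat/lon object) is an assumption, not from the thread.
SAMPLE = <<~'JSON'
  [
    {"name": "trip-a",
     "arrival_at":   {"$date": "2019-03-18T18:08:17Z"},
     "departure_at": {"$date": "2019-03-18T17:40:02Z"},
     "arrival_in":   {"lat": 48.85, "lon": 2.35}},
    {"name": "trip-b",
     "arrival_at":   {"$date": "2019-03-19T09:00:00Z"},
     "departure_at": {"$date": "2019-03-19T08:12:30Z"},
     "arrival_in":   {"lat": 45.76, "lon": 4.83}}
  ]
JSON

# Replace every {"$date" => ...} wrapper, at any depth, with an ISO 8601 string.
def unwrap_dates(value)
  case value
  when Hash
    return value.transform_values { |v| unwrap_dates(v) } unless value.keys == ['$date']
    raw = value['$date']
    case raw
    when String  then Time.iso8601(raw).utc.iso8601          # raises if malformed
    when Integer then Time.at(raw.to_r / 1000).utc.iso8601   # epoch milliseconds
    else value                                               # unknown form: leave visible
    end
  when Array then value.map { |v| unwrap_dates(v) }
  else value
  end
end

# One event per array element, so each doc is indexed separately.
def to_events(raw)
  parsed = JSON.parse(raw)
  (parsed.is_a?(Array) ? parsed : [parsed]).map { |doc| unwrap_dates(doc) }
end

# Fields the mapping types as date but that still hold an object.
def date_conflicts(doc, date_fields)
  date_fields.select { |f| doc[f].is_a?(Hash) }
end

if __FILE__ == $PROGRAM_NAME
  to_events(SAMPLE).each { |e| puts JSON.generate(e) }
end
```

Running `date_conflicts` on a document before and after `unwrap_dates` shows which fields would trigger the mapper_parsing_exception above.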
Thank you again. I can do that and loop over my array, but how can you explain why all other fields are well mapped (text, string and number fields) but not the GPS coordinates one?
I think that Logstash and ES consider them as separate docs because I get the right number of docs in ES after Logstash finishes its processing (647 docs indexed), the right doc count.
I tested it manually, I mean I inserted one of those docs using the dev console of Kibana, and it works well and arrival_in is recognized as geo_point.