Geoip conflict when splitting the index by day

testsoft · February 4, 2021, 10:00am

Good afternoon. Please help with the following question. I use the following standard output config:

    elasticsearch {
            hosts => ["localhost:9200"]
            manage_template => false
            index => "syslog-%{+YYYY.MM.dd}"
}

In Logstash filter:

	geoip {
		source => "[http][access][remote_addr]"
		target => "[geoip]"
	}

I create field geoip in syslog-*. Everything works well and I can use the geo map in Kibana, but only until a new day comes. After a new file with a different date appears, the field conflict occurs (pictures in attach):

please help solve this problem, thank you.

lukas · February 4, 2021, 4:14pm

Do you have any index templates set up for syslog-*? You may need to set up an index template [1] to ensure that new indices are mapping the field as IP rather than objects.

[1] Index templates | Elasticsearch Reference [7.10] | Elastic

testsoft · February 5, 2021, 7:27am

Thank You for help, it works!

system · March 5, 2021, 7:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
IP address mapping conflict Kibana	4	2935	March 29, 2017
Using custom target for geoip filter, how to update Elasticsearch template? Logstash	7	753	April 21, 2018
Geoip.location mapped as double Kibana	10	2823	July 6, 2017
Why my mappings for a index conflict after rebooting elasticsearch? Elasticsearch	2	508	July 5, 2017
Logstash conf - geoIP not workin Logstash	5	340	December 26, 2018

Geoip conflict when splitting the index by day

Good afternoon. Please help with the following question. I use the following standard output config:

In Logstash filter:

Related topics