Geoip conflict when splitting the index by day

testsoft · February 4, 2021, 10:00am

Good afternoon. Please help with the following question. I use the following standard output config:

    elasticsearch {
            hosts => ["localhost:9200"]
            manage_template => false
            index => "syslog-%{+YYYY.MM.dd}"
}

In Logstash filter:

	geoip {
		source => "[http][access][remote_addr]"
		target => "[geoip]"
	}

I create field geoip in syslog-*. Everything works well and I can use the geo map in Kibana, but only until a new day comes. After a new file with a different date appears, the field conflict occurs (pictures in attach):

please help solve this problem, thank you.

lukas · February 4, 2021, 4:14pm

Do you have any index templates set up for syslog-*? You may need to set up an index template [1] to ensure that new indices are mapping the field as IP rather than objects.

[1] Index templates | Elasticsearch Reference [7.10] | Elastic

testsoft · February 5, 2021, 7:27am

Thank You for help, it works!

system · March 5, 2021, 7:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.