GeoIP data without geo_point

I'm not able to create geo_point data with Elastic Stack 6.8.6. Geolocation works, but without geo_point. That means I cannot use it in Kibana.

This is my Elastic template part:

"geoip"  : {
    "dynamic": true,
    "properties" : {
        "ip": { "type": "ip" },
        "location" : { "type" : "geo_point" },
        "latitude" : { "type" : "half_float" },
        "longitude" : { "type" : "half_float" }
    }
}

Based on the documentation, geo_point should be in geoip.location. But in Elastic I see fields geoip.location.lat and geoip.location.lon. Here is my part of the document:

"geoip" : {
    "country_name" : "United States",
    "continent_code" : "NA",
    "ip" : "40.77.188.XXX",
    "country_code2" : "US",
    "country_code3" : "US",
    "location" : {
        "lat" : 37.751,
        "lon" : -97.822
    },
    "longitude" : -97.822,
    "latitude" : 37.751
}

The only magic in Logstash is:

geoip {
    source => "source_ip"
}

Any suggestion as to what can be wrong in my config?

The mapping looks good to me.

If you can't make it work, could you provide a full recreation script as described in About the Elasticsearch category? It will help to better understand what you are doing. Please try to keep the example as simple as possible.

A full reproduction script will help readers to understand, reproduce and if needed fix your problem. It will also most likely help to get a faster answer.

There is no script at all. I'm just receiving logs from Filebeats, and Logstash is parsing them. After that I get a field named source_ip, which contains an IP (IPv6 or IPv4). I get GeoIP data from this field:

geoip {
    source => "source_ip"
}

and send it into Elastic:

output {
    elasticsearch {
        hosts => ["localhost:9200"]
        index => "webserver-%{[@metadata][beat]}-%{+YYYY.MM.dd.HH}"
        ilm_enabled => true
    }
}

This is what I see in Logstash log:

output received {
    ...
    "geoip"=>{
        "ip"=>"77.16.209.XXX",
        "region_code"=>"03",
        "location"=>{"lon"=>10.7487, "lat"=>59.905},
        "postal_code"=>"0001",
        "latitude"=>59.905,
        "timezone"=>"Europe/Oslo",
        "city_name"=>"Oslo",
        "country_code2"=>"NO",
        "continent_code"=>"EU",
        "country_name"=>"Norway",
        "country_code3"=>"NO",
        "longitude"=>10.7487,
        "region_name"=>"Oslo County"
    },
    ...
}

It looks like an index conflict of new indices and old ones.

I closed all webserver indices, refreshed the index pattern with only the new ones, and I have geo_point back in Kibana in the geoip.location field.
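
The conflict described in the last post can be confirmed before closing anything by comparing the mapping of geoip.location across every index the pattern matches. The Python below is an added example, not code from the thread: it takes the parsed JSON body of GET webserver-*/_mapping, and the index names and sample mappings in it are constructed.

```python
# Added example: list indices whose mapping for a field is not the expected type.
# Input: the JSON body of GET <pattern>/_mapping, already parsed into a dict.

def field_type(properties, path):
    """Walk a mapping 'properties' tree along a dotted path; return the leaf type."""
    node = {"properties": properties}
    for part in path.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return "unmapped"
    # Object fields carry no explicit "type", only sub-properties (e.g. lat/lon).
    return node.get("type", "object")

def mapping_roots(index_body):
    """Yield each 'properties' tree of one index (6.x typed or typeless layout)."""
    mappings = index_body.get("mappings", {})
    if "properties" in mappings:              # typeless layout
        yield mappings["properties"]
        return
    for type_body in mappings.values():       # 6.x: mappings -> <type> -> properties
        if isinstance(type_body, dict) and "properties" in type_body:
            yield type_body["properties"]

def find_conflicts(mapping_response, path="geoip.location", expected="geo_point"):
    """Return {index: actual_type} for every index where path is not `expected`."""
    conflicts = {}
    for index, body in sorted(mapping_response.items()):
        for props in mapping_roots(body):
            actual = field_type(props, path)
            if actual != expected:
                conflicts[index] = actual
    return conflicts

# Constructed sample: one index created before the template applied (location was
# mapped dynamically as an object with float lat/lon) and one created after it.
SAMPLE = {
    "webserver-filebeat-old": {"mappings": {"doc": {"properties": {
        "geoip": {"properties": {"location": {"properties": {
            "lat": {"type": "float"}, "lon": {"type": "float"}}}}}}}}},
    "webserver-filebeat-new": {"mappings": {"doc": {"properties": {
        "geoip": {"dynamic": "true", "properties": {
            "ip": {"type": "ip"}, "location": {"type": "geo_point"}}}}}}},
}

if __name__ == "__main__":
    for index, actual in find_conflicts(SAMPLE).items():
        print(f"{index}: geoip.location is {actual}, expected geo_point")
```

Indices reported here are the ones to close, delete or reindex before refreshing the index pattern.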
