GeoIP doesn't work on ELK stack

Hi there,
I'm using the ELK stack to parse nginx logs and visualize them in Kibana with GeoIP on a Coordinate Map.
But I got the error below when using Elasticsearch version 5.5.2, but not with Elasticsearch version 5.4.1:
No Compatible Fields: The "filebeat-*" index pattern does not contain any of the following field types: geo_point

In ES ver 5.4.1:

"geoip" : {
	"properties" : {
	  "continent_name" : {
		"type" : "keyword",
		"ignore_above" : 1024
	  },
	  "country_iso_code" : {
		"type" : "keyword",
		"ignore_above" : 1024
	  },
	  "location" : {
		"type" : "geo_point"
	  }
	}
  },

In ES ver 5.5.2, I can't find the value "geo_point", nor the field "location".

Could someone help me understand this case?

FYI we’ve renamed ELK to the Elastic Stack, otherwise Beats feels left out :wink:

Did you do an upgrade, or is this a separate stack? Is that code the mapping? What does the 5.5.2 mapping look like? What does your filebeat config look like?

The following is my logstash configuration:

input {
	beats {
	       port => 5044
	       client_inactivity_timeout => 120
	}
}
filter {
	grok {
		match => {
			"message" => '%{IPORHOST:node_elk_ip} - - \[%{HTTPDATE:[request_info][time]}\] "%{WORD:[request_info][method]} %{DATA:[request_info][API]} HTTP/%{NUMBER:[request_info][http_version]}" %{NUMBER:[request_info][response_status]} %{NUMBER:[request_info][bytes]} "%{DATA:[request_info][referrer]}" "%{DATA:agent}" "%{IP:[user_request][user_IP]}" "%{NUMBER:[user_request][request_time]}" "%{DATA:[user_request][upstream_response_time]}" "%{DATA:[user_request][user_role]}"'
		}
		remove_field => "message"
	}

	geoip {
		source => "[user_request][user_IP]"
		target => "geoip"
	}
	useragent {
		source => "agent"
		target => "user_agent"
		remove_field => "agent"
	}
    
}
output {
	#stdout { codec => rubydebug }
	elasticsearch {
		hosts => ["localhost:9200"]
		#sniffing => true
		manage_template => false
		index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
		document_type => "%{[@metadata][type]}"
	}
}

Can you share a typical document that is indexed in elasticsearch?

This issue was resolved. I changed index from "%{[@metadata][beat]}-%{+YYYY.MM.dd}" to "logstash-%{+YYYY.MM.dd}".

Thank you.
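The root of the error in this thread is a mapping question: Kibana's Coordinate Map only offers fields whose mapping type is geo_point, and with manage_template => false in the output, that type has to come from an index template that matches the index name Logstash writes to. The script below is an added example, not code from the thread or from Elastic: it inspects a GET _mapping response for geo_point fields (the same check the "No Compatible Fields" message performs) and builds a 5.x-style index template that pins geoip.location to geo_point for a chosen index pattern. The two mapping responses are constructed samples shaped like the mapping posted above; the index name, the "log" type name and the "_default_" type are assumptions.

```python
"""Find geo_point fields in an Elasticsearch 5.x mapping response and build an
index template that maps geoip.location as geo_point. Added example, not part
of the original thread."""

# Constructed sample: trimmed GET filebeat-*/_mapping response (ES 5.x shape,
# with a type layer under "mappings") whose "geoip" object matches the one
# posted for ES 5.4.1, i.e. location is a geo_point.
SAMPLE_MAPPING_OK = {
    "filebeat-2017.09.01": {              # hypothetical index name
        "mappings": {
            "log": {                      # hypothetical document type
                "properties": {
                    "geoip": {
                        "properties": {
                            "continent_name": {"type": "keyword", "ignore_above": 1024},
                            "country_iso_code": {"type": "keyword", "ignore_above": 1024},
                            "location": {"type": "geo_point"},
                        }
                    },
                    "node_elk_ip": {"type": "keyword"},
                }
            }
        }
    }
}

# Constructed sample: the failure mode from the thread. No template matched the
# index, so the mapping was created dynamically and the {lat, lon} object the
# geoip filter emits became two floats instead of a geo_point.
SAMPLE_MAPPING_BROKEN = {
    "filebeat-2017.09.02": {
        "mappings": {
            "log": {
                "properties": {
                    "geoip": {
                        "properties": {
                            "continent_name": {"type": "text"},
                            "location": {
                                "properties": {
                                    "lat": {"type": "float"},
                                    "lon": {"type": "float"},
                                }
                            },
                        }
                    }
                }
            }
        }
    }
}


def geo_point_fields(properties, prefix=""):
    """Recursively collect the dotted paths of every geo_point field."""
    found = []
    for name, spec in properties.items():
        path = prefix + name
        if spec.get("type") == "geo_point":
            found.append(path)
        if "properties" in spec:          # object field: descend
            found.extend(geo_point_fields(spec["properties"], path + "."))
    return found


def check_mapping_response(resp):
    """Map each index in a GET _mapping response to its sorted geo_point paths."""
    result = {}
    for index, body in resp.items():
        paths = []
        for type_body in body.get("mappings", {}).values():
            paths.extend(geo_point_fields(type_body.get("properties", {})))
        result[index] = sorted(paths)
    return result


def has_geoip_location(resp, field="geoip.location"):
    """True only if every index in the response maps `field` as geo_point."""
    return all(field in paths for paths in check_mapping_response(resp).values())


def geoip_template(index_pattern, field_path="geoip.location", order=1):
    """Build a 5.x index template body (PUT _template/<name>) that maps
    field_path as geo_point for indices matching index_pattern.  Uses the 5.x
    "template" key and the "_default_" type so it applies to any document type."""
    parts = field_path.split(".")
    props = {parts[-1]: {"type": "geo_point"}}
    for part in reversed(parts[:-1]):      # wrap leaf in its parent objects
        props = {part: {"properties": props}}
    return {
        "template": index_pattern,
        "order": order,
        "mappings": {"_default_": {"properties": props}},
    }


if __name__ == "__main__":
    for sample in (SAMPLE_MAPPING_OK, SAMPLE_MAPPING_BROKEN):
        print(check_mapping_response(sample), has_geoip_location(sample))
    print(geoip_template("filebeat-*"))
```

A field's type cannot be changed once an index has created it, so a template added after the fact only helps indices created from then on; data already written with the dynamic float mapping has to be reindexed into a fresh index that the template matches.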
