GeoIP doesn't work on ELK stack

vuxuanlai · October 13, 2017, 4:03am

Hi there,
Im using ELK stack to parse nginx log and visualize it on Kibana with geoip on Codinate map.
But i got the error as below when using Elasticsearch version 5.5.2, but not Elasticsearch version 5.4.1:
No Compatible Fields: The "filebeat-*" index pattern does not contain any of the following field types: geo_point

In ES ver 5.4.1:

"geoip" : {
	"properties" : {
	  "continent_name" : {
		"type" : "keyword",
		"ignore_above" : 1024
	  },
	  "country_iso_code" : {
		"type" : "keyword",
		"ignore_above" : 1024
	  },
	  "location" : {
		"type" : "geo_point"
	  }
	}
  },

In ES ver 5.5.2, i can't find value "geo_point", also field "location"

Could someone help me to understand for this case?

warkolm · October 13, 2017, 5:04am

FYI we’ve renamed ELK to the Elastic Stack, otherwise Beats feels left out

Did you do an upgrade, or is this a separate stack? Is that code the mapping? What does the 5.5.2 mapping look like? What does your filebeat config look like?

vuxuanlai · October 13, 2017, 8:00am

The following is my logstash configuration:

input {
	beats {
	       port => 5044
	       client_inactivity_timeout => 120
	}
}
filter {
	grok {
		match => {
			"message" => '%{IPORHOST:node_elk_ip} - - \[%{HTTPDATE:[request_info][time]}\] "%{WORD:[request_info][method]} %{DATA:[request_info][API]} HTTP/%{NUMBER:[request_info][http_version]}" %{NUMBER:[request_info][response_status]} %{NUMBER:[request_info][bytes]} "%{DATA:[request_info][referrer]}" "%{DATA:agent}" "%{IP:[user_request][user_IP]}" "%{NUMBER:[user_request][request_time]}" "%{DATA:[user_request][upstream_response_time]}" "%{DATA:[user_request][user_role]}"'
		}
		remove_field => "message"
	}

	geoip {
		source => "[user_request][user_IP]"
		target => "geoip"
	}
	useragent {
		source => "agent"
		target => "user_agent"
		remove_field => "agent"
	}
    
}
output {
	#stdout { codec => rubydebug }
	elasticsearch {
		hosts => ["localhost:9200"]
		#sniffing => true
		manage_template => false
		index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
		document_type => "%{[@metadata][type]}"
	}
}

dadoonet · October 13, 2017, 9:46am

Can you share a typical document that is indexed in elasticsearch?

vuxuanlai · November 2, 2017, 9:11am

This issue was resoleved. I changed index from "%{[@metadata][beat]}-%{+YYYY.MM.dd}" to "logstash-%{+YYYY.MM.dd}".

Thank you .

system · November 30, 2017, 9:12am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.