GeoIp don't draw

Alvaro_Jimenez_Carri · November 5, 2018, 3:30pm

Hi,

I'm trying to get a map visualize but kibana don`t show me anything for "coordinate map" and show me the next error for "region maps":

Ensure that each of these term matches a shape on that shape's join field: 200, 301, 404, 409

I receive geoip data from filebeat in elasticsearch logs.

I left here geoip mapping in the elasticsearch index and my logstash filter conf:

gist.github.com

https://gist.github.com/acarrill/a114a73f3c09a473cd4f161949d1ac0d

mapping.yml

	        "geoip": {
          "properties": {
            "city_name": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }

This file has been truncated. show original

rsys.conf

filter {
  mutate {
    rename => {
        "longitude" => "[location][lon]"
        "latitude" => "[location][lat]"
    }
  }
  if [source] =~ "access" {
    mutate { replace => { "type" => "apache_access" } }
    grok {

This file has been truncated. show original

I have to mention that I had to add the location field manually from kibana dev tools.

Thank you so much!

Aaron_Caldwell · November 5, 2018, 4:23pm

Hello Alvaro,

For the region map, Kibana will expect a reference vector file based with which to share a key for an inner join, for reference see this:

https://www.elastic.co/guide/en/kibana/current/regionmap.html

For a good practical run-through, see this blog:

Having said that, I think a coordinate map is likely what you're looking for here. Regarding your mapping, you'll want to target the geo-point type rather than lat/long floats. You can find more information about this type here:

https://www.elastic.co/guide/en/elasticsearch/reference/current/geo-point.html

Once you've loaded your data containing geo-points, you should have no issues displaying them in a Kibana Coordinate Map.

Regards,
Aaron

Alvaro_Jimenez_Carri · November 5, 2018, 5:14pm

Hi Aaron,

I have been looking all documentation u posted, it's looks like I need to change location type to geo_point but I don't find the way to do that. I read that I need reindex, however I only found it applied to change index type and not field type and I haven't very clear how apply it to type of fields changes. I'm new with elk and I'm a little bit loose, I'm sorry and very tankful for the help.

Regards,
Álvaro.

Aaron_Caldwell · November 5, 2018, 8:54pm

I'd recommend re-indexing your data. You'll probably want to walk through both indexing and mappings (mappings will cover specifying field types, such as geo_point). Here are a couple of resources to get you started:

https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html

I believe this would be the easiest way to update your data, and it would give you a better pattern to follow moving forward.

Regards,
Aaron

Alvaro_Jimenez_Carri · November 6, 2018, 3:19pm

Hi Aaron,

Thanks a lot by your answers, I have already all running.

Greetings.
Álvaro

system · December 4, 2018, 3:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.