Geoip field scope seperator is "." and not supported as mapping name

pelesmk · January 2, 2018, 5:30am

I'm using the geoip mapping and everything seems fine, except the geoip ends up using a . as the seperator, example geoip.location, geoip.city_name, geoip.country_name. The period is not supported and the error message is
"reason"=>"Field name [remote_location.city] cannot contain '.'"}}}}

This makes sense and all of my other mappings don't contain periods. I think i read the period isnt supported in ES 2.x, so my question is, how do I rename the geoip seperator? My mappings are correct as shown below, but I don't know how to tell logstash not to use the "." as the field name, but to use something like an _ underscore. I've tried the mutate and gsub, but don't really know how to use them in this context or if this is the correct context to use mutate gsub.

      "geoip" : {
        "properties" : {
          "city_name" : {
            "type" : "string"
          },
          "continent_code" : {
            "type" : "string"
          },
          "country_code2" : {
            "type" : "string"
          },
          "country_code3" : {
            "type" : "string"
          },

dadoonet · January 2, 2018, 6:42am

Apparently you renamed the target field to be "remote_location", no?

If so you need to define it in your mapping accordingly.

pelesmk · January 2, 2018, 7:10pm

thanks for your reply David. I didn't rename remote_location from "remote.location", but even if i did the problem would be even greater as the "." in "remote.location" wouldn't be supported by ES 2.x
https://www.elastic.co/guide/en/elasticsearch/reference/2.4/dots-in-names.html

Actually, I just read more carefully and it looks like in 2.4.x there's a system property to enable support called mapper.allow_dots_in_name

I'm running 2.4.6, I'm gonna give that property setting a test.

dadoonet · January 2, 2018, 7:53pm

It is supported if you define the correct mapping.

Where basically remote is an object and location is a field.

pelesmk · January 3, 2018, 12:40am

no luck, maybe it's only a 2.4.0 field? 2.4.6 says the property doesn't exist for mapper.allow_dots_in_name. I'm going to investigate my other logstash installs to see if remote_location has a different name there. The thing is, I only used remote_location as an example here, but all of the geoip fields use a "." period separator, so it's not something I renamed. I did rename other fields/mappings to work around the period and those work correctly, just the geoip, which isn't something controlled by me as it's a properties thing *I think

dadoonet · January 3, 2018, 6:33am

Can you reproduce this with a simple elasticsearch pure script (without logstash)?

Like:

delete index
create index with mapping
index a doc

system · January 31, 2018, 6:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.