Geoip filter fails with illegal_state_exception message on "type" field

Elastic Stack Logstash
1

Hi all,

Just wondering if someone can help with this unusual problem. I'm parsing IIS logs and doing a geoip lookup on the clientIP field and I get the error message below. I have used this on my Apache logs and it works fine. Any tips or ideas on how to fix this?

Error Message:

:response=>{"create"=>{"_index"=>"iis-prod-bwl-2017.01.17", "_type"=>"iis-prod-bwl", "_id"=>"AVmp-MnJtV1rYaGi4Hi0", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Mixing up field types: class org.elasticsearch.index.mapper.core.DoubleFieldMapper$DoubleFieldType != class org.elasticsearch.index.mapper.geo.BaseGeoPointFieldMapper$GeoPointFieldType on field geoip.location"}}}}}

Sample Log:

2017-01-17 00:00:00 W3SVC1 WIN-5SVHN7G2T4J 172.18.105.236 GET / - 80 - 172.18.120.214 HTTP/1.1 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+10_2+like+Mac+OS+X)+AppleWebKit/602.3.12+(KHTML,+like+Gecko)+Version/10.0+Mobile/14C92+Safari/602.1 _pk_id.8387.af08=a48daba73567c2e4.1484301212.1.1484301212.1484301212.;+SC_ANALYTICS_GLOBAL_COOKIE=4b570714567746a9a85bf539a395ff3c;+com.silverpop.iMAWebCookie=ae21d942-c77b-cbab-67e1-9618ec89ddd7;+_ga=GA1.3.2024580622.1483074503;+__lc.visitor_id.6145481=S1483074504.582ff2c04d;+__cfduid=d41b5dfb231fe480d6d3efff4345a6f8e1483074501 - www.mydomain.com.au 200 0 0 18537 915 31 1.126.48.240,+172.68.2.101

Here's my filter:

filter {
  if [message] =~ "^#" or [message] =~ "\b\w*ELB-HealthChecker\w*\b" {
     drop {}
  }

  if [type] == "iis-prod-bwl" {
    grok {
      match => [ "message", "%{TIMESTAMP_ISO8601:log_timestamp} %{NOTSPACE:serviceName} %{NOTSPACE:serverName} %{IPORHOST:serverIP} %{WORD:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:elbIP} %{NOTSPACE:protocolVersion} %{NOTSPACE:userAgent} %{NOTSPACE:cookie} %{NOTSPACE:referer} %{NOTSPACE:requestHost} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:win32response} %{NUMBER:bytesSent} %{NUMBER:bytesReceived} %{NUMBER:timetaken} %{IPORHOST:clientIP},\+%{IPORHOST:cloudflareIP}" ]
     }

     date {
        match => [ "log_timestamp", "YYYY-MM-dd HH:mm:ss" ]
        timezone => "Etc/UTC"
     }

     geoip {
       source => "clientIP"
     }
  }
}

Thanks!

2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.