Geoip filter not creating type geo_point


#1

hello team elastic

I'm using the regular geoip filter in elasticsearch:

geoip{
  source => "clientip"
  target => "geoip"
}

But if you take a look at the geoip mapping in Elasticsearch, it seems as though [geoip][location] is a double, not a geo_point...

           "geoip": {
              "properties": {
                 "area_code": {
                    "type": "long"
                 },
                 "city_name": {
                    "type": "string"
                 },
                 "continent_code": {
                    "type": "string"
                 },
                 "country_code2": {
                    "type": "string"
                 },
                 "country_code3": {
                    "type": "string"
                 },
                 "country_name": {
                    "type": "string"
                 },
                 "dma_code": {
                    "type": "long"
                 },
                 "ip": {
                    "type": "string"
                 },
                 "latitude": {
                    "type": "double"
                 },
                 "location": {
                    "type": "double"
                 },
                 "longitude": {
                    "type": "double"
                 },
                 "postal_code": {
                    "type": "string"
                 },
                 "real_region_name": {
                    "type": "string"
                 },
                 "region_name": {
                    "type": "string"
                 },
                 "timezone": {
                    "type": "string"
                 }
              }
           }

So I can't graph it on a Kibana tile map, because it doesn't have type geo_point. Am I doing something wrong here? Could I just update the mapping manually? That would be less ideal than a fix at the Logstash level. Here is an example value:

       "geoip": {
          "ip": "***.**.**.*",
          "country_code2": "XX",
          "country_code3": "XXX",
          "country_name": "Xxxxxxx",
          "continent_code": "EU",
          "latitude": 51,
          "longitude": 9,
          "timezone": "Europe/Berlin",
          "location": [
             9,
             51
          ]
       },

(Aaron Mildenstein) #2

Are you using the default index name of logstash-YYYY.MM.DD? If not, then the default template, which maps the geo_point for you, is not being used.

You could always borrow from this template to make yours map properly. Unfortunately, you'll have to re-index or wait until the next rollover to see the mapping change.


#3

Awesome, thank you for your prompt reply. These logs weren't going into the default logstash-* indices, they are going into nginx-* indices, so indeed I've created a template which I reference in the elasticsearch output. I wasn't aware of the default template helping out behind the scenes for logstash-* indices. Thanks!

So I am trying to reindex the glob of nginx-YYYY.MM.DD indices: Reindexing glob of indices
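The fix described in #2 and #3 (an index template for the custom index pattern that maps `geoip.location` as `geo_point`, plus a check that spots the wrong mapping) as an added example; this is not code from the thread or from Logstash. It assumes the legacy `"template"` / `_default_` template syntax that matches the `string` field types shown in the question; the sample mapping below is constructed from the question's output.

```python
import json

# Constructed sample: the relevant part of the mapping from the question,
# where location ended up typed as double instead of geo_point.
BROKEN_MAPPING = {
    "nginx-2015.01.01": {"mappings": {"nginx": {"properties": {"geoip": {"properties": {
        "latitude": {"type": "double"},
        "location": {"type": "double"},
        "longitude": {"type": "double"},
    }}}}}}
}


def geoip_template(index_pattern, target="geoip"):
    """Index template mapping <target>.location as geo_point for indices matching
    index_pattern, mirroring what the default logstash-* template does.
    Assumption: legacy template syntax ("template" key, _default_ mapping)."""
    return {
        "template": index_pattern,
        "mappings": {"_default_": {"properties": {target: {"properties": {
            "location": {"type": "geo_point"}
        }}}}},
    }


def find_location_fields(mapping, path=()):
    """Walk a GET _mapping response (or a template body) and yield
    (dotted path, type) for every field named 'location'."""
    for name, node in mapping.items():
        if not isinstance(node, dict):
            continue
        if name == "location" and "type" in node:
            yield (".".join(path + (name,)), node["type"])
        # "mappings" and "properties" are structural keys, not field names.
        next_path = path if name in ("mappings", "properties") else path + (name,)
        yield from find_location_fields(node, next_path)


def non_geo_point_locations(mapping):
    """Dotted paths of 'location' fields that are not geo_point (empty means OK)."""
    return [p for p, t in find_location_fields(mapping) if t != "geo_point"]


if __name__ == "__main__":
    # To check a live cluster, feed it the output of GET /nginx-*/_mapping instead.
    print("bad location fields:", non_geo_point_locations(BROKEN_MAPPING))
    print(json.dumps(geoip_template("nginx-*"), indent=2))
```

As #2 notes, a template only applies to indices created after it is installed, so existing nginx-* indices still need to be re-indexed or rolled over.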
