Hello, I am on ELK 7.4.
When using geoip in a Logstash conf, geoip.location doesn't appear in the index fields in Kibana.
Below is the Logstash conf, showing the fields option under the geoip filter. (If this is now included then the fields do not show and I am unable to see the geo data displayed in Kibana, but geoip.location is not shown in the index mapping, so I am creating the new coordinates field.)
input {
  file {
    # read every CSV in the directory from the start
    path => "/route/to/file/*.csv"
    start_position => "beginning"
  }
}
filter {
  csv {
    separator => ","
    columns => ["Id", "Date/Time", "SenderIP", "Workload"]
  }
  geoip {
    # look up the sender address and write the result under [geoip]
    source => "SenderIP"
    target => "geoip"
    fields => ["continent_code", "longitude", "city_name", "region_code", "country_name", "location", "ip", "latitude"]
    # Logstash merges the two add_field entries for the same key into one array: [lon, lat]
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
  }
  mutate {
    # sprintf produced strings; convert both array elements to floats
    convert => [ "[geoip][coordinates]", "float" ]
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "info_file"
    # Logstash does not install its default template, so the index gets dynamic mapping only
    manage_template => false
  }
}
When saying geoip.location, the data is then displayed in two separate fields, geoip.location.lon and geoip.location.lat, instead of showing, for example, as:
geoip.location {
lon: 0.0001
lat: 0.0001
}
I am able to add_field and mutate this into a new field, i.e. geoip.coordinates (as seen in the above conf), and that will be added to the index mapping.
Is there a way to format this into an index template so that it will be formatted correctly for the following/future creation of indices, being able to use geoip.location correctly?
Also, when creating a point/visualization with the Maps function in Kibana, the index in question is not displayed. Am I missing a trick here? Or is this because of the above, with the non-matching of geoip.location and therefore the geo_point format type?
Thank you!
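The following is an added example, not code from the original post or from Elastic. With manage_template => false and an index name that does not match the logstash-* pattern of Logstash's default template, Elasticsearch maps the {lon, lat} object dynamically as two float fields, which is exactly the geoip.location.lon/geoip.location.lat split seen above, and Kibana Maps only lists index patterns that contain a geo_point or geo_shape field. An index template that declares the field type fixes this for every index created afterwards. The template below targets the legacy _template API that ES 7.4 uses (composable templates arrived later); the template name info_file and the pattern info_file* are assumptions taken from the index name in the conf. Both geoip.location (the object the geoip filter emits) and the geoip.coordinates workaround field ([lon, lat] array) are valid geo_point inputs, so both are mapped as such:

```json
{
  "index_patterns": ["info_file*"],
  "settings": {
    "number_of_shards": 1
  },
  "mappings": {
    "dynamic": true,
    "properties": {
      "geoip": {
        "dynamic": true,
        "properties": {
          "ip":             { "type": "ip" },
          "location":       { "type": "geo_point" },
          "coordinates":    { "type": "geo_point" },
          "latitude":       { "type": "half_float" },
          "longitude":      { "type": "half_float" },
          "continent_code": { "type": "keyword" },
          "country_name":   { "type": "keyword" },
          "region_code":    { "type": "keyword" },
          "city_name":      { "type": "keyword" }
        }
      }
    }
  }
}
```

Install it once with PUT _template/info_file from Kibana Dev Tools, or let Logstash upload it at startup by saving the JSON to a file and setting template => "/path/to/info_file.json", template_name => "info_file", template_overwrite => true and manage_template => true in the elasticsearch output (those are existing options of the output plugin; the file path is a placeholder). A template only applies to indices created after it exists, so the current info_file index has to be deleted or reindexed before geoip.location becomes a geo_point. After the first new document is indexed, check GET info_file/_mapping for "type": "geo_point", refresh the field list of the index pattern in Kibana, and the index pattern should then appear in Maps as a documents layer source.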