Geoip.location not Auto Generated

Elastic Stack Kibana
1

hi,

I am shipping & Parsing access logs for Apache webserver using beats and logstash.

Added webUserID as source for GeoIP in logstash and refreshed index pattern.
But geoip.location with geoPoint datatype is not showing up in the index fields(all other geoip fields are).

Not using any index templates. And Logstash creates Index everyday based on date regex.

Can anyone help figure out why geoip.location with geoPoint datatype is not auto-generated?

Should i add a custom field in geoIP via logstash combining geopi.lat +geoip.lon and create index template mapping custom field as geo_point type?

#################
Logstash GeoIP Config
#################
'geoip{

  • source => "webUserID"*
    }'

###############
Index Mapping
###############
'"geoip": {

  •      "properties": {            *

  •        "latitude": {*

  •          "type": "float"*

  •        },*

  •        "location": {*

  •          "properties": {*

  •            "lat": {*

  •              "type": "float"*

  •            },*

  •            "lon": {*

  •              "type": "float"*

  •            }*

  •          }*

  •        },*

  •        "longitude": {*

  •          "type": "float"*

  •        }            *

  •      }*

  •    }*'

###############
Kibana Discover
###############

GeoKibana
GeoKibana828×427 7.97 KB

2

That is likely why, you need to set it as a a geopoint in a template.

1 Like
3

Ok. Will try with template and check results.

Just frustrated that ES can't identify/construct geoip.location with geopoint data type., when geoip.location.lat and geoip.location.lon is already present.

Extra step to define/modify geoip fields, just breaks the illusion of single config model for geoip.

4

defined index template as follows and got below error.
Any clue?

template_mapping_error
template_mapping_error582×624 11.5 KB

5

Kibana doesn't like to mix mapping types. If you want it fixed you will want to reindex the old data, or just delete it if it's not important.

6

Added a custom field in geoip combining latitude and longitude in logsatsh.

Defined index template with custom field defined as geopoint.

And deleted old indexes and refreshed index pattern.
Worked.

Though I still think that when adding geoip to logstash first time, and refreshing existing index pattern, should auto identify geoip.location as geopoint type; since field would be generated for the first time; even though indices may already exist.

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.