I am shipping & Parsing access logs for Apache webserver using beats and logstash.
Added webUserID as source for GeoIP in logstash and refreshed index pattern.
But geoip.location with geoPoint datatype is not showing up in the index fields(all other geoip fields are).
Not using any index templates. And Logstash creates Index everyday based on date regex.
Can anyone help figure out why geoip.location with geoPoint datatype is not auto-generated?
Should i add a custom field in geoIP via logstash combining geopi.lat +geoip.lon and create index template mapping custom field as geo_point type?
Just frustrated that ES can't identify/construct geoip.location with geopoint data type., when geoip.location.lat and geoip.location.lon is already present.
Extra step to define/modify geoip fields, just breaks the illusion of single config model for geoip.
Added a custom field in geoip combining latitude and longitude in logsatsh.
Defined index template with custom field defined as geopoint.
And deleted old indexes and refreshed index pattern.
Worked.
Though I still think that when adding geoip to logstash first time, and refreshing existing index pattern, should auto identify geoip.location as geopoint type; since field would be generated for the first time; even though indices may already exist.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
