Geoip.location not getting mapped to a geo_point type

Elastic Stack Elasticsearch
1

OS: CentOS 7.2.1511 - 3.10.0-327.22.2.el7.x86_64
ES version: elasticsearch-5.1.1
Kibana version: kibana-5.1.1
Logstash version: logstash-5.1.1

I looked at my default template (es-server:9200/_template) and it shows geoip.location getting mapped to a geo_point type:
{
"logstash": {
"order": 0,
"version": 50001,
"template": "logstash-",
"settings": {
"index": {
"refresh_interval": "5s"
}
},
"mappings": {
"default": {
"dynamic_templates": [
{
"message_field": {
"path_match": "message",
"mapping": {
"norms": false,
"type": "text"
},
"match_mapping_type": "string"
}
},
{
"string_fields": {
"mapping": {
"norms": false,
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"match_mapping_type": "string",
"match": ""
}
}
],
"_all": {
"norms": false,
"enabled": true
},
"properties": {
"@timestamp": {
"include_in_all": false,
"type": "date"
},
"geoip": {
"dynamic": true,
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
},
"@version": {
"include_in_all": false,
"type": "keyword"
}
}
}
},
"aliases": {}
}
}

I have this in my logstash config to filter geolocation:
geoip {
source => "MyFieldWithAnIP"
}

So if I look in my ES index I can see its processing geo location on that field. For docs that logstash sends it I do see geoip data in them, here is an example of a geoip field from one of those documents:
"geoip": {
"city_name": "Ibarra",
"timezone": "America/Guayaquil",
"ip": "181.198.183.74",
"latitude": 0.35,
"country_code2": "EC",
"country_name": "Ecuador",
"continent_code": "SA",
"country_code3": "EC",
"region_name": "Provincia de Imbabura",
"location": [
-78.1167,
0.35
],

But if I go into kibana and try to create a map visualization from that index I get this:
"error: No Compatible Fields: The "my_index_pattern" index pattern does not contain any of the following field types: geo_point"

When I look at the index pattern I created in kibana the "type" of the geoip.location field is "number".

So I don't know where the break down is here. Is the default mapping not working? Did I misconfigure kibana?

2

The answer lies between "template": "logstash-*", as the pattern to match in the default template, and my_index_pattern in the error message. It would seem that you are creating indices that are not named logstash-something, which is required for the index template to be applied.

3 Likes
3

ahhh so obvious! Didn't understand enough about how mapping works, I thought this was like a default template applied to everything, I realize how little sense that makes now.

So I should be able to just do geoip { source => "MyFieldWithAnIP" } without any extra settings.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.