Hi. ELK stack version 6.5.4. I deployed a new server with nginx and I use Filebeat to send nginx logs to the Elasticsearch cluster. I added the nginx plugin and imported the dashboard (filebeat setup -e). The problem I have is that there is no nginx.access.geoip.location field.
I have nginx.access.geoip.location.lat and nginx.access.geoip.location.lon.
Yes, it is expected that nginx.access.geoip.location.lat and nginx.access.geoip.location.lon fields exist, but not nginx.access.geoip.location or geoip.location.
Instead of using Logstash to enrich the events, you can set up the ingest pipelines included in the Filebeat modules. For that, run filebeat setup from a node with direct access to Elasticsearch and the nginx module enabled.
Btw, do you need to use logstash? If you are using it for parsing the logs you can also do it just with elasticsearch and filebeat modules.
Regarding this error, "Could not locate that index-pattern-field (id: geoip.location)", when do you see it? In the provided dashboard the geoip.location field is not being used.