Geoip location not working - missing nginx.access.geoip.location

Hi. ELK stack version 6.5.4. I deployed a new server with nginx and I use Filebeat to send nginx logs the the elasticsearch cluster. I added the pluggin nginx and imported the dashboard (filebeat setup -e). The problem I have is that there is no nginx.access.geoip.location fields.

I have nginx.access.geoip.location.lat and nginx.access.geoip.location.lon.

Have I missed something ?

I received logstash nginx config from here: https://www.elastic.co/guide/en/logstash/current/logstash-config-for-filebeat-modules.html#parsing-nginx

If open visualise tab - receive the error:

Saved object is missing
Could not locate that index-pattern-field (id: geoip.location)

Hi @c257dd0a514ccc788ecc,

Yes, it is expected that nginx.access.geoip.location.lat and nginx.access.geoip.location.lon fields exist, but not nginx.access.geoip.location or geoip.location.

Instead of using logstash to enrich the events you can setup the ingest pipelines included in the filebeat modules, for that, run filebeat setup from a node with direct access to elasticsearch and the nginx module enabled.

Btw, do you need to use logstash? If you are using it for parsing the logs you can also do it just with elasticsearch and filebeat modules.

Regarding this error Could not locate that index-pattern-field (id: geoip.location), when do you see it? In the provided dashboard the geoip.location field is not being used.

Thanks. I remove in filebeat.yml output to logstash and enable output to elasticsearch. All nginx dashboards - is worked.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.