Geoip.location

elaair · August 3, 2017, 3:11am

If geoip.location appears in the index as a geo_point, why am I unable to use it in a heat map? Also, why do geoip.longitude and geoip.latitude appear as numbers? Shouldn't they by default be float?

I have a mapping like this:
PUT _template/syslog
{
"template": "syslog*",
"mappings": {
"eventGeoLocations": {
"properties": {
"src_geo_location": { "type": "geo_point" },
"geoip.latitude": { "type": "float" },
"geoip.longitude": { "type": "float" }
}
}
}
}

I also have a very basic geoip config section.
#GeoIP
if [IN] == "eno1" {
geoip {
source => "src_IP"
}
mutate { convert => {"geoip.latitude" => "float"} }
mutate { convert => {"geoip.longitude" => "float"} }
#mutate { add_field => { "src_geo_location" => "geoip.latitude,geoip.longtude" } } #not working
} # close if

warkolm · August 3, 2017, 3:24am

Did you change the document_type to match this?

elaair · August 3, 2017, 3:28am

Not sure what you so mean that likely means no..

elaair · August 3, 2017, 3:29am

I think I am failing to grasp the mappings template file. I will re read.

warkolm · August 3, 2017, 3:31am

It's not immediately clear, but the eventGeoLocations you have there is the _type of the document, so it needs to match.

Logstash uses logs as the default, so unless you are setting that it's probably the cause.

elaair · August 3, 2017, 3:34am

I was under the impression that was more or less a tag. I did get this to work while on another little project where I converted the two number fields to float, created a geo_point field, and stuck the two converted fields together. I was trying to replicate that here.
I am really new at this. thx for the help

elaair · August 3, 2017, 3:37am

I do that is _type in the docs. https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html

Where are the _type listed out so I can pick the correct one? I think I got luck with the other thing..

warkolm · August 3, 2017, 3:48am

Change;

to;

The difference is the use of _default_, which will apply this to any type by default.

elaair · August 3, 2017, 9:37pm

No use- I am still confused why the default geoip fields have the wrong data types to either use directly in a coordinate map or allow conversion to a geo_point.

elaair · August 3, 2017, 9:41pm

geoip.location geo_point Is the correct data type for the coordinate map!! Why is it missing from the dropdown in Kibana?

elaair · August 4, 2017, 12:06am

geoip.location shows up as an option when I use the logstash-index. What am I missing?

magnusbaeck · August 4, 2017, 8:34am

geoip.location geo_point Is the correct data type for the coordinate map!!

Is it? What do the actual mappings of the index look like? Use the get mapping API.

elaair · August 5, 2017, 3:59am

I destroyed the other index when this worked with the logstash index. I was relying on what Kibana was showing in the index vie, and I pasted from the view into this discussion. I should have been more clear where I was seeing the geoip.location referenced as a geo_point.
I will use the mapping api from now on when I have issue with mappings.

system · September 2, 2017, 3:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to convert to geopoint Logstash	4	2255	July 18, 2017
Geo_point and the logstash-* index Logstash	2	546	April 21, 2017
Default parsing of the geoip field: location? Logstash	9	761	March 6, 2017
GeoIP Fields != desired geo_point type Logstash	4	952	March 21, 2017
Can Anyone tell each and every step of how to use geoIP with logstash and kibana? Logstash	12	1920	October 24, 2017

Geoip.location

Related topics