GeoIP Mapping in ES

Hello All,

I currently have a working ElasticStack 6.3.0. I'm trying to set the mapping for a new GeoIP field. By default when I use the 'geoip' logstash filter everything works fine. I get a field called geoip.location that is a geo_point type. The data I'm using has a destination and source IP. I'd like to map them both at the same time. This is what my logstash filter looks like:
```
if [src_ip] {
  geoip {
    source => "src_ip"
    target => "src_geoip"
    database => "/etc/logstash/GeoLite2-Xity.mmdb"
  }
}
if [dst_ip] {
  geoip {
    source => "dst_ip"
    target => "dst_geoip"
    database => "/etc/logstash/GeoLite2-Xity.mmdb"
  }
}
```
The filter works fine and creates all the appropriate fields. However, the Elasticsearch mapping template isn't set up to make src_geoip and dst_geoip a geo_point type. I've noticed that in 6.3.0 the default mapping is being deprecated. I'd like to know how I should correctly update my mapping to get these geo_points.

This is my current mapping:
```
curl -XGET http://192.168.0.10:9200/_template/logstash?pretty
{
  "logstash" : {
    "order" : 0,
    "version" : 60002,
    "index_patterns" : [
      "logstash-*"
    ],
    "settings" : {
      "index" : {
        "number_of_shards" : "2",
        "refresh_interval" : "5s"
      }
    },
    "mappings" : {
      "_default_" : {
        "dynamic_templates" : [
          {
            "message_field" : {
              "path_match" : "message",
              "match_mapping_type" : "string",
              "mapping" : {
                "type" : "text",
                "norms" : false
              }
            }
          },
          {
            "string_fields" : {
              "match" : "*",
              "match_mapping_type" : "string",
              "mapping" : {
                "type" : "text",
                "norms" : false,
                "fields" : {
                  "keyword" : {
                    "type" : "keyword",
                    "ignore_above" : 256
                  }
                }
              }
            }
          }
        ],
        "properties" : {
          "@timestamp" : {
            "type" : "date"
          },
          "@version" : {
            "type" : "keyword"
          },
          "geoip" : {
            "dynamic" : true,
            "properties" : {
              "ip" : {
                "type" : "ip"
              },
              "location" : {
                "type" : "geo_point"
              },
              "latitude" : {
                "type" : "half_float"
              },
              "longitude" : {
                "type" : "half_float"
              }
            }
          },
          "src_geoip" : {
            "dynamic" : true,
            "properties" : {
              "ip" : {
                "type" : "ip"
              },
              "location" : {
                "type" : "geo_point"
              },
              "latitude" : {
                "type" : "half_float"
              },
              "longitude" : {
                "type" : "half_float"
              }
            }
          },
          "dst_geoip" : {
            "dynamic" : true,
            "properties" : {
              "ip" : {
                "type" : "ip"
              },
              "location" : {
                "type" : "geo_point"
              },
              "latitude" : {
                "type" : "half_float"
              },
              "longitude" : {
                "type" : "half_float"
              }
            }
          }
        }
      }
    },
    "aliases" : { }
  }
}
```

I'm not that great with interpreting the elastic docs on json calls with curl. A clear and concise answer would be very much appreciated. If you need additional information please let me know.

Thank you!

That looks OK from what I can tell. Your various location fields are mapped as geopoints, for example. Is something not working as you expect?

(Hint: in future, please use the </> (code) button to format JSON like the pasted mappings; it makes it much easier to read :) )

Thank you for your quick response. (I'll use the formatting button next time)

I just realized that I needed to refresh the field list on the index pattern. After doing this the fields showed up correctly as geo_points. haha I spent too much time on that haha.

Thank you again!

Cheers!
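The check the reply does by eye, confirming that each geoip `target` has its `location` mapped as `geo_point` in the template, written out as an added example that is not part of the original thread. The function names are hypothetical, and the sample template is constructed: it is a trimmed copy of the shape posted above, with `dst_geoip.location` deliberately left out to show what a missing mapping looks like.

```python
import json

# Constructed sample in the shape of GET _template/logstash on Elasticsearch 6.x
# (one mapping type under "mappings"). Unlike the template in the thread,
# dst_geoip.location is omitted here on purpose.
SAMPLE_TEMPLATE = json.loads("""
{"logstash": {"index_patterns": ["logstash-*"], "mappings": {"_default_": {"properties": {
  "geoip":     {"dynamic": true, "properties": {"ip": {"type": "ip"}, "location": {"type": "geo_point"}}},
  "src_geoip": {"dynamic": true, "properties": {"ip": {"type": "ip"}, "location": {"type": "geo_point"}}},
  "dst_geoip": {"dynamic": true, "properties": {"ip": {"type": "ip"}}}
}}}}}
""")


def field_type(properties, dotted_path):
    """Return the mapped type of a dotted field path, or None if it is unmapped."""
    node = {"properties": properties}
    for part in dotted_path.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    # Object fields carry "properties" and no explicit "type".
    return node.get("type", "object")


def check_geoip_targets(template_response, targets, leaf="location"):
    """Map '<template>/<mapping type>/<target>.<leaf>' to its type (None = unmapped)."""
    report = {}
    for tpl_name, tpl in template_response.items():
        for type_name, mapping in tpl.get("mappings", {}).items():
            props = mapping.get("properties", {})
            for target in targets:
                path = f"{target}.{leaf}"
                report[f"{tpl_name}/{type_name}/{path}"] = field_type(props, path)
    return report


def unmapped_geo_points(report):
    """Fields the template does not declare as geo_point."""
    return sorted(key for key, ftype in report.items() if ftype != "geo_point")


if __name__ == "__main__":
    report = check_geoip_targets(SAMPLE_TEMPLATE, ["src_geoip", "dst_geoip"])
    for field, ftype in sorted(report.items()):
        print(f"{field}: {ftype or 'NOT MAPPED'}")
```

To run it against a real cluster, save the output of the `curl` command from the first post to a file and pass the parsed JSON in place of `SAMPLE_TEMPLATE`.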
