Geoip not appearing at indexes


(paulo bruck) #1

Hi all

I have read a lot of things about this subject, but none of them solve my problem.

Using Kibana, Elasticsearch and Logstash v6.4.2-1

When Logstash starts, this appears:
[2018-10-24T10:00:15,816][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"default"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
[2018-10-24T10:00:16,343][INFO ][logstash.filters.geoip ] Using geoip database {:path=>"/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"}

As I can see, Logstash has a dynamic template that is inserting geoip_point.

But it does not appear in the indexes, and I have already dropped all indexes and started a new one.
Indexes show me:
"geoip": {
  "properties": {
    "city_name": {
      "type": "text",
      "fields": {
        "keyword": {
          "type": "keyword",
          "ignore_above": 256
        }
      }
    },
    "continent_code": {
      "type": "text",
      "fields": {
        "keyword": {
          "type": "keyword",
          "ignore_above": 256
        }
      }
    },
    "country_code2": {
      "type": "text",
      "fields": {
        "keyword": {
          "type": "keyword",
          "ignore_above": 256
        }
      }
    },
    "country_code3": {
      "type": "text",
      "fields": {
        "keyword": {
          "type": "keyword",
          "ignore_above": 256
        }
      }
    },
    "country_name": {
      "type": "text",
      "fields": {
        "keyword": {
          "type": "keyword",
          "ignore_above": 256
        }
      }
    },
    "dma_code": {
      "type": "long"
    },
    "ip": {
      "type": "text",
      "fields": {
        "keyword": {
          "type": "keyword",
          "ignore_above": 256
        }
      }
    },
    "latitude": {
      "type": "float"
    },
    "location": {
      "properties": {
        "lat": {
          "type": "float"
        },
        "lon": {
          "type": "float"
        }
      }
    },
    "longitude": {
      "type": "float"
    },
    "postal_code": {
      "type": "text",
      "fields": {
        "keyword": {
          "type": "keyword",
          "ignore_above": 256
        }
      }
    },
    "region_code": {
      "type": "text",
      "fields": {
        "keyword": {
          "type": "keyword",
          "ignore_above": 256
        }
      }
    },
    "region_name": {
      "type": "text",
      "fields": {
        "keyword": {
          "type": "keyword",
          "ignore_above": 256
        }
      }
    },
    "timezone": {
      "type": "text",
      "fields": {
        "keyword": {
          "type": "keyword",
          "ignore_above": 256
        }
      }
    }
  }
},

But when I try to insert a map in Kibana, this message appears:

The "firewall-*" index pattern does not contain any of the following field types: geo_point

The problem is that, as I am new to ELK, I have not seen solutions for it. 80)

Any help would be very appreciated 8)


(Christian Dahlqvist) #2

The standard index template Logstash comes with does map this correctly, but it only applies to indices matching the pattern logstash-*. As you have created an index with a name not matching this, default mappings are applied, which is why the lat and lon fields are identified as floats. If you copy the default Logstash template and change it to apply to a pattern that matches your indices and then import it into Elasticsearch, the problem should be solved for any new index that is created.
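The fix described in the answer above, sketched as an added example that is not part of the original thread or of Logstash itself: it retargets a copy of the default template at `firewall-*` and reports which fields in the existing index were dynamically mapped to a different type than the template declares. The two dictionaries are constructed samples cut down from the log line and mapping in the first post; the function names and the `_default_` doc-type key are assumptions.

```python
import copy
import json

# Constructed sample: geoip part of the default Logstash template, taken from
# the startup log in the first post ("_default_" doc-type key is an assumption).
DEFAULT_TEMPLATE = {
    "template": "logstash-*", "version": 60001,
    "settings": {"index.refresh_interval": "5s"},
    "mappings": {"_default_": {"properties": {
        "@timestamp": {"type": "date"},
        "geoip": {"dynamic": True, "properties": {
            "ip": {"type": "ip"}, "location": {"type": "geo_point"},
            "latitude": {"type": "half_float"},
            "longitude": {"type": "half_float"}}},
    }}},
}
# Constructed sample: what dynamic mapping produced for the firewall index.
FIREWALL_MAPPING = {"properties": {
    "@timestamp": {"type": "date"},
    "geoip": {"properties": {
        "ip": {"type": "text"}, "latitude": {"type": "float"},
        "location": {"properties": {"lat": {"type": "float"},
                                    "lon": {"type": "float"}}}}},
}}

def retarget_template(template, pattern):
    """Copy a template and point it at another index pattern."""
    new = copy.deepcopy(template)
    new.pop("template", None)          # legacy single-pattern key
    new["index_patterns"] = [pattern]  # key used by Elasticsearch 6.x templates
    return new

def field_types(node, prefix=""):
    """Flatten nested 'properties' into {dotted.path: type}."""
    out = {}
    for name, spec in node.get("properties", {}).items():
        path = prefix + name
        out[path] = spec.get("type", "object")  # no explicit type means object
        out.update(field_types(spec, path + "."))
    return out

def mapping_drift(template, mapping):
    """Fields present in the index whose type differs from the template's."""
    live = field_types(mapping)
    return {path: (live[path], want)
            for doc in template["mappings"].values()
            for path, want in field_types(doc).items()
            if path in live and live[path] != want}

if __name__ == "__main__":
    print(json.dumps(retarget_template(DEFAULT_TEMPLATE, "firewall-*"), indent=2))
    print(mapping_drift(DEFAULT_TEMPLATE, FIREWALL_MAPPING))
```

The printed JSON is the body to import with `PUT _template/<name>`. As the answer says, it only takes effect for indices created afterwards.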


(paulo bruck) #3

Thanks for the solution, Christian

best regards

