I am using the latest 7.7.1 version of the ELK stack, and my Logstash geoip snippet looks as below:
filter {
  if [log_type] == "querylog" {
    grok {
      # The literal quotes around the IP value must be escaped (\") inside the
      # Logstash double-quoted string, otherwise the config fails to parse.
      match => { "message" => "%{TIMESTAMP_ISO8601:Activity-Time}%{SPACE}USERID=%{QUOTEDSTRING:USERID}%{SPACE}IP=\"%{IP:IP}\"%{SPACE}ACTION=%{QS:ACTION}%{SPACE}URL=%{QS:URL}%{SPACE}DEVICETYPE=%{QS:DEVICETYPE}%{SPACE}KEYS=%{QS:KEYS}" }
    }
    geoip {
      # Looks up the parsed IP and adds the [geoip] object, including [geoip][location]
      source => "IP"
    }
  }
}
I get the details in the Kibana Discover tab, but I cannot visualize them in Maps. Somehow Maps in Visualization is different than in version 5.6.16, where I didn't have to do much: I was getting the visualization straight away as soon as the geoip data was discovered.
I do need guidance on what to change in Logstash, as I tried targeting the geo_point field of ECS as well, but still I can see no visualization, even though I selected Grid or Docs in Maps. Please help with the code or guidance.
The default index template, which is applied to logstash-* (so not an index called logstash) configures [geoip][location] as a geo_point. Check the mapping of your index to see if it includes this.
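The mapping check suggested above, as an added example that is not part of the thread: the real check is `GET /<index>/_mapping` against Elasticsearch, and this script walks two responses of that shape to report the declared type of `geoip.location` per index. Both mapping documents below are constructed for the example (the index names `logstash-2020.06.15` and `querylog` are assumptions); the second one shows what a dynamically mapped `location` looks like when the `logstash-*` template did not apply, which is exactly the case Kibana Maps cannot draw.

```python
"""Report whether geoip.location is mapped as geo_point in a _mapping response.

Added example, not from the thread. The sample responses are constructed to
resemble what GET /<index>/_mapping returns; they are not from a real cluster.
"""
import json

# Constructed: a logstash-* index where the default Logstash template applied,
# so geoip.location is an explicit geo_point.
MAPPING_WITH_TEMPLATE = {
    "logstash-2020.06.15": {
        "mappings": {
            "properties": {
                "@timestamp": {"type": "date"},
                "IP": {"type": "keyword"},
                "geoip": {
                    "properties": {
                        "ip": {"type": "ip"},
                        "location": {"type": "geo_point"},
                        "latitude": {"type": "half_float"},
                        "longitude": {"type": "half_float"},
                    }
                },
            }
        }
    }
}

# Constructed: an index whose name did not match logstash-*, so no template
# applied and geoip.location was dynamically mapped as an object of two floats.
MAPPING_WITHOUT_TEMPLATE = {
    "querylog": {
        "mappings": {
            "properties": {
                "geoip": {
                    "properties": {
                        "location": {
                            "properties": {
                                "lat": {"type": "float"},
                                "lon": {"type": "float"},
                            }
                        }
                    }
                }
            }
        }
    }
}


def field_type(mapping_response, dotted_path):
    """Return {index_name: declared type} for a dotted field path.

    The value is None when the field is absent or has no explicit "type"
    (an object mapping with only "properties", as in the second sample).
    """
    results = {}
    for index_name, body in mapping_response.items():
        node = body.get("mappings", {})
        for part in dotted_path.split("."):
            node = node.get("properties", {}).get(part)
            if node is None:
                break
        results[index_name] = None if node is None else node.get("type")
    return results


def indices_missing_geo_point(mapping_response):
    """Names of indices whose geoip.location is not a geo_point."""
    types = field_type(mapping_response, "geoip.location")
    return sorted(name for name, t in types.items() if t != "geo_point")


if __name__ == "__main__":
    for response in (MAPPING_WITH_TEMPLATE, MAPPING_WITHOUT_TEMPLATE):
        print(json.dumps(field_type(response, "geoip.location")))
        print("indices missing geo_point:", indices_missing_geo_point(response))
```

If your own index shows up in `indices_missing_geo_point`, the fix is on the mapping side (write to an index the template matches, or add a template of your own with `geoip.location` as `geo_point`) and then reindex; changing the Logstash filter alone will not convert the already-stored field.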
Kindly help, I still don't see the geo_point in Kibana. Another thing: in the Maps visualization, what should I select, Grid, GeoJSON, etc.? Somehow Kibana 5.6.16 was working like a charm for maps, but 7.X has something more to be added.