How can I plot Google map with Long and Lat?

I have two columns in my data. I am loading the data directly using the bulk API (without Logstash). I want to plot the map. How can I plot it, or else what is the format of GEOIP that Kibana accepts by default? How do I convert lat/long into geoip?

Hi Akshay,

Could you please share a snippet of what your data looks like? It should look something like this:

{
  "lat": 44.529845,
  "lon": -122.9295336
}

Assuming that the name of the field is "geo.coordinates", here is how you can configure a Coordinate Map visualization to aggregate this data:

Does this help?

Thanks,
CJ

I have lat and long in two different columns. What should be the value of the geo.coordinates column?

You'll need to create a single column that contains an object with "lat" and "lon" properties, like in the example I posted above:

{
  "lat": 44.529845,
  "lon": -122.9295336
}

Can you share an example of your data?

Thanks,
CJ

Data

Kibana

Hi Akshay, the "geoip.location" field is just an example. The data set I'm using has that field, but it doesn't look like your data set does. You'll have to create a field that consists of an object with the "latitude" and "longitude" fields from your data set. Does this make sense?

CJ

How do I create that field which contains an object of lat and long?

Can you try using Logstash to transform your data? Take a look at the mutate plugin filter, specifically configured with add_field: https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html#plugins-filters-mutate-add_field.

You'll want to end up with something like this:

filter {
  mutate {
    rename => {
      'latitude' => '[geo][lat]'
      'longitude' => '[geo][lon]'
    }
  }
}

or:

filter {
  mutate {
    rename => {
      'latitude' => '[geo][0]'
      'longitude' => '[geo][1]'
    }
  }
}

For some more context, what we're trying to do is wrangle some of your data to create a new field which conforms to the geo_point datatype (https://www.elastic.co/guide/en/elasticsearch/reference/current/geo-point.html).

CJ

Sorry Akshay, I just found out that it will actually be a two-step process in Logstash. This is because our field references always convert the values to strings. So the configuration will look like this:

  mutate { add_field => { 'geo' => [ '%{[latitude]}', '%{[longitude]}' ] } }
  mutate { convert => {
      '[geo][0]' => 'float'
      '[geo][1]' => 'float'
    }
  }

This first creates the geo field with the values from your latitude and longitude fields, and then converts them from strings to floats.

Does this help?

CJ

Hi CJ,
Actually, I am inserting data through the bulk API using curl commands. Is there any way I can add this geo field through a curl command?

No, you need something to "join" the lat and lon fields.

Suppose I create one field called geoip.location which has the value "lat,long"

or

Kibana by default takes the fields geoip.longitude and geoip.latitude. Should I rename my columns from latitude to geoip.latitude and longitude to geoip.longitude?

You need to do the first one.

Why not the second? What should be the datatype of geoip.location: string, or something else?

Because they are still individual fields, it needs to be in this format - https://www.elastic.co/guide/en/elasticsearch/reference/current/geo-point.html

String is fine, right, according to your link?

Yes;

Geo-point expressed as a string with the format: "lat,lon".

The field name must be geoip.location, right?

You can name it whatever you want. Logstash just uses geoip.location because it has a template it uses that defines that field as a geopoint. If you rename it you need a similar template or mapping.

https://www.elastic.co/blog/geoip-in-the-elastic-stack may be worth reading.
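One way to do the "join" without Logstash, as an added example that is not part of any post in this thread: a Python script that merges the two columns into the "lat,lon" string form, builds the bulk request body, and produces a mapping that declares the field as geo_point. The index name `places` and field name `location` are assumptions, the source column names `latitude` and `longitude` follow the thread, and the typeless mapping form assumes Elasticsearch 7 or later.

```python
import json

INDEX = "places"        # assumed index name
GEO_FIELD = "location"  # assumed field name; any name works once mapped as geo_point


def mapping_body(field=GEO_FIELD):
    """Index-creation body declaring `field` as geo_point (typeless form, ES 7+)."""
    return {"mappings": {"properties": {field: {"type": "geo_point"}}}}


def to_geo_string(lat, lon):
    """Join two columns into the "lat,lon" string form; None if unusable."""
    try:
        lat, lon = float(lat), float(lon)
    except (TypeError, ValueError):
        return None
    # Range check also catches swapped columns and NaN values.
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        return None
    return f"{lat},{lon}"


def to_bulk(rows, index=INDEX, field=GEO_FIELD):
    """Return (ndjson_body, rejected_rows) for the _bulk endpoint."""
    lines, rejected = [], []
    for row in rows:
        point = to_geo_string(row.get("latitude"), row.get("longitude"))
        if point is None:
            rejected.append(row)
            continue
        doc = {k: v for k, v in row.items() if k not in ("latitude", "longitude")}
        doc[field] = point
        lines.append(json.dumps({"index": {"_index": index}}))  # action line
        lines.append(json.dumps(doc))                           # document line
    # _bulk requires every line, including the last, to end with a newline.
    return "".join(line + "\n" for line in lines), rejected


# Constructed sample rows (not data from the thread)
ROWS = [
    {"name": "a", "latitude": 44.529845, "longitude": -122.9295336},
    {"name": "b", "latitude": "18.5204", "longitude": "73.8567"},
    {"name": "c", "latitude": -122.9, "longitude": 44.5},  # swapped columns
    {"name": "d", "latitude": None, "longitude": 10},
]

if __name__ == "__main__":
    print(json.dumps(mapping_body()))
    body, bad = to_bulk(ROWS)
    print(body, end="")
    print("rejected:", [r["name"] for r in bad])
```

Create the index with the mapping body before loading any documents, then post the NDJSON body to `_bulk` with curl's `--data-binary` option so the newlines are preserved.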

I am loading JSON data through a curl command using the bulk API, so geoip.location should work then, right?