How to change two fields in an index to a geo point?

witcher · October 14, 2020, 11:33am

PUT _ingest/pipeline/geoip    
{
"description" : "Add geoip info",
"processors" : [
 {
  "geoip" : {
    "field" : "source_ip",
    "database_file": "GeoLite2-City.mmdb",
    "target_field": "sourceip_geo"
  }
}
]
}

then I run this and refresh the index

POST ips/_update_by_query?pipeline=geoip

my log in the discovery tab looks like this

what i want to do is convert the latitude and longitude in a geo point format so I can plot.

ylasri · October 14, 2020, 1:25pm

You have to update first your ips index mapping and map field sourceip_geo.location into a geo_point type

witcher · October 14, 2020, 2:48pm

@ylasri i guess I am not following you

ylasri · October 14, 2020, 2:49pm

Share your index mapping, use this from dev Console

GET ips/_mapping

ylasri · October 14, 2020, 3:10pm

I suppose that you have imported data using ML importer, you source file contain only 2 fields :

source_ip
dest_ip

The initial mapping will be

PUT ips
{
  "settings": {
    "number_of_shards": 1,
    "number_of_replicas": 0
  },
  "mappings": {
    "_meta": {
      "created_by": "ml-file-data-visualizer"
    },
    "properties": {
      "dest_ip": {
        "type": "ip"
      },
      "source_ip": {
        "type": "ip"
      }
    }
  }
}

Now before you update your index with the ingest pipeline, you should first update the index mapping as follow

PUT ips/_mapping
{
  "properties": {
    "sourceip_geo": {
      "properties": {
        "city_name": {
          "type": "keyword"
        },
        "continent_name": {
          "type": "keyword"
        },
        "country_iso_code": {
          "type": "keyword"
        },
        "location": {
          "type": "geo_point"
        },
        "region_iso_code": {
          "type": "keyword"
        },
        "region_name": {
          "type": "keyword"
        }
      }
    }
  }
}

This is beacause you ingest pipeline is adding an object sourceip_geo

PUT _ingest/pipeline/geoip
{
  "description": "Add geoip info",
  "processors": [
    {
      "geoip": {
        "field": "source_ip",
        "database_file": "GeoLite2-City.mmdb",
        "target_field": "sourceip_geo"
      }
    }
  ]
}

witcher · October 14, 2020, 3:19pm

@ylasri you are absolutely correct about the two fields and importer part
okay I did as you said now the mapping is like this

{
"ips" : {
"mappings" : {
  "_meta" : {
    "created_by" : "ml-file-data-visualizer"
  },
  "properties" : {
    "dest_ip" : {
      "type" : "ip"
    },
    "source_ip" : {
      "type" : "ip"
    },
    "sourceip_geo" : {
      "properties" : {
        "city_name" : {
          "type" : "keyword"
        },
        "continent_name" : {
          "type" : "keyword"
        },
        "country_iso_code" : {
          "type" : "keyword"
        },
        "location" : {
          "type" : "geo_point"
        },
        "region_iso_code" : {
          "type" : "keyword"
        },
        "region_name" : {
          "type" : "keyword"
        }
      }
    }
  }
}
}
}

system · November 11, 2020, 3:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Convert two field string into a single field geo_point Elasticsearch	32	8404	April 29, 2019
Geoip to geopoint Elastic Stack	3	876	November 4, 2022
Convert lat, , long coming as two attributes to geo point Elasticsearch	13	3008	August 8, 2020
Mapping field as geo_point Logstash	3	1539	December 29, 2020
Geo_point for conection map Logstash	3	321	February 24, 2020

How to change two fields in an index to a geo point?

Related topics