Index template not being applied

John_Doe3 · October 18, 2019, 8:34pm

To achieve my goal - map geo location data from nginx logs to a map - I added a index template to ES with command like this:

PUT _template/nginx-default
{
"template": "nginx-*",
"order": 0,
"index_patterns" : [
  "nginx*"
],
"settings": {
"index.mapping.ignore_malformed": true
},
  "mappings" : {
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        },

...
"geoip" : {
"location" : {
"type": "geo_point"
},
},

...
}
}

After creating this template, I issued a complete reload of all data (removed indices from ES and deleted registry file in filebeat - I dont have that much data).

The location field contains two properties, lat and lon, submitted as numbers:

geoip.location.lat: number
geoip.location.lon: number

Example:

|#geoip.location.lat|37.751|
|---|---|
|#geoip.location.lon|-97.822|

But when I try to create a map, I still get the feedback, that there is no geo_ip field:

The index pattern nginx* does not contain any of the following compatible field types: geo_point

What am I missing here?

Thanks!

Christian_Dahlqvist · October 18, 2019, 8:43pm

Can you show the name and full mapping of one of the indices? Can you show a sample indexed document?

John_Doe3 · October 19, 2019, 2:42pm

Sure.. the name of one index is "nginx-2019-04".

find the data here:

https://pastebin.com/fmVb4f59

stephenb · October 19, 2019, 5:38pm

When you look at an indexed document is the location geo_point field filled in

How are you ingesting the data?

John_Doe3 · October 20, 2019, 8:54am

Hey

yes, it is (you can see it on pastebin,let me post relevant part here again:

"geoip": {

          "ip": "123.456.789.0",

          "country_code2": "DE",

          "location": {

            "lon": 13.123,

            "lat": 52.123

          },

          "region_code": "BE",

          "continent_code": "EU",

          "timezone": "Europe/Berlin",

          "city_name": "Berlin",

          "country_code3": "DE",

          "latitude": 52.123,

          "postal_code": "12345",

          "country_name": "Germany",

          "region_name": "Land Berlin",

          "longitude": 13.456

        },

The index on Kibana, though, does not show the location-field itself, but it's properties (lon / lat):

grafik

Data comes from Filebeat, via Logstash, where I configured filering. This is the GeoIp-Part:

  geoip {
    source => "[nginx][access][client]"
  }

Christian_Dahlqvist · October 20, 2019, 9:20am

Was the index created after you added the index template? The template only applies when the index is first created as you can not change mappings in existing indices.

John_Doe3 · October 20, 2019, 12:13pm

That's what I was missing. I only deleted the Index in Elasticsearch. So, this template applies to the data when creating the Kibana Index, not the Elastic Search Index.

Thanks a lot!

system · November 17, 2019, 12:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.