Index template not being applied

To achieve my goal - map geo location data from nginx logs to a map - I added an index template to ES with a command like this:

PUT _template/nginx-default
{
  "template": "nginx-*",
  "order": 0,
  "index_patterns": [
    "nginx*"
  ],
  "settings": {
    "index.mapping.ignore_malformed": true
  },
  "mappings": {
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      ...
      "geoip": {
        "properties": {
          "location": {
            "type": "geo_point"
          }
        }
      },
      ...
    }
  }
}

After creating this template, I issued a complete reload of all data (removed indices from ES and deleted the registry file in Filebeat - I don't have that much data).

The location field contains two properties, lat and lon, submitted as numbers:

geoip.location.lat: number
geoip.location.lon: number

Example:

| Field | Value |
|---|---|
| geoip.location.lat | 37.751 |
| geoip.location.lon | -97.822 |

But when I try to create a map, I still get the feedback that there is no geo_ip field:

The index pattern nginx* does not contain any of the following compatible field types: geo_point

What am I missing here?

Thanks!

Can you show the name and full mapping of one of the indices? Can you show a sample indexed document?

Sure. The name of one index is "nginx-2019-04".

Find the data here:

https://pastebin.com/fmVb4f59

When you look at an indexed document, is the location geo_point field filled in?

How are you ingesting the data?

Hey

Yes, it is (you can see it on pastebin; let me post the relevant part here again):

"geoip": {
  "ip": "123.456.789.0",
  "country_code2": "DE",
  "location": {
    "lon": 13.123,
    "lat": 52.123
  },
  "region_code": "BE",
  "continent_code": "EU",
  "timezone": "Europe/Berlin",
  "city_name": "Berlin",
  "country_code3": "DE",
  "latitude": 52.123,
  "postal_code": "12345",
  "country_name": "Germany",
  "region_name": "Land Berlin",
  "longitude": 13.456
},

The index on Kibana, though, does not show the location field itself, but its properties (lon / lat):

[screenshot]

Data comes from Filebeat, via Logstash, where I configured filtering. This is the GeoIP part:

  geoip {
    source => "[nginx][access][client]"
  }

Was the index created after you added the index template? The template only applies when the index is first created, as you cannot change mappings in existing indices.

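An added example, not part of the original thread: a small Python check that tells the situation described in the answer above (index created before the template, so `geoip.location` was dynamically mapped as an object with numeric `lat`/`lon`) apart from a correctly applied `geo_point` mapping. It assumes the typeless `GET <index>/_mapping` response shape of Elasticsearch 7.x; the sample responses, the function names and the result strings are constructed for illustration.

```python
from fnmatch import fnmatchcase

def field_mapping(mapping_response, index, path):
    """Walk a GET <index>/_mapping response down a dotted field path."""
    node = mapping_response[index]["mappings"]
    for part in path.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node

def diagnose(mapping_response, index, template, path="geoip.location"):
    """Explain why Kibana does or does not see a geo_point field."""
    # fnmatch approximates Elasticsearch's '*' wildcard in index_patterns.
    patterns = template.get("index_patterns", [])
    if not any(fnmatchcase(index, p) for p in patterns):
        return "template-pattern-mismatch"
    field = field_mapping(mapping_response, index, path)
    if field is None:
        return "field-not-mapped"
    if field.get("type") == "geo_point":
        return "ok"
    # Dynamic mapping turns {"lat": 52.1, "lon": 13.1} into an object with
    # two float sub-fields. An existing field cannot be changed to
    # geo_point, so the index must be recreated with the template in place.
    if {"lat", "lon"} <= set(field.get("properties", {})):
        return "dynamic-object-reindex-needed"
    return "unexpected-type"

# Constructed sample data (not taken from the pastebin in the thread).
TEMPLATE = {"index_patterns": ["nginx*"]}
STALE = {"nginx-2019-04": {"mappings": {"properties": {"geoip": {
    "properties": {"location": {"properties": {
        "lat": {"type": "float"}, "lon": {"type": "float"}}}}}}}}}
FRESH = {"nginx-2019-04": {"mappings": {"properties": {"geoip": {
    "properties": {"location": {"type": "geo_point"}}}}}}}

if __name__ == "__main__":
    for name, resp in (("stale", STALE), ("fresh", FRESH)):
        print(name, diagnose(resp, "nginx-2019-04", TEMPLATE))
```

After recreating an index, Kibana's index pattern field list also has to be refreshed before the map visualization picks up the new field type.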

That's what I was missing. I only deleted the index in Elasticsearch. So, this template applies to the data when creating the Kibana index, not the Elasticsearch index.

Thanks a lot!
