Kibana geoip mapping wrong | unable to change index


(bobwilly) #1

I got kibana to index my geoip data. The problem is my data is indexed in kibana as:

    geoip.city_name
    geoip.continent_code
    geoip.country_code2
    geoip.country_code3
    geoip.country_name
    geoip.dma_code
    geoip.ip
    geoip.latitude
    geoip.location.lat
    geoip.location.lon
    geoip.longitude
    geoip.postal_code
    geoip.region_code
    geoip.region_name
    geoip.timezone

To make a map with my data I need the fields to be geo_point. The error I see while trying to build the map is:

`No Compatible Fields: The "csv" index pattern does not contain any of the following field types: geo_point`

I found some solutions where I have to change my index from "csv" to something with logstash-*. When I change my index I get the following error:

    [2017-10-13T11:01:03,653][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash-csv", :_type=>"csv", :_routing=>nil}, 2017-10-13T09:01:03.039Z DESKTOP-hh 00.00.00.00,S], :response=>{"index"=>{"_index"=>"logstash-csv", "_type"=>"csv", "_id"=>"AV8UjolNaCIdC3w", "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"[geoip.location] is defined as an object in mapping [csv] but this name is already used for a field in other types"}}}}

I can't fix the above error (if this is even the end solution).

Versions:

Elec: 5.6.2
Logstash: 5.6.2

conf file:

    input {
        file {
            path => "C:\Users\JOEY2\Desktop\Deelproblemen\Applicatie\Output\OutputIPInfo.csv"
            start_position => "beginning"
            sincedb_path => "/dev/null"
        }
    }

    filter {
        csv {
            separator => ","
            columns => [IP, city, country, region, org, Latitude, Longitude, SpamList, Headers]
        }
        mutate {
            convert => {
                "Latitude" => "float"
                "Longitude" => "float"
            }
            rename => [ "Latitude", "[location][lat]", "Longitude", "[location][lon]" ]
        }
        geoip { source => "IP" }
    }

    output {
        elasticsearch {
            action => "index"
            hosts => "http://localhost:9200"
            index => "csv"
            document_type => "csv"
        }
    }

mapping:

    C:\Users\JOEY2\Downloads\curl-7.56.0-win64-ming\curl-7.56.0-win64-mingw\bin>curl -s localhost:9200/logstash-*/_mapping/?pretty
    {
      "logstash-csv" : {
        "mappings" : {
          "my_type" : {
            "dynamic" : "true",
            "properties" : {
              "geoip" : {
                "dynamic" : "true",
                "properties" : {
                  "location" : {
                    "type" : "geo_point"
                  }
                }
              }
            }
          }
        }
      }
    }

I did make a template which I saw in another solution:

    PUT _template/logstash
    {
      "template": "logstash-*",
      "settings": { "number_of_replicas": 1, "number_of_shards": 2 },
      "mappings": {
        "my_type": {
          "dynamic": "true",
          "properties": {
            "geoip": {
              "dynamic": true,
              "properties": {
                "location": { "type": "geo_point" }
              }
            }
          }
        }
      }
    }

It feels like I'm missing something easy but can't figure out what it is.
Thanks!


(Matt Bargar) #2

In your mappings you're using the type my_type but in your logstash config you're using the type csv. Try deleting all of your old indices and update your logstash config so the index name and type match the mappings in your template. Elasticsearch is complaining right now because two types in the same index cannot have a field with the same name mapped as two different field types.
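
An added example, not part of the thread and not Elasticsearch or Logstash code: an offline Python check of the rule stated in the answer above, run against the `_mapping` output from the question and a constructed sample event. The function names and the simplified dynamic-mapping inference are assumptions made for illustration.

```python
# Added example (not from the thread): models the Elasticsearch 5.x rule that
# a field path must have the same mapping in every type of one index.
# Mapping for logstash-csv, as returned by the _mapping call in the question.
INDEX_MAPPING = {"mappings": {"my_type": {"dynamic": "true", "properties": {
    "geoip": {"dynamic": "true", "properties": {
        "location": {"type": "geo_point"}}}}}}}

# Constructed sample event, shaped like the geoip fields listed in the question.
EVENT = {"IP": "203.0.113.7", "geoip": {
    "city_name": "Example City",
    "location": {"lat": 52.37, "lon": 4.89}}}

def flatten(properties, prefix=""):
    """Return {dotted.path: type} for a mapping 'properties' dict."""
    out = {}
    for name, spec in properties.items():
        out[prefix + name] = spec.get("type", "object")
        out.update(flatten(spec.get("properties", {}), prefix + name + "."))
    return out

def infer(event, prefix=""):
    """Assumption: simplified dynamic mapping (dict=object, float=float, else text)."""
    out = {}
    for name, value in event.items():
        path = prefix + name
        if isinstance(value, dict):
            out[path] = "object"
            out.update(infer(value, path + "."))
        else:
            out[path] = "float" if isinstance(value, float) else "text"
    return out

def conflicts(index_mapping, doc_type, event):
    """List (path, inferred, other_type, other_mapping) clashes for a write."""
    types = {t: flatten(m.get("properties", {}))
             for t, m in index_mapping["mappings"].items()}
    own = types.get(doc_type, {})
    found = []
    for path, inferred in infer(event).items():
        # Skip paths the target type maps itself, or that sit under one of its leaves.
        if path in own or any(path.startswith(p + ".") and t != "object"
                              for p, t in own.items()):
            continue
        for other, fields in types.items():
            if other != doc_type and fields.get(path, inferred) != inferred:
                found.append((path, inferred, other, fields[path]))
    return found

print(conflicts(INDEX_MAPPING, "csv", EVENT))      # type set in the Logstash config
print(conflicts(INDEX_MAPPING, "my_type", EVENT))  # type defined by the template
```

Writing to type `csv` reports `geoip.location` as an object clashing with the `geo_point` in `my_type`, which matches the `illegal_argument_exception` in the question; writing to `my_type` reports nothing.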

