Kibana how to get geo_point working?

Tommo · July 2, 2016, 12:48pm

For the life of me I can't get geo-ip working any help would be greatly accepted.
Here is the error in Kibana:
"No Compatible Fields: The "syslog-*" index pattern does not contain any of the following field types: geo_point"

Question is how do I fix it?

in my filter I have the following:
geoip {
database => "/etc/logstash/GeoLiteCity.dat"
source => "src_IP"
target => "geoip"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}

I get the following out put:

"geoip": {
  "ip": "85.25.235.85",
  "country_code2": "DE",
  "country_code3": "DEU",
  "country_name": "Germany",
  "continent_code": "EU",
  "latitude": 51,
  "longitude": 9,
  "timezone": "Europe/Berlin",
  "location": [
    9,
    51
  ],
  "coordinates": [
    9,
    51
  ]
}

warkolm · July 3, 2016, 10:51pm

What are those fields mapped as in ES?
Check with the _mapping endpoint?

Tommo · July 4, 2016, 12:14am

Thanks Mark,
I don't see any types that = "geo_point" so I assume I must set this but from that I assume I must also change the template so that it is set on a permanent basis?

Is there a curl "put" to modify the existing indices and where would I then change template?

Here is the output from the _mapping:

{"syslog-2016.07.04":{"mappings":{"syslog":{"properties":{"@timestamp":{"type":"date","format":"strict_date_optional_time||epoch_millis"},"@version":{"type":"string"},"dest_IP":{"type":"string"},"dst_addr":{"type":"string"},"dst_port":{"type":"string"},"from_zone":{"type":"string"},"geoip":{"properties":{"area_code":{"type":"long"},"city_name":{"type":"string"},"continent_code":{"type":"string"},"coordinates":{"type":"double"},"country_code2":{"type":"string"},"country_code3":{"type":"string"},"country_name":{"type":"string"},"dma_code":{"type":"long"},"ip":{"type":"string"},"latitude":{"type":"double"},"location":{"type":"double"},"longitude":{"type":"double"},"postal_code":{"type":"string"},"real_region_name":{"type":"string"},"region_name":{"type":"string"},"timezone":{"type":"string"}}},"host":{"type":"string"},"message":{"type":"string"},"policy_name":{"type":"string"},"protocol_id":{"type":"string"},"received_at":{"type":"date","format":"strict_date_optional_time||epoch_millis"},"received_from":{"type":"string"},"service":{"type":"string"},"src_IP":{"type":"string"},"src_addr":{"type":"string"},"src_port":{"type":"string"},"syslog_hostname":{"type":"string"},"syslog_message":{"type":"string"},"syslog_pid":{"type":"string"},"syslog_pri":{"type":"string"},"syslog_program":{"type":"string"},"syslog_timestamp":{"type":"string"},"to_zone":{"type":"string"},"type":{"type":"string"}}}}}}

warkolm · July 4, 2016, 2:57am

Ok, so you need to add that to the template/mapping for the field. You don't need the location and coordinates fields though, just pick one.