Kibana showing geo-ip location as number not as geopoint

Elastic Stack Kibana
1

image.png1366×768 92.8 KB

my template is as below

{
"template" : "iisnew",
"settings": { "index.refresh_interval": "5s" },
"mappings" : {
"iisnew" : {
"properties": {
"@timestamp":{"type":"date","format":"dateOptionalTime"},
"@version":{"type":"string", "index" : "not_analyzed"},
"tags":{"type":"string"},
"type":{"type":"string"},
"geoip":{
"properties":{
"city_name":{"type":"string", "index":"not_analyzed"},
"continent_code":{"type":"string"},
"country_code2":{"type":"string"},
"country_code3":{"type":"string"},
"country_name":{"type":"string", "index":"not_analyzed"},
"ip":{"type":"ip"},
"latitude":{"type":"double"},
"location":{"type":"geo_point"},
"longitude":{"type":"double"},
"postal_code":{"type":"string"},
"region_code":{"type":"string", "index":"not_analyzed"},
"region_name":{"type":"string", "index":"not_analyzed"},
"timezone":{"type":"string"}
} },
"response":{"type":"long"},
"sc-status":{"type":"long"},
"sc-substatus":{"type":"long"},
"time-taken":{"type":"long"},
"c-ip":{"type":"ip"},
"cs":{"type":"string"},
"cs-method":{"type":"string"},
"cs-uri-query":{"type":"string"},
"cs-uri-stem":{"type":"string"},
"cs-username":{"type":"string"},
"host":{"type":"string"},
"message":{"type":"string"},
"path":{"type":"string"},
"s-port":{"type":"long"},
"s-sitename":{"type":"ip"},
}
}
}
}

my config file as below

input {
file {
type => "iis-w3c"
path => "C:/ElasticProducts/iis.log"
start_position => "beginning"
sincedb_path => "/dev/null"
}

}

filter {

if [message] =~ "^#" {
drop {}
}

grok {
match => [
"message", "%{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:s-sitename} %{WORD:cs-method} %{URIPATH:cs-uri-stem} %{NOTSPACE:cs-uri-query} %{NUMBER:s-port} %{NOTSPACE:cs-username} %{IPORHOST:c-ip} %{NOTSPACE:cs(User-Agent)} %{NOTSPACE:cs(Referer)} %{NUMBER:response:int} %{NUMBER:sc-status:int} %{NUMBER:sc-substatus:int} %{NUMBER:time-taken:int}"
]
}

date {
match => [ "timestamp", "YYYY-MM-dd HH:mm:ss" ]
timezone => "Etc/UTC"
}

if [sc-bytes] {
ruby {
code => "event['kilobytesSent'] = event['sc-bytes'].to_i / 1024.0"
}
}

if [cs-bytes] {
ruby {
code => "event['kilobytesReceived'] = event['cs-bytes'].to_i / 1024.0"
}
}

mutate {

convert => ["sc-bytes", "integer"]
convert => ["cs-bytes", "integer"]
convert => ["time-taken", "integer"]

remove_field => [ "timestamp"]

}

geoip {
source => "c-ip"
target => "geoip"
add_tag => [ "iis-geoip" ]

database => "C:/ElasticProducts/geoip/GeoLite2-City.mmdb"
  add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
  add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
}

mutate {
convert => [ "[geoip][coordinates]", "float"]
}

useragent {
source => "cs(User-Agent)"
prefix=> "browser"
}
}

output {
elasticsearch {
hosts => ["localhost:9200"]
user => "elastic"
password => "changeme"

index => "iisnew"
template => "C:\ElasticProducts\iisnew.json"

document_type => "iis-log"

}

stdout {
codec => rubydebug
}
}

2

Your template name does not match your index name. See https://www.elastic.co/guide/en/elasticsearch/reference/5.2/indices-templates.html#indices-templates

3

OK thanks for the help. Now i got some parse error in elastic search. command window. i checked grok with grok debugger. it didn't give any error.

My editted config file and template as above. i changed iis to iisnew

elastic search 5.2.0, logstash 5.2.0

[2017-02-19T02:30:14,239][DEBUG][o.e.a.b.TransportShardBulkAction] [LF_KWPf] [iisnew][1] failed to execute bulk item (index) index {[iisnew][iis-log][AVpVfhZw__C-MsaeEM-1], source[{"cs-method":"GET","s-sitename":"11.0.0.6","geoip":{"timezone":"Asia/Kolkata","ip":"103.15.254.29","latitude":10.5167,"coordinates":[76.2167,10.5167],"continent_code":"AS","city_name":"Thrissur","country_code2":"IN","country_name":"India","country_code3":"IN","region_name":"Kerala","location":[76.2167,10.5167],"postal_code":"682301","longitude":76.2167,"region_code":"KL"},"cs-uri-stem":"/portal/js/vendor/jquery.cookie.min.js","cs-uri-query":"-","sc-substatus":0,"message":"2017-02-16 14:56:51 11.0.0.6 GET /portal/js/vendor/jquery.cookie.min.js - 444 - 103.15.254.29 Mozilla/5.0+(Windows+NT+11.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/56.0.2924.87+Safari/537.36 https://ace.centralus.cloudapp.azure.com:444/ 200 0 0 265\r","type":"iis-w3c","cs-username":"-","time-taken":265,"tags":["iis-geoip"],"cs":["Mozilla/5.0+(Windows+NT+11.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/56.0.2924.87+Safari/537.36","https://ace.centralus.cloudapp.azure.com:444/"],"path":"C:/ElasticProducts/iis.log","@timestamp":"2017-02-16T14:56:51.000Z","response":200,"s-port":"444","sc-status":0,"@version":"1","host":"ace-2","c-ip":"103.15.254.29"}]}
org.elasticsearch.index.mapper.MapperParsingException: failed to parse
at org.elasticsearch.index.mapper.DocumentParser.wrapInMapperParsingException(DocumentParser.java:175) ~[elasticsearch-5.2.0.jar:5.2.0]

image.png1366×768 96.1 KB

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.