Kibana tilemap not showing any results

PCO · May 26, 2016, 3:25pm

Hi there,

I have an ELK stack running correctly without geo data.

I started to add a new kind of data with geo data and unfortunately I can not visualize any data.

Logstash receives data from filebeat (data source is a log file)
I created a new template for ES on logstash side
I was able to add a new index pattern in Kibana and my "location" field appears as "geo_point" type
I can see data in the discover section and the location field contains correct values
In visualize section, the only possible choice in Aggregation is 'Geohash' and the field contains the location value but I only get a "no results found" message instead of the tile map.

Versions

Logstash 2.1.3
Kibana 4.3.0
ES 2.1.0

Logstash filter

mutate {
add_field => {
"[location][lat]" => "%{lat}"
"[location][lon]" => "%{lon}"
}
}
mutate {
convert => {
"[location][lat]" => "float"
"[location][lon]" => "float"
}
}

Template definition

{
"template":"elk-xxx-status-geo-*",
"settings":{
"index.refreshinterval":"5s"
},
"mappings": {
"elk-xxx": {
"properties" : {
"location" : {
"type" : "geo_point"
}
}
}
}
}

Here is an event in ES (displayed through Kibana)

{
"_index": "elk-xxx-status-geo-2016.05.26",
"_type": "xxx-msg-status",
"_id": "AVTtoVu0MqnIx4T11oGX",
"_score": null,
"_source": {
"message": ""26/05/16-17:14:01 RSP-G UPDATE 47.5611 -1.1867"",
"@version": "1",
"@timestamp": "2016-05-26T15:14:08.450Z",
"beat": {
"hostname": "elk-yyy",
"name": "elk-yyy"
},
"count": 1,
"fields": null,
"input_type": "log",
"offset": 210417,
"source": "/var/log/xxx/filebeat-input-status.log",
"type": "xxx-msg-status",
"host": "elk-yyy",
"tags": [
"beats_input_codec_plain_applied"
],
"msgdate": "26/05/16-17:14:01",
"device": "RSP-G",
"status": "UPDATE",
"lat": "47.5611",
"lon": "-1.1867",
"msgtype": "status",
"location": {
"lat": 47.5611,
"lon": -1.1867
}
},
"fields": {
"@timestamp": [
1464275648450
]
},
"sort": [
1464275648450
]
}

warkolm · May 26, 2016, 11:22pm

You need a single field like;

"location": {
[ "47.5611", "-1.1867"]
}

PCO · May 27, 2016, 8:42am

would you mind to share your template & filter syntax ?

(the syntax you are using does not seem to be one of the 3 documented )

warkolm · May 28, 2016, 12:55am

You are right, I shouldn't have the quotes in there - https://www.elastic.co/guide/en/elasticsearch/reference/current/geo-point.html

PCO · June 9, 2016, 3:08pm

I am still trying to fix this but with no luck ;-(

When I perform manual requests, I can get results for "location.lat" and "location.lon" fields but nothing for "location", that's strange no ?

curl -XPOST @:port/elk-xxx-geoloc-2016.06.09/_search?pretty -d '{"from":0,"size":1,"sort":{"_score":{"order":"asc"}},"fields":["location.lat"],"explain":false}:'

{
  "took" : 12,
  "timed_out" : false,
  "_shards" : {
    "total" : 3,
    "successful" : 3,
    "failed" : 0
  },
  "hits" : {
    "total" : 25,
    "max_score" : null,
    "hits" : [ {
      "_index" : "elk-xxx-geoloc-2016.06.09",
      "_type" : "xxx-msg-geoloc",
      "_id" : "AVU1nBLAJrc3WfM_96XR",
      "_score" : 1.0,
      "fields" : {
        "location.lat" : [ 48.5364 ]
      },
      "sort" : [ 1.0 ]
    } ]
  }
}

curl -XPOST @:port/elk-xxx-geoloc-2016.06.09/_search?pretty -d '{"from":0,"size":1,"sort":{"_score":{"order":"asc"}},"fields":["location.lon"],"explain":false}:'
{
  "took" : 10,
  "timed_out" : false,
  "_shards" : {
    "total" : 3,
    "successful" : 3,
    "failed" : 0
  },
  "hits" : {
    "total" : 26,
    "max_score" : null,
    "hits" : [ {
      "_index" : "elk-xxx-geoloc-2016.06.09",
      "_type" : "xxx-msg-geoloc",
      "_id" : "AVU1nBLAJrc3WfM_96XR",
      "_score" : 1.0,
      "fields" : {
        "location.lon" : [ -1.7748 ]
      },
      "sort" : [ 1.0 ]
    } ]
  }
}

curl -XPOST @:port/elk-xxx-geoloc-2016.06.09/_search?pretty -d '{"from":0,"size":1,"sort":{"_score":{"order":"asc"}},"fields":["location"],"explain":false}:'
{
  "took" : 14,
  "timed_out" : false,
  "_shards" : {
    "total" : 3,
    "successful" : 3,
    "failed" : 0
  },
  "hits" : {
    "total" : 26,
    "max_score" : null,
    "hits" : [ {
      "_index" : "elk-xxx-geoloc-2016.06.09",
      "_type" : "xxx-msg-geoloc",
      "_id" : "AVU1nBLAJrc3WfM_96XR",
      "_score" : 1.0,
      "sort" : [ 1.0 ]
    } ]
  }
}