Kibana tilemap not showing any results


#1

Hi there,

I have an ELK stack running correctly without geo data.

I started to add a new kind of data with geo data and unfortunately I cannot visualize any data.

  • Logstash receives data from filebeat (data source is a log file)
  • I created a new template for ES on logstash side
  • I was able to add a new index pattern in Kibana and my "location" field appears as "geo_point" type
  • I can see data in the discover section and the location field contains correct values
  • In visualize section, the only possible choice in Aggregation is 'Geohash' and the field contains the location value but I only get a "no results found" message instead of the tile map.

Versions

Logstash 2.1.3
Kibana 4.3.0
ES 2.1.0


Logstash filter

mutate {
  add_field => {
    "[location][lat]" => "%{lat}"
    "[location][lon]" => "%{lon}"
  }
}
mutate {
  convert => {
    "[location][lat]" => "float"
    "[location][lon]" => "float"
  }
}


Template definition

{
  "template":"elk-xxx-status-geo-*",
  "settings":{
    "index.refreshinterval":"5s"
  },
  "mappings": {
    "elk-xxx": {
      "properties" : {
        "location" : {
          "type" : "geo_point"
        }
      }
    }
  }
}


Here is an event in ES (displayed through Kibana)

{
  "_index": "elk-xxx-status-geo-2016.05.26",
  "_type": "xxx-msg-status",
  "_id": "AVTtoVu0MqnIx4T11oGX",
  "_score": null,
  "_source": {
    "message": ""26/05/16-17:14:01 RSP-G UPDATE 47.5611 -1.1867"",
    "@version": "1",
    "@timestamp": "2016-05-26T15:14:08.450Z",
    "beat": {
      "hostname": "elk-yyy",
      "name": "elk-yyy"
    },
    "count": 1,
    "fields": null,
    "input_type": "log",
    "offset": 210417,
    "source": "/var/log/xxx/filebeat-input-status.log",
    "type": "xxx-msg-status",
    "host": "elk-yyy",
    "tags": [
      "beats_input_codec_plain_applied"
    ],
    "msgdate": "26/05/16-17:14:01",
    "device": "RSP-G",
    "status": "UPDATE",
    "lat": "47.5611",
    "lon": "-1.1867",
    "msgtype": "status",
    "location": {
      "lat": 47.5611,
      "lon": -1.1867
    }
  },
  "fields": {
    "@timestamp": [
      1464275648450
    ]
  },
  "sort": [
    1464275648450
  ]
}


(Mark Walkom) #2

You need a single field like;

"location": {
[ "47.5611", "-1.1867"]
}

#3

Would you mind sharing your template and filter syntax?

(The syntax you are using does not seem to be one of the 3 documented.)


(Mark Walkom) #4

You are right, I shouldn't have the quotes in there - https://www.elastic.co/guide/en/elasticsearch/reference/current/geo-point.html


#5

I am still trying to fix this, but with no luck ;-(

When I perform manual requests, I can get results for the "location.lat" and "location.lon" fields but nothing for "location". That's strange, no?

curl -XPOST @:port/elk-xxx-geoloc-2016.06.09/_search?pretty -d '{"from":0,"size":1,"sort":{"_score":{"order":"asc"}},"fields":["location.lat"],"explain":false}:'

{
  "took" : 12,
  "timed_out" : false,
  "_shards" : {
    "total" : 3,
    "successful" : 3,
    "failed" : 0
  },
  "hits" : {
    "total" : 25,
    "max_score" : null,
    "hits" : [ {
      "_index" : "elk-xxx-geoloc-2016.06.09",
      "_type" : "xxx-msg-geoloc",
      "_id" : "AVU1nBLAJrc3WfM_96XR",
      "_score" : 1.0,
      "fields" : {
        "location.lat" : [ 48.5364 ]
      },
      "sort" : [ 1.0 ]
    } ]
  }
}

curl -XPOST @:port/elk-xxx-geoloc-2016.06.09/_search?pretty -d '{"from":0,"size":1,"sort":{"_score":{"order":"asc"}},"fields":["location.lon"],"explain":false}:'
{
  "took" : 10,
  "timed_out" : false,
  "_shards" : {
    "total" : 3,
    "successful" : 3,
    "failed" : 0
  },
  "hits" : {
    "total" : 26,
    "max_score" : null,
    "hits" : [ {
      "_index" : "elk-xxx-geoloc-2016.06.09",
      "_type" : "xxx-msg-geoloc",
      "_id" : "AVU1nBLAJrc3WfM_96XR",
      "_score" : 1.0,
      "fields" : {
        "location.lon" : [ -1.7748 ]
      },
      "sort" : [ 1.0 ]
    } ]
  }
}

curl -XPOST @:port/elk-xxx-geoloc-2016.06.09/_search?pretty -d '{"from":0,"size":1,"sort":{"_score":{"order":"asc"}},"fields":["location"],"explain":false}:'
{
  "took" : 14,
  "timed_out" : false,
  "_shards" : {
    "total" : 3,
    "successful" : 3,
    "failed" : 0
  },
  "hits" : {
    "total" : 26,
    "max_score" : null,
    "hits" : [ {
      "_index" : "elk-xxx-geoloc-2016.06.09",
      "_type" : "xxx-msg-geoloc",
      "_id" : "AVU1nBLAJrc3WfM_96XR",
      "_score" : 1.0,
      "sort" : [ 1.0 ]
    } ]
  }
}
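
An offline consistency check over the values posted in this thread, added here as an example and not part of any participant's post: it tests whether the template from #1 declares `location` as `geo_point` for the `_index`/`_type` of the documents shown in #1 and #5. It assumes Elasticsearch 2.x behaviour, where a template applies to indices whose names match its pattern and its mappings are keyed by document type (with `_default_` covering all types); the function names are hypothetical.

```python
import re

# Template as posted in #1 (settings omitted; only the pattern and mappings matter here).
TEMPLATE = {
    "template": "elk-xxx-status-geo-*",
    "mappings": {"elk-xxx": {"properties": {"location": {"type": "geo_point"}}}},
}

# (_index, _type) pairs copied from the event in #1 and the search hits in #5.
DOCS = [
    ("elk-xxx-status-geo-2016.05.26", "xxx-msg-status"),
    ("elk-xxx-geoloc-2016.06.09", "xxx-msg-geoloc"),
]


def pattern_matches(pattern, index_name):
    """Match an index name against a template pattern; '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index_name) is not None


def mapped_type(template, index_name, doc_type, field):
    """Type the template declares for `field` on this index/type, or None if not covered."""
    if not pattern_matches(template["template"], index_name):
        return None
    mappings = template.get("mappings", {})
    # The mapping key must equal the document's _type; "_default_" applies to every type.
    for key in (doc_type, "_default_"):
        props = mappings.get(key, {}).get("properties", {})
        if field in props:
            return props[field].get("type")
    return None


def report(template, docs, field="location"):
    """One (index, type, declared field type) row per document."""
    return [(i, t, mapped_type(template, i, t, field)) for i, t in docs]


if __name__ == "__main__":
    for index_name, doc_type, ftype in report(TEMPLATE, DOCS):
        print(f"{index_name}/{doc_type}: location -> {ftype or 'not covered by template'}")
```

Against a live cluster, the index's own mapping (`GET <index>/_mapping`) is the authoritative answer for which type actually carries the `geo_point` field.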
