Location field from index is not mapped to location geo_point at template


(themis) #1

Hi,

I have an index named 'nginx_access*' and a template named nginx_access*. The template is modified to tell Elasticsearch how to parse the index's geo fields. So, my template has at some point:

          "dma_code" : { "type" : "short" },
          "ip" : { "type" : "ip" },
          "latitude" : { "type" : "half_float" },
          "location" : { "type" : "geo_point" },
          "longitude" : { "type" : "half_float" },

However, the json from my 'nginx_access*' index which corresponds to an nginx log has the following regarding geoip:

    "geoip": {
      "city_name": "Athens",
      "timezone": "Europe/Athens",
      "ip": "94.64.92.16",
      "latitude": 37.9833,
      "country_name": "Greece",
      "country_code2": "GR",
      "continent_code": "EU",
      "country_code3": "GR",
      "region_name": "Attica",
      "location": {
        "lon": 23.7333,
        "lat": 37.9833
      },

Consequently, I cannot plot any coordinate map in Kibana, as I'm getting "The "nginx_access*" index pattern does not contain any of the following field types: geo_point "

Also, my logstash.conf regarding nginx is the following:

    mutate { replace => { type => "nginx_access" } }

    grok {
        match => [ "message" , "%{COMBINEDAPACHELOG}+%{GREEDYDATA:extra_fields}"]
        overwrite => [ "message" ]
    }

    mutate {
        convert => ["response", "integer"]
        convert => ["bytes", "integer"]
        convert => ["responsetime", "float"]
    }

    geoip {
        source => "clientip"
    }

Any help would be appreciated. Thanks


(themis) #2

OK, guys, it just worked. Something was messing with the template name that I created in Elasticsearch, or I had to delete the old index and create the index again in Kibana. So, I submitted the template again from the console in Dev Tools in Kibana.

    PUT _template/nginx_access
    {
      "template" : "nginx_access*",
      "version" : 50001,
      "settings" : {
        "index.refresh_interval" : "5s"
      },
      "mappings" : {
        "_default_" : {
            "properties" : {
              "@timestamp" : {
                "type" : "date"
              },
              "@version" : {
                "type" : "text",
       .......

              "dma_code" : { "type" : "short" },
              "ip" : { "type" : "ip" },
              "latitude" : { "type" : "half_float" },
              "location" : { "type" : "geo_point" },
              "longitude" : { "type" : "half_float" },
         ........

Then, I deleted my old index 'nginx_access*' and I created a new one with the same name in Kibana. New log lines are coming into Elasticsearch now with geoip.location interpreted as a geo_point, and as a result, I can visualize the coordinates in the Kibana map. Thanks.


(Mark Walkom) #3

That's important, cause it tells the template to match index names beginning with that name :slight_smile:
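
The two conditions discussed in this thread (the template pattern must match the index name, and the live index must actually carry the `geo_point` mapping) can be checked offline against the JSON returned by `GET _template/nginx_access` and `GET <index>/_mapping`. The following is an added example, not code from the thread; the index names and sample mappings are constructed, and nesting the fields under `geoip` is an assumption because the posted template is elided at that point.

```python
from fnmatch import fnmatchcase

def template_applies(template, index_name):
    """True if the legacy template's "template" pattern matches the index name."""
    # Elasticsearch patterns only use "*"; fnmatch is a close-enough stand-in here.
    return fnmatchcase(index_name, template.get("template", ""))

def field_type(properties, dotted):
    """Walk a mapping "properties" tree; return the type of e.g. geoip.location."""
    node = {"properties": properties}
    for part in dotted.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None                # field not mapped at all
    return node.get("type", "object")  # no explicit type means a plain object

def diagnose(template, index_name, live_properties, field="geoip.location"):
    """List the reasons Kibana would not see `field` as a geo_point."""
    findings = []
    if not template_applies(template, index_name):
        findings.append("template pattern does not match index name")
    tmpl_props = next(iter(template["mappings"].values()))["properties"]
    if field_type(tmpl_props, field) != "geo_point":
        findings.append("template does not map field as geo_point")
    live = field_type(live_properties, field)
    if live != "geo_point":
        # Templates are applied only at index creation, so an existing index
        # keeps its old mapping until it is deleted or reindexed.
        findings.append(f"live index maps {field} as {live}")
    return findings

# Constructed sample data. Nesting the fields under "geoip" is an assumption;
# the template in the thread is elided at that point.
TEMPLATE = {"template": "nginx_access*", "mappings": {"_default_": {"properties": {
    "geoip": {"properties": {"ip": {"type": "ip"},
                             "location": {"type": "geo_point"}}}}}}}
# What dynamic mapping produces for {"lon": 23.7333, "lat": 37.9833}
DYNAMIC = {"geoip": {"properties": {"location": {"properties": {
    "lat": {"type": "float"}, "lon": {"type": "float"}}}}}}
FIXED = {"geoip": {"properties": {"location": {"type": "geo_point"}}}}

if __name__ == "__main__":
    print(diagnose(TEMPLATE, "nginx_access-old", DYNAMIC))
    print(diagnose(TEMPLATE, "nginx_access-new", FIXED))
```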

