Logstash 6.2.3 convert json values to GeoPoint Issue

Sajith_Vijesekara · September 29, 2018, 8:11am

Hi I am new to ELK so first I want to setup custom json file read using logstash. I want to show the customer locations in kibana map . This is the json format I want to convert.

{"id":1,"first_name":"Freeman","last_name":"Jowers","email":"fjowers0@mashable.com","gender":"Male","ip_address":"15.128.77.162","latitude":9.9004655,"longitude":13.0544185,"date":"2017-10-29T17:47:59Z","country":"Nigeria"}

This is the Configuration file I have used for logstash.

  filter { grok {
    match => ['message','(?<body>\"id\":.*\"country\":\"[^"]+\")']
    add_field => ["json_body","{%{body}}"]
  }
  json {
    source => "json_body"
    remove_field => ["message","body","json_body"]
  }
  mutate{
    add_field => ["[geoip][location]","%{[latitude]}"]
    add_field => ["[geoip][location]","%{[longitude]}"]
  }
  mutate{
    convert => ["[geoip][location]","float"]
  }
}

And the problem is in kibana geoip.location type shown as number . I need to show geoip.location as geo_point.

Can anyone give me the how to resolve this issue. I am using ELK 6.2.3

Thanks & Regards

magnusbaeck · October 3, 2018, 6:04pm

That grok filter seems like a generally bad idea (but it has nothing to do with your problem).

It's the index mappings that determine whether a field can become a geo point. What does your elasticsearch output configuration look like?

Sajith_Vijesekara · October 3, 2018, 6:08pm

Hi @magnusbaeck thanks for reply. Two days I was stuck this issue. This the full configuration file .

input {
  file{
    path => ["/home/sajith/Desktop/scripts/logstash-data/data-file.json"]
    type => "json"
    start_position => "beginning"
  }
}
filter {
  grok {
    match => ['message','(?<body>\"id\":.*\"country\":\"[^"]+\")']
    add_field => ["json_body","{%{body}}"]
  }
  json {
    source => "json_body"
    remove_field => ["message","body","json_body"]
  }
  mutate{
    add_field => ["[geoip][location]","%{[latitude]}"]
    add_field => ["[geoip][location]","%{[longitude]}"]
  }
  mutate{
    convert => ["[geoip][location]","float"]
  }
}
output {
  stdout {
    codec => rubydebug
  }
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "sample"
  }
}

magnusbaeck · October 3, 2018, 6:18pm

Your example would've worked if you'd used the default index name. When you chose the "sample" index name the index template that Logstash installs for you didn't apply. I think https://www.elastic.co/blog/geoip-in-the-elastic-stack should explain this.

Sajith_Vijesekara · October 3, 2018, 6:36pm

hi @magnusbaeck when I remove creating custom index it works . Is there any way to create custom index with geo_point data type. Anyway thanks for your help

magnusbaeck · October 3, 2018, 6:44pm

Is there any way to create custom index with geo_point data type.

Yes, I believe it's explained in the document I linked to earlier.

system · October 31, 2018, 6:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
JSON latitude/longitude to geo_point Elasticsearch	5	12500	July 5, 2017
Converting to geo_point Logstash	4	8571	April 26, 2018
Geo point in logstash Logstash	9	4337	March 6, 2017
Problem with storing coordinates as geo_point Logstash	1	514	February 10, 2017
Create geopoint data Logstash	5	5538	December 13, 2017

Logstash 6.2.3 convert json values to GeoPoint Issue

Related topics