After upgrading the ELK stack to 8.2 my logstash configuration file where i have defined the filters for logstash-filter-geoip have changed some key names , like victimASN.as_org is now coming as victimASN.as.organization.name . Though from kibana I can give the alternate name to the keys but still my previous visualization have stopped working and showing the error as :
Could not locate that data view (id: 55cac390-014e-11ea-95b2-770559be5cdf), [click here to re-create it]
In Logstash 8, all plugins are run in ECS compatibility v8 mode by default.
You can set on level:
Plugin
filter {
geoip {
source => "[host][ip]"
ecs_compatibility => disabled
}
}
Pipeline:
pipeline.ecs_compatibility: v8
You can set to values: disabled, v1 or v8
Thanks, doing this has solved the problem. Though I have set it from the logstash.yml file (pipeline. ecs_compatibility => disabled)
pipeline. ecs_compatibility => disabled will set value as default to all in .conf file
geoip { source => "[host][ip]" ecs_compatibility => disabled } will set only for that param
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.