Logstash Data not visible on coordinate map

Venkatesan_S_Venkate · June 23, 2018, 6:33am

I created the .conf file and executed through the log stash. It filters using the geo ip.

It creates the data according to requirement.

When I open Kibana and try to visualise in the coordinate map it is not visible even after choosing location in geopoint. I created the template on the console for the index eve then it is not visible.

When I try to create an index through console and visualise the map then it shows in the map.

I could not figure out the problem

Christian_Dahlqvist · June 23, 2018, 6:38am

Can you share the mappings and structure of the indices you are talking about?

Venkatesan_S_Venkate · June 23, 2018, 6:41am

Template

PUT /_template/template_name
{
"order": 0,
"index_patterns": "logstash*",
"settings": {},
"mappings": {
"default": {
"properties": {
"location": {
"type": "geo_point"
}
}
}
}
}

conf file

input {
file {

type => "geo_point"

path => "/Users/iiita/elk/example/aa.csv"
start_position => "beginning"
sincedb_path => "/dev/null"
}

stdin {}

}
filter {

     csv {

            separator => ","
         columns => ["HostIP"]
     }
     geoip{
         source => "HostIP"

     }

}

output {
elasticsearch {
hosts => ["http://localhost:9200"]
index => ["logstash-venkat"]
}
stdout{
codec => rubydebug
}
}

Christian_Dahlqvist · June 23, 2018, 6:43am

The geoip plugin stores the location in geoip.location and not just location which what you have specified in your mapping. Get the mapping from the actual index (not the template) and check what the mapping for the relevant fields are.

Venkatesan_S_Venkate · June 23, 2018, 6:50am

can you tell me the way to write mapping the in actual index. when i write in the index mapping on the console it shows type already there

Christian_Dahlqvist · June 23, 2018, 6:55am

What does the actual mapping look like?

Venkatesan_S_Venkate · June 23, 2018, 6:56am

PUT logstash-venkat/_mapping/my_type
{
"my_type": {
"properties": {
"geoip.location": {
"type": "geo_point"
}
}
}
}

Venkatesan_S_Venkate · June 23, 2018, 6:58am

PUT logstash-venkat
{
"mappings": {
"doc": {
"properties": {
"location": {
"type": "geo_point"
}
}
}
}
}

Message

#! Deprecation: [default] mapping is deprecated since it is not useful anymore now that indexes cannot have more than one type
{
"acknowledged": true,
"shards_acknowledged": true,
"index": "logstash-venkat"
}

Christian_Dahlqvist · June 23, 2018, 6:59am

Which version of Elasticsearch are you using?

Venkatesan_S_Venkate · June 23, 2018, 6:59am

6.3.0

Christian_Dahlqvist · June 23, 2018, 7:11am

That looks potentially incorrect. Set the mapping like this:

PUT logstash-venkat/_mapping/my_type
{
  "properties": {
    "geoip": {
      "properties": {
        "location": {
          "type": "geo_point"
        }
      }
    }
  }
}

Venkatesan_S_Venkate · June 23, 2018, 7:22am

Following error comes out

{
"error": {
"root_cause": [
{
"type": "illegal_argument_exception",
"reason": "Rejecting mapping update to [logstash-venkat] as the final mapping would have more than 1 type: [logs, my_type]"
}
],
"type": "illegal_argument_exception",
"reason": "Rejecting mapping update to [logstash-venkat] as the final mapping would have more than 1 type: [logs, my_type]"
},
"status": 400
}

Christian_Dahlqvist · June 23, 2018, 7:23am

Yes, you can not change the mapping of an existing index, so will need to drop and recreate it.

Venkatesan_S_Venkate · June 23, 2018, 7:31am

PUT logstash-venkat

PUT logstash-venkat/_mapping/my_type
{
"properties": {
"geoip": {
"properties": {
"location": {
"type": "geo_point"
}
}
}
}
}

this works fine

when I ran bin/logstash -f logstash-venkat.conf

this gives the problem.

If I first run bin/logstash -f logstash-venkat.conf
it works fine.

afterwards when I run the second mapping then it shows error.

Venkatesan_S_Venkate · June 23, 2018, 8:13am

Now I got this error

{
"error": {
"root_cause": [
{
"type": "illegal_argument_exception",
"reason": "mapper [geoip.location] of different type, current_type [float], merged_type [geo_point]"
}
],
"type": "illegal_argument_exception",
"reason": "mapper [geoip.location] of different type, current_type [float], merged_type [geo_point]"
},
"status": 400
}

Christian_Dahlqvist · June 23, 2018, 8:28am

Stop indexing, delete and recreate the index with the correct mapping and the restart indexing. Or even better - create an index template with the correct mapping so it is automatically applied when a new index is created.

Venkatesan_S_Venkate · June 23, 2018, 10:25am

I got it after creating the following template

PUT _template/logstash
{
"index_patterns": "logstash-*",
"settings": {
"number_of_replicas": 1,
"number_of_shards": 2
},
"mappings": {
"log": {
"dynamic": "true",
"properties": {
"geoip": {
"dynamic": true,
"properties": {
"location": {
"type": "geo_point"
}
}
}
}
}
}
}

system · July 21, 2018, 10:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.