Missing Geo_point field in geohash aggregate -! Kibana 4.5


(Bob Metelsky) #1

Guys, having a heck of a time creating a simple tile map

All files and configuration are here:
https://sites.google.com/site/developtroubleshooting/elastic-geoip

I'm having a presentation tomorrow and I need to get a tile map by location.

Under a lot of pressure to make this work

Thanks
Bob


(Anh) #2

Try replacing your geoip filter in Logstash config

    geoip {
      source => "clientip"
      target => "geoip"
      database => "/etc/logstash/conf.d/GeoLiteCity.dat"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float"]
    }

with this config

    geoip {
      source => "clientip"
      target => "geoip"
    }

Your mapping is ok so far, but you may have to delete existing indexes if you see field conflict error.

Start to send logs to Logstash again, and if you see something like this in the stdout, the geoip.location can be used in your Tile map.

geoip.location: [-78.1704, 38.71629999999999]

Make sure that geoip.location is mapped as geo_point in your index.


(Anh) #3

Actually, your config seems to work too, as I see the geoip.location field contains appropriate data

"location" => [
            [0] -96.7885,
            [1] 39.08879999999999
        ]

However, the mapping for that field in Elasticsearch according to your link is number. It should be geo_point.


(Bob Metelsky) #4

Hi, appreciate the help...

Made the suggested changes to the logstash.conf file, getting the same error

I get the geoip.location

better data :) same error...

see error image, new conf file and output file
https://sites.google.com/site/developtroubleshooting/elastic-geoip/mapping2


(Bob Metelsky) #5

Hi - Also I'm not sure what you mean with this...

"Make sure that geoip.location is mapped as geo_point in your index"

How is that done?


(Bob Metelsky) #6

Also not sure what you mean with this...
"Make sure that geoip.location is mapped as geo_point in your index"
How is that done?


(Anh) #7

I think the issue is that the mappings you specify in your elasticsearch-output-plugin, which is template => "/etc/logstash/conf.d/elasticsearch-apache-weblogs-geoip.json", are not applied to your index named bob.

Please try again with this output config for Logstash

    output {
      stdout { codec => rubydebug }
      elasticsearch {
        index => "apache-weblogs-geoip2"
        hosts => ["t400:9200"]
        manage_template => true
        template => "/etc/logstash/conf.d/elasticsearch-apache-weblogs-geoip.json"
        template_name => "apache-weblogs-geoip"
      }
    }

I believe you are on Elasticsearch 2.x. If so, you can install the Kopf plugin https://github.com/lmenezes/elasticsearch-kopf to your elasticsearch to add and manage index mapping templates. More about mappings: https://www.elastic.co/guide/en/elasticsearch/guide/current/mapping-intro.html.

Your current mapping for geo.location is number

but it is supposed to be geo_point like this


(Anh) #8

I wrote this guide about geoip a while ago: http://www.secureict.info/2015/11/process-netflow-with-nprobe-and_20.html. I hope it clarifies how to map geo_point fields.
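
Added example (not part of the original thread or any poster's code): a Python check of the two conditions discussed in replies #3 and #7, namely whether the index template's name pattern covers the index and whether geoip.location ended up as geo_point. The mapping samples, the document type `apache` and the template pattern `apache-weblogs-geoip*` are constructed assumptions, since the thread does not show the template file's contents.

```python
import fnmatch

# Constructed sample of GET /bob/_mapping on Elasticsearch 2.x: the [lon, lat]
# array was mapped dynamically, so location is double (Kibana shows "number").
BOB_MAPPING = {"bob": {"mappings": {"apache": {"properties": {
    "clientip": {"type": "string"},
    "geoip": {"properties": {"location": {"type": "double"}}}}}}}}

# Constructed sample of an index created after the template matched.
GOOD_MAPPING = {"apache-weblogs-geoip2": {"mappings": {"apache": {"properties": {
    "geoip": {"properties": {"location": {"type": "geo_point"}}}}}}}}

# Assumed template content; the "template" key is the 2.x index-name glob.
TEMPLATE = {"template": "apache-weblogs-geoip*", "mappings": {"_default_": {
    "properties": {"geoip": {"properties": {"location": {"type": "geo_point"}}}}}}}


def field_type(mapping_response, index, path):
    """Map each document type in the index to the ES type of a dotted field path."""
    found = {}
    for doc_type, node in mapping_response[index]["mappings"].items():
        for part in path.split("."):
            node = (node or {}).get("properties", {}).get(part)
        # Missing field -> None; object without explicit type -> "object".
        found[doc_type] = None if node is None else node.get("type", "object")
    return found


def template_applies(template, index):
    """True if the template's index-name glob covers this index."""
    return fnmatch.fnmatchcase(index, template["template"])


def diagnose(mapping_response, template, index, path="geoip.location"):
    """Return a list of reasons a Kibana tile map cannot use `path` in `index`."""
    problems = []
    if not template_applies(template, index):
        problems.append("template pattern %r does not match index %r"
                        % (template["template"], index))
    for doc_type, es_type in field_type(mapping_response, index, path).items():
        if es_type != "geo_point":
            problems.append("%s.%s is %s, not geo_point" % (doc_type, path, es_type))
    return problems


if __name__ == "__main__":
    print(diagnose(BOB_MAPPING, TEMPLATE, "bob"))
    print(diagnose(GOOD_MAPPING, TEMPLATE, "apache-weblogs-geoip2"))
```

On a live 2.x cluster the two inputs come from `GET /<index>/_mapping` and `GET /_template/<template_name>`.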

