Moved from 7.x to 8.x ... Maps stopped working

Hi!

I'm really stuck with this new geo_point stuff.
I have also read about disabling ECS compatibility mode on my pipeline but... I would rather learn the proper way to do things from now onwards. So, these are the updated geoip pipeline lines that are (still) working:

		if [clientip]  {
			geoip {
				source => "clientip"
				target => "source"
				#add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
				#add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
				add_field => [ "[geoip][coordinates]", "%{[source][geo][location][lon]}" ]
				add_field => [ "[geoip][coordinates]", "%{[source][geo][location][lat]}" ]
				id => "icecast2GeoIP"
			}
			mutate {
				convert => [ "[geoip][coordinates]", "float" ]
				id => "icecast2GeoIPMutate"
			}
		}

I have noticed all my 'geo' information now lands under the source. field, including a pair of numeric 'lat' and 'lon' fields under source.geo.location.
So far, so good...
But my Kibana maps don't find any usable geopoint data to use.

My guess is that I need to 'assemble' a geo_point field here... I feel it's close, since the data is there in the documents, but I'm failing to figure out how.

Could anyone point out the way to do that?

Thanks.
Cheers.

Alejandro.

I don't think so. From what I can see the default ECS V8 template maps [source][geo][location] as a geo_point. If it is not a geo_point then you are probably not using that template.

Take a look at your mapping and see what you need to change there. Note that changes to the template are only applied when a new index is created.

This is not something to fix in Logstash. You don't need to worry about converting strings into floats -- Elasticsearch will do that for you if it knows the field is a geo_point.
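
One way to carry out the mapping check suggested in the reply above, as an added example that is not part of the original thread: it walks a `GET <index>/_mapping` response and reports how `source.geo.location` is mapped in each index. The index names and the sample response are constructed for illustration.

```python
import json

# Constructed sample in the shape of a GET <index>/_mapping response.
# Index names are made up; the first shows a dynamically mapped {lat, lon} object.
SAMPLE_MAPPINGS = json.loads("""
{
  "icecast-dynamic-2024.01.01": {"mappings": {"properties": {
    "source": {"properties": {"geo": {"properties": {
      "location": {"properties": {"lat": {"type": "float"}, "lon": {"type": "float"}}}
    }}}}
  }}},
  "icecast-ecs-2024.01.02": {"mappings": {"properties": {
    "source": {"properties": {"geo": {"properties": {
      "location": {"type": "geo_point"}
    }}}}
  }}}
}
""")

def field_mapping(index_body, dotted_path):
    """Walk mappings.properties along a dotted field path; return the leaf mapping or None."""
    node = index_body.get("mappings", {})
    for part in dotted_path.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node

def diagnose(mapping_response, field="source.geo.location"):
    """Return {index_name: verdict} describing how `field` is mapped in each index."""
    report = {}
    for index, body in mapping_response.items():
        leaf = field_mapping(body, field)
        if leaf is None:
            report[index] = "missing"
        elif leaf.get("type") == "geo_point":
            report[index] = "geo_point"
        elif "properties" in leaf:
            # An object with numeric sub-fields is not usable as a geo_point in Maps.
            subs = ", ".join(f"{k}:{v.get('type')}" for k, v in sorted(leaf["properties"].items()))
            report[index] = f"object ({subs})"
        else:
            report[index] = f"other ({leaf.get('type')})"
    return report

if __name__ == "__main__":
    for index, verdict in diagnose(SAMPLE_MAPPINGS).items():
        print(f"{index}: {verdict}")
```

Feed it the JSON returned by `GET <your-index>/_mapping`. An index reported as `object (...)` keeps that mapping, so a corrected template only shows up in an index created afterwards.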