Hi
I'm trying to get two geoip lookups working. I found the target option in the manpages, but now I'm stuck with the Elastic template. It seems that the mapping from the JSON template is not applied.

    "mappings": {
      "properties": {
        "ip_src": {
          "type": "object",
          "dynamic": true,
          "properties": {
            "location": { "type": "geo_point" },
            "latitude": { "type": "half_float" },
            "longitude": { "type": "half_float" },
            "ip": { "type": "ip" }
          }
        },
        "ip_dst": {
          "type": "object",
          "dynamic": true,
          "properties": {
            "location": { "type": "geo_point" },
            "latitude": { "type": "half_float" },
            "longitude": { "type": "half_float" },
            "ip": { "type": "ip" }
          }
        },

My filter in Logstash looks like this:

    if "" in [ipto] {
      geoip {
        source => "ipto"
        target => "ip_dst"
      }
      mutate {
        replace => [ "type", "connection" ]
      }
    }
    if "" in [ipfrom] {
      geoip {
        source => "ipfrom"
        target => "ip_src"
      }
      mutate {
        replace => [ "type", "connection" ]
      }
    }

And the relevant part from the output:

    if [type] == "connection" {
      elasticsearch {
        index => "connection-%{+YYYY.MM.dd}"
        hosts => "localhost:9200"
        manage_template => true
        template_overwrite => true
        template => "/etc/logstash/config/templates/connection.json"
        template_name => "connection"
      }
    }

I deleted the template from Elastic and installed it again to be sure, but this does not work in my case. The fields are always mapped as the wrong type (e.g. ip_src.ip is of type string and ip_src.location is not present at all). I have other indices where I use geoip without target, and there it works fine with all mappings.
Any idea what I'm missing? Thanks for any help.