Hi folks!
Just thinking about whether there is any way to perform visualization over the world map in case I'm manipulating a domain name or internal IP?
Any mechanism to do that?
Awesome, thanks!
, but I still get an issue with the mapping type:
{
  "proc-events-2017.09.30": {
    "aliases": {},
    "mappings": {
      "proc-events": {
        "properties": {
          "@timestamp": { "type": "date" },
          "geoip": {
            "properties": {
              "location": { "type": "float" },
              ...
}
How do I correctly change the 'location' mapping to be a 'geo_point' type by default, or at least change it afterwards?
in conf.d/proc:
...
geoip {
  source => "src_ip"
  target => "geoip"
}
# Dots are escaped so that "." matches only a literal dot in the address
if [src_ip] =~ /^10\.51\.4/ or [src_ip] =~ /^10\.51\.5/ or [src_ip] =~ /^10\.51\.6/ {
  mutate { replace => { "[geoip][timezone]" => "Pacific" } }
  mutate { replace => { "[geoip][reg]" => "us" } }
  # Rebuild location as a two-element array: [longitude, latitude]
  mutate { remove_field => [ "[geoip][location]" ] }
  mutate { add_field => { "[geoip][location]" => "-121.867905" } }
  mutate { add_field => { "[geoip][location]" => "37.279518" } }
  mutate { convert => [ "[geoip][location]", "float" ] }
  mutate { replace => { "[geoip][latitude]" => 37.279518 } }
  mutate { convert => [ "[geoip][latitude]", "float" ] }
  mutate { replace => { "[geoip][longitude]" => -121.867905 } }
  mutate { convert => [ "[geoip][longitude]", "float" ] }
}
...
, but if I put it as:
mutate { convert => [ "[geoip][location]", "geo_point" ] }
I got an error
in my output:
...
manage_template => false
...
What does the mapping on the field show?
"geoip": {
  "properties": {
    "location": {
      "type": "float"
    },
The case is fixed with separate template creation and assignment to upcoming indexes.
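The fix described in the last post, sketched as an added example (not code from the thread): a template body that maps `geoip.location` as `geo_point` for new `proc-events-*` indices, a check of what type an existing index actually has, and a check that the event's location array is in `[lon, lat]` order. The function names, the index pattern and the Elasticsearch 5.x template syntax are assumptions; an existing index keeps its `float` mapping, so the template only takes effect on indices created after it is installed.

```python
import json

# Constructed from the mapping output quoted in the thread (trimmed to the field).
SAMPLE_MAPPING = {"proc-events-2017.09.30": {"mappings": {"proc-events": {
    "properties": {"geoip": {"properties": {"location": {"type": "float"}}}}}}}}

def build_template(pattern="proc-events-*", doc_type="proc-events"):
    """Body for PUT _template/<name> (the name is the reader's choice).

    Assumption: Elasticsearch 5.x legacy template; on 6.x replace the
    "template" key with "index_patterns": [pattern].
    """
    location = {"type": "geo_point"}
    return {
        "template": pattern,
        "mappings": {doc_type: {"properties": {
            "geoip": {"properties": {"location": location}}}}},
    }

def location_type(mapping_response, field="geoip.location"):
    """Map each index in a GET <index>/_mapping response to the field's type."""
    found = {}
    for index, body in mapping_response.items():
        for type_mapping in body.get("mappings", {}).values():
            node = type_mapping
            for part in field.split("."):
                node = node.get("properties", {}).get(part, {})
            found[index] = node.get("type")
    return found

def valid_geo_point_array(value):
    """geo_point arrays are [lon, lat]; reject wrong shape or out-of-range values."""
    if not (isinstance(value, list) and len(value) == 2):
        return False
    if not all(isinstance(v, (int, float)) for v in value):
        return False
    lon, lat = value
    return -180 <= lon <= 180 and -90 <= lat <= 90

if __name__ == "__main__":
    print(location_type(SAMPLE_MAPPING))   # type the existing index has
    print(json.dumps(build_template(), indent=2))
    print(valid_geo_point_array([-121.867905, 37.279518]))
```

With `manage_template => false` in the Logstash output, as in the thread, the template has to be installed in Elasticsearch separately before the next daily index is created.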