Hi folks!
Just thinking about whether there is any chance to perform visualization on the world map in case I'm manipulating a domain name or internal IP?
Any mechanism to do that?
Creating geoip data for internal networks is the best way I have seen to do this.
Awesome, thanks!
But I still get an issue with the mapping type:
{
  "proc-events-2017.09.30": {
    "aliases": {},
    "mappings": {
      "proc-events": {
        "properties": {
          "@timestamp": { "type": "date" },
          "geoip": {
            "properties": {
              "location": { "type": "float" },
              ...
}
How do I correctly change the 'location' mapping to be a 'geo_point' type by default, or at least change it afterwards?
In conf.d/proc:
...
geoip {
  source => "src_ip"
  target => "geoip"
}
if [src_ip] =~ /^10.51.4/ or [src_ip] =~ /^10.51.5/ or [src_ip] =~ /^10.51.6/ {
  mutate { replace => { "[geoip][timezone]" => "Pacific" } }
  mutate { replace => { "[geoip][reg]" => "us" } }
  mutate { remove_field => [ "[geoip][location]" ] }
  mutate { add_field => { "[geoip][location]" => "-121.867905" } }
  mutate { add_field => { "[geoip][location]" => "37.279518" } }
  mutate { convert => [ "[geoip][location]", "float" ] }
  mutate { replace => { "[geoip][latitude]" => 37.279518 } }
  mutate { convert => [ "[geoip][latitude]", "float" ] }
  mutate { replace => { "[geoip][longitude]" => -121.867905 } }
  mutate { convert => [ "[geoip][longitude]", "float" ] }
}
...
But in case I put it as:
mutate { convert => [ "[geoip][location]", "geo_point" ] }
I got an error.
In my output:
...
manage_template => false
...
What does the mapping on the field show?
"geoip": {
  "properties": {
    "location": {
      "type": "float"
    },
The case is fixed with separate template creation and assignment to upcoming indexes.
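The fix described in the last post, sketched as an index template body to PUT to `_template/proc-events` (an added example, not taken from the original posts). It assumes the Elasticsearch 5.x legacy template syntax, inferred from the mapping type shown in the output above; the template name and the `proc-events-*` index pattern are also assumptions.

```json
{
  "template": "proc-events-*",
  "mappings": {
    "proc-events": {
      "_meta": {
        "note": "Added example: template name, index pattern and ES 5.x syntax are assumptions"
      },
      "properties": {
        "@timestamp": { "type": "date" },
        "geoip": {
          "properties": {
            "location": { "type": "geo_point" },
            "latitude": { "type": "float" },
            "longitude": { "type": "float" }
          }
        }
      }
    }
  }
}
```

A template is applied only when an index is created, so the existing `proc-events-2017.09.30` keeps its `float` mapping and the next daily index picks up `geo_point`. A two-element array in a `geo_point` field is read as `[lon, lat]`, which matches the order of the two `add_field` calls in the posted filter.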