Problem with geoip.location field conflict

ruby · February 1, 2017, 8:55am

hello,

I am facing an issue with the geoip.location.

This is the error screen shot

The filebeat indexed template is

{
  "mappings": {
    "_default_": {
      "_all": {
        "enabled": true,
        "norms": {
          "enabled": false
        }
      },
      "dynamic_templates": [
        {
          "template1": {
            "mapping": {
              "doc_values": true,
              "ignore_above": 1024,
              "index": "not_analyzed",
              "type": "{dynamic_type}"
            },
            "match": "*"
          }
        }
      ],
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "message": {
          "type": "string",
          "index": "analyzed"
        },
        "offset": {
          "type": "long",
          "doc_values": "true"
        },
        "geoip"  : {
          "dynamic": true,
          "properties" : {
            "location" : { "type" : "geo_point" }
          }
        }
      }
    }
  },
  "settings": {
    "index.refresh_interval": "5s"
  },
  "template": "filebeat-*"
}

cjcenizal · February 1, 2017, 11:44pm

Hi there,

I think you have a mapping conflict. Can you click the "Edit" icon for the field to see the types it's being mapped to for each index? To solve this problem, you'll have to re-index the data that's not actually a geo_point type.

Does this help? Also, you might try cross-posting in the Beats forum if you have further Beats-related questions.

Thanks,
CJ

andrewkroh · February 1, 2017, 11:55pm

In addition you might want to consider using the standard template that is provided by Filebeat and then "layer" on an additional template for the geoip field like:

PUT _template/filebeat-1
{
  "order": 1,
  "template": "filebeat-*",
  "mappings": {
    "_default_": {
      "properties": {
        "geoip"  : {
          "properties" : {
            "location" : { "type" : "geo_point" }
          }
        }
      }
    }
  }
}

Re-indexing is covered here. Basically you find the indices that aren't using the geo_point type and reindex them, then delete the old index. Like

POST _reindex
{
  "source": {
    "index": "filebeat-2017.01.12"
  },
  "dest": {
    "index": "filebeat-2017.01.12a"
  }
}

Then once the operation is successful you can delete the old index. Then refresh the kibana mapping and the conflicts should be resolved.

system · March 1, 2017, 11:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.