Template Creation for type geo_point in logstash

Elastic Stack Logstash
1

Hi,

I have a csv file which contains Latitude_(A),Longitude_(A),Latitude_(B),Longitude_(B) fields. I want to use this data to put on coordinate map in Kibana.

I tried with following configuration:
mutate {
convert => { "Latitude_(A)" => "float" }
convert => { "Longitude_(A)" => "float" }
convert => { "Latitude_(B)" => "float" }
convert => { "Longitude_(B)" => "float" }
}

  mutate {
      rename => {
          "Latitude_(A)" => "[location][lat]"
          "Longitude_(A)" => "[location][lon]"
           "Latitude_(B)" => "[location][lat]"
          "Longitude_(B)" => "[location][lon]"
      }
  }

I tried to create a template for converting this to geo_point , like below:

"location" : { "type": "geo_point"}.

But I am not sure how to exactly use this template. Where should I keep this template?

Thanks,

2

That's not valid, you will need two geopoint fields if you have two sets of coordinates. Otherwise it just over writes the first set.

3

Thanks Mark for responding. Yes, I just checked in Kibana and it is overriding the previous one. Can you please help me out to setting up this? How can we provide two geopoint fields?

Thanks,

4

Create another mutate + rename for the second location and you should be fine.

5

Thanks Mark, after putting another block for mutate+rename I can see now both the pair of lat/long but still I am not able to see them on the co-ordinate map. I see the following error:

"The "mapdata" index pattern does not contain any of the following field types: geo_point"

Following is the snapshot for the lat/longs captured:

image
image.png940×450 15.5 KB

6

Ok great! Now let's make a change to the config;

mutate {
  add_field => [ "[location][coordinates]", "%{[location][lon]}" ]
  add_field => [ "[location][coordinates]", "%{[location][lat]}"  ]
}

This creates a single location.coordinates field, which Kibana needs.

Once you have that working we can look at the mapping.

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.