Template mapping examples not clear for geoip

I have tried searching the web for answers but lately it seems that most search engines return completely unrelated results. Therefore I registered so I can ask real people for some help.

The instructions here: https://www.elastic.co/blog/logstash_lesson_elasticsearch_mapping

Are great up to the point where I have a .json file that is improperly formatted. Without an example of a complete mapping I can't seem to fit those code snippets in the proper order with correct syntax. In short, it's unclear to me how to copy/pasta those examples into a valid .json file.

Curl fails with:

  {
    "error": {
      "reason": "request body is required",
      "root_cause": [
        {
          "reason": "request body is required",
          "type": "parse_exception"
        }
      ],
      "type": "parse_exception"
    },
    "status": 400
  }

All I really want to do at this point is set the data type for the location or geopoint field which as I understand is a concatenation of lat/long.

If anyone can point me in the right direction I would really appreciate the help. Also, I apparently have a lot to learn about json format so any pointers there would be great too.

Thanks!

This thread might help.

Thank you Badger! That did in fact work to create the mapping to data type; however, my field (geoip.coordinates) which is a concatenation of geoip.latitude and geoip.longitude is not .

I will keep stumbling through it. My IQ is just too low to be messing with this. I guess Burger King needs some janitors.

Thank you for your response Badger ;-D

Can you call your field just "geoip"? That field is mapped as a geo_point by the default mapping.

I changed it to the following:

  geoip {
    source => "clientip"
    target => "geoip"

    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_tag => [ "apache-geoip" ]
  }

I say the field is "geoip.coordinates" because that's how the two lat/long points "merged" into one field (named geoip.coordinates).

Can you tell anything from this filter rule in logstash/conf.d/12-apache_filter.conf?

Maybe this is working now. I have a field named geoip.location and it's now being populated with coordinates like so:

{
"lon": -97.822,
"lat": 37.751
}

This may be what I've been looking for. Thank you for your help Badger!
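
The geo_point forms that come up in this thread, as an added example that is not part of any post above: a small Python check that reads the object form (as in geoip.location), the "lat,lon" string form and the [lon, lat] array form, and shows what happens when an array is built latitude-first. The function names and sample values are constructed for illustration; it assumes two add_field lines on the same field yield a two-element array of strings in the order written, and it does not handle the geohash or WKT forms.

```python
# Added example (not from the thread): read a geo_point value in three of its
# accepted forms and range-check the result. Names here are hypothetical.

def parse_geo_point(value):
    """Return (lat, lon) as floats, or raise ValueError/KeyError/TypeError."""
    if isinstance(value, dict):                  # {"lat": .., "lon": ..}
        lat, lon = value["lat"], value["lon"]
    elif isinstance(value, str):                 # "lat,lon"
        parts = value.split(",")
        if len(parts) != 2:
            raise ValueError(f"expected 'lat,lon', got {value!r}")
        lat, lon = parts
    elif isinstance(value, (list, tuple)) and len(value) == 2:
        lon, lat = value                         # array form is [lon, lat]
    else:
        raise ValueError(f"unsupported geo_point form: {value!r}")
    lat, lon = float(lat), float(lon)            # add_field values arrive as strings
    if not -90.0 <= lat <= 90.0:
        raise ValueError(f"latitude {lat} out of range")
    if not -180.0 <= lon <= 180.0:
        raise ValueError(f"longitude {lon} out of range")
    return lat, lon


def check(value):
    """Return the parsed point, or a short rejection message."""
    try:
        return parse_geo_point(value)
    except (ValueError, KeyError, TypeError) as exc:
        return f"rejected: {exc}"


# Constructed samples built from the coordinates shown in the thread.
SAMPLES = {
    "object (geoip.location)": {"lon": -97.822, "lat": 37.751},
    "string 'lat,lon'": "37.751,-97.822",
    "array [lon, lat]": ["-97.822", "37.751"],
    "array [lat, lon] (order in the posted filter)": ["37.751", "-97.822"],
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(f"{label:48} -> {check(sample)}")
```

A latitude-first array whose two values both fall within ±90 passes the range check and is simply placed at the wrong spot on the map, so the order is worth checking against a known address.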
