Template mapping examples not clear for geoip

CharlieBrown · January 25, 2019, 11:31pm

I have tried searching the web for answers but lately it seems that most search engines return completely unrelated results. Therefore I registered so I can ask real people for some help.

The instructions here: https://www.elastic.co/blog/logstash_lesson_elasticsearch_mapping

Are great up to the point where i have a .json file that is improperly formatted. Without an example of a complete mapping I can't seem to fit those code snippets in the proper order with correct syntax. In short, it's unclear to me how to copy/pasta those examples into a valid .json file.

Curl fails with :
{
"error": {
"reason": "request body is required",
"root_cause": [
{
"reason": "request body is required",
"type": "parse_exception"
}
],
"type": "parse_exception"
},
"status": 400
}

all I really want to do at this point is set the data type for the location or geopoint field which as I understand is a concatenation of lat/long.

If anyone can point me in the right direction I would really appreciate the help. Also, I apparently have a lot to learn about json format so any pointers there would be great too.

Thanks!

Badger · January 26, 2019, 1:14am

This thread might help.

CharlieBrown · January 28, 2019, 5:30pm

Thank you Badger! That did in fact work to create the mapping to data type however, my field (geoip.coordinates) which is a concatenation of geoip.latitude and geoip.longitude is not .

I will keep stumbling through it. My IQ is just too low to be messing with this. I guess Burger King needs some janitors.

Thank you for your response Badger ;-D

Badger · January 28, 2019, 5:36pm

Can you call your field just "geoip"? That field is mapped as a geo_point by the default mapping.

CharlieBrown · January 28, 2019, 5:48pm

I changed it to the following:

  geoip {
     source => "clientip"
     target => "geoip"

add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_tag => [ "apache-geoip" ]
}

I say the field is "geoip.coordinates" because that's how the two lat/long points "merged" into one field (named geoip.coordinates)

Can you tell anything from this filter rule in logstash/conf.d/12-apache_filter.conf ?

CharlieBrown · January 28, 2019, 5:55pm

Maybe this is working now. I have a field named geoip.location and it's now being populated with coordinates like so:

{
"lon": -97.822,
"lat": 37.751
}

This may be what I've been looking for. Thank you for your help Badger!

system · February 25, 2019, 5:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can Anyone tell each and every step of how to use geoIP with logstash and kibana? Logstash	12	1920	October 24, 2017
Geoip: How to map any index to a template? Logstash	2	574	July 13, 2017
Exactly - how to map geoip.location to geo_point- WTF! Elasticsearch	6	2919	January 10, 2017
No geo_point fields logstash 6 Logstash	28	6911	March 3, 2018
Mapping Issues With GeoIP Logstash	6	534	February 27, 2018

Template mapping examples not clear for geoip

Related topics