Template with order 1 not applied

Melpheos · January 6, 2017, 4:35pm

I am desesperatly trying to get elasticsearch indexing some field in geo_point format but my template is ignored
Data comes from our fortigate firewall and i'm receiving all the geoip information properly in elasticsearch as expected but *.location is not indexed as geo_point

I'm using the following template and according to the documentation it should be applied last

As you can see there is nothing special about it and it should apply to all index with logstash-* but that's not the case. I have tried with template: "*" with the same result.
I have also tried to add default but then the PUT command gets lots of error and can't parse it.
We are using the latest version of logstash/ES.

If anyone has an idea of what i'm doing wrong but i'm struggling with that for days now without any progress :-/

Melpheos · January 9, 2017, 12:45pm

Finaly managed to have it working as i wish and i now have the proper mapping working.
For some reason the mapping would not apply so i had to create a new _template with the following

{
"logstash-": {
"order": 0,
"version": 50001,
"template": "logstash-",
"settings": {
"index": {
"refresh_interval": "5s"
}
},
"mappings": {
"default": {
"dynamic_templates": [
{
"message_field": {
"path_match": "message",
"mapping": {
"norms": false,
"type": "text"
},
"match_mapping_type": "string"
}
},
{
"string_fields": {
"mapping": {
"norms": false,
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"match_mapping_type": "string",
"match": "*"
}
}
],
"_all": {
"norms": false,
"enabled": true
},
"properties": {
"tra_geoip": {
"dynamic": true,
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
},
"dst_geoip": {
"dynamic": true,
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
},
"@timestamp": {
"include_in_all": false,
"type": "date"
},
"geoip": {
"dynamic": true,
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
},
"@version": {
"include_in_all": false,
"type": "keyword"
},
"src_geoip": {
"dynamic": true,
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
}
}
}
},
"aliases": {}
}
}

Request can be closed. Hope this will help some people

system · February 6, 2017, 12:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.