The "sonic-traffic" index pattern does not contain any of the following field types: geo_point

legolas_bilbao · February 14, 2018, 5:15pm

Good morning,

I've come back to test Elasticsearch and its works like i like but the option of geoip doesnt work.

Logstash filter file

if [type]=="sonicwall"{

             kv {
                    exclude_keys => [ "c", "id", "m", "n", "pri" ]
            }
            grok {
                    match => [ "src", "%{IP:srcip}:%{NUMBER:srcPort}:(?<srcInterfaz>X[0-9][-]V[0-9]{1,3}|X[0-9])" ]
            }
            grok {
                    match => [ "dst", "%{IP:dstip}:%{NUMBER:dstPort}:(?<dstInterfaz>X[0-9][-]V[0-9]{1,3}|X[0-9])" ]
            }
    }
    geoip {
             source => "dstip"
             add_tag => [ "DSTgeoip" ]
             add_field => [ "[DSTgeoip][coordinates]", "%{[geoip][longitude]}"]
             add_field => [ "[DSTgeoip][coordinates]", "%{[geoip][latitude]}" ]
          }

Template

"geoip" : {
"dynamic": true,
"properties" : {
"ip": { "type": "ip" },
"location" : { "type" : "geo_point" },
"latitude" : { "type" : "half_float" },
"longitude" : { "type" : "half_float" }
}
}

Going to the kibana index

compare with the tutorial in the tutorial coordinates appears between and in my model no.

any idea what im doing wrong?

magnusbaeck · February 18, 2018, 2:10pm

Your index template configures [geoip][location] to be a geo_point field. If you want [DSTgeoip][coordinates] to be a geo_point field you need to adjust your template accordingly.

system · March 18, 2018, 2:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.