I've been working this weekend to enhance the NetFlow data we feed into Elasticsearch. I successfully set up Logstash to publish GeoIP data into my index (YAY!!!), but when I try to visualize it in Kibana with a tile map I get "no results found" (boo).
Here's a sample document as Kibana's Discover view shows it (the `fields`, `highlight` and `sort` sections are part of the search hit, not of the stored `_source`):
{
"_index": "logstash-netflow-2015.11.14",
"_type": "logs",
"_id": "AVEG6NwNCPSzBia0_KOh",
"_score": null,
"_source": {
"@timestamp": "2015-11-14T16:53:54.455Z",
"netflow": {
"version": 5,
"flow_seq_num": 40141873,
"engine_type": 0,
"engine_id": 0,
"sampling_algorithm": 0,
"sampling_interval": 0,
"flow_records": 30,
"ipv4_src_addr": "74.122.204.3",
"ipv4_dst_addr": "192.168.100.71",
"ipv4_next_hop": "0.0.0.0",
"input_snmp": 5,
"output_snmp": 5,
"in_pkts": 1,
"in_bytes": 76,
"first_switched": "2015-11-14T16:53:49.455Z",
"last_switched": "2015-11-14T16:53:34.455Z",
"l4_src_port": 123,
"l4_dst_port": 123,
"tcp_flags": 0,
"protocol": 17,
"src_tos": 0,
"src_as": 0,
"dst_as": 0,
"src_mask": 0,
"dst_mask": 24
},
"@version": "1",
"host": "192.168.100.3",
"geo_ip": {
"ip": "74.122.204.3",
"country_code2": "US",
"country_code3": "USA",
"country_name": "United States",
"continent_code": "NA",
"region_name": "KS",
"city_name": "Lenexa",
"postal_code": "66219",
"latitude": 38.95060000000001,
"longitude": -94.7791,
"dma_code": 616,
"area_code": 913,
"timezone": "America/Chicago",
"real_region_name": "Kansas",
"location": [
-94.7791,
38.95060000000001
],
"coordinates": [
-94.7791,
38.95060000000001
]
}
},
"fields": {
"netflow.first_switched": [
1447520029455
],
"netflow.last_switched": [
1447520014455
],
"@timestamp": [
1447520034455
]
},
"highlight": {
"geo_ip.ip.raw": [
"@kibana-highlighted-field@74.122.204.3@/kibana-highlighted-field@"
],
"netflow.ipv4_src_addr.raw": [
"@kibana-highlighted-field@74.122.204.3@/kibana-highlighted-field@"
],
"geo_ip.ip": [
"@kibana-highlighted-field@74.122.204.3@/kibana-highlighted-field@"
],
"netflow.ipv4_src_addr": [
"@kibana-highlighted-field@74.122.204.3@/kibana-highlighted-field@"
]
},
"sort": [
1447520034455
]
}
The field list Kibana shows for this index pattern (field name and mapped type) is:
name                            type
(the format / analyzed / indexed / controls columns of Kibana's field list are omitted; each row only carried an "Edit" button there)
_index                          string
geoip.location                  geo_point
@version                        string
_source                         _source
geo_ip.ip.raw                   string
netflow.first_switched          date
netflow.ipv4_dst_addr.raw       string
geo_ip.timezone                 string
geo_ip.longitude                number
geo_ip.real_region_name         string
geo_ip.latitude                 number
netflow.dst_as                  number
netflow.in_bytes                number
geo_ip.real_region_name.raw     string
host                            string
geo_ip.region_name              string
netflow.sampling_interval       number
geo_ip.location                 number
netflow.src_mask                number
netflow.engine_id               number
netflow.ipv4_next_hop.raw       string
netflow.tcp_flags               number
geo_ip.area_code                number
geo_ip.timezone.raw             string
netflow.flow_records            number
geo_ip.postal_code.raw          string
geo_ip.ip                       string
geo_ip.city_name                string
netflow.l4_src_port             number
netflow.engine_type             number
netflow.src_tos                 number
netflow.version                 number
geo_ip.coordinates              number
netflow.sampling_algorithm      number
geo_ip.country_name             string
geo_ip.continent_code           string
geo_ip.country_code2            string
geo_ip.country_code3            string
netflow.dst_mask                number
netflow.l4_dst_port             number
geo_ip.country_name.raw         string
netflow.flow_seq_num            number
netflow.protocol                number
netflow.output_snmp             number
geo_ip.region_name.raw          string
netflow.ipv4_src_addr.raw       string
geo_ip.dma_code                 number
host.raw                        string
netflow.in_pkts                 number
netflow.last_switched           date
geo_ip.country_code3.raw        string
netflow.src_as                  number
netflow.ipv4_next_hop           string
@timestamp                      date
geo_ip.continent_code.raw       string
netflow.ipv4_dst_addr           string
geo_ip.city_name.raw            string
geo_ip.country_code2.raw        string
netflow.input_snmp              number
netflow.ipv4_src_addr           string
geo_ip.postal_code              string
I've tried deleting all of my indices and starting fresh, with no change. My ELK stack is on the latest 2.0 releases. Any ideas? One thing that stands out in the field list above: the only `geo_point` field is `geoip.location`, which my documents never write (presumably it comes from the default Logstash index template), while the field my documents do write — `geo_ip.location` — has been dynamically mapped as `number`, since it arrives as a plain array of two numbers. A tile map can only be built on a `geo_point` field, so with no documents in `geoip.location` the "no results found" result would be expected. If that is the cause, the fix would be to either name the Logstash target field `geoip` so the template's `geo_point` mapping applies, or extend the template to map `geo_ip.location` as `geo_point`, and then reindex (the mapping of an existing index cannot be changed in place).