Unable to create geo points

Dhinesh_Kumar_N · April 11, 2022, 3:42pm

Hi,

 Can any one help to configure geo points for the data which I have, I'm using live data streaming(filebeat), I the logstash configuration I have added location feed,

config:
geoip {
database => "GeoIP2-City.mmdb"
source => "IP"
target => "geoip"
fields => [ "city_name", "country_name", "continent_code", "country_code2", "location", "region_name", "region_code" ]
}

but for location output, am I getting geolocation as below

"location": {
"lat": 10.8326,
"lon": 106.6581
},

and in data view it formatted as float data type and not geo_points

geoip.geo.location.lat 20.006
geoip.geo.location.lon 77.006

Badger · April 11, 2022, 6:01pm

Fact: If you set ecs_compatibility => "disabled" then the default value for target is geoip and you will get

     "srcIp" => "161.170.230.170",
     "geoip" => {
    "location" => {
        "lon" => -97.822,
        "lat" => 37.751
    }
},

When ecs compability is disabled, the default template that an Elasticsearch output may install will contain a mapping that makes that a geo_point.

Speculation: When ecs_compatibility is enabled then target is a required field unless source has one of a small set of values. As such, since it is unclear what the target of the filter is going to be, the ecs compatible templates (which I cannot find) may not have any fields be a geo_point by default.

Answer: you need to add a template or otherwise set the mapping on the index. Note that you cannot change the type of a field once created. You will need to create a new index.

Dhinesh_Kumar_N · April 12, 2022, 7:56am

Thank you, now am able to create map with the geo points, I have created new template with geo points mappings.

system · May 10, 2022, 7:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.