Unable to create Region Map Visualization

APJ · July 12, 2018, 6:34pm

Hi all,

I am trying to create a Region Map visualization on Kibana using the IP addresses present in the log. I downloaded a sample of apache access log from the following link Apache access log

I was able to successfully ingest the file's log data into Logstash and parse the log data into Elasticsearch. These are the fields in the index pattern created.

The json response of the same looks like this after executing the query GET logstash-2018.07.07/_mapping

{
  "logstash-2018.07.07": {
    "mappings": {
      "doc": {
        "dynamic_templates": [
          {
            "message_field": {
              "path_match": "message",
              "match_mapping_type": "string",
              "mapping": {
                "norms": false,
                "type": "text"
              }
            }
          },
          {
            "string_fields": {
              "match": "*",
              "match_mapping_type": "string",
              "mapping": {
                "fields": {
                  "keyword": {
                    "ignore_above": 256,
                    "type": "keyword"
                  }
                },
                "norms": false,
                "type": "text"
              }
            }
          }
        ],
        "properties": {
          "@timestamp": {
            "type": "date"
          },
          "@version": {
            "type": "keyword"
          },
          "geoip": {
            "dynamic": "true",
            "properties": {
              "ip": {
                "type": "ip"
              },
              "latitude": {
                "type": "half_float"
              },
              "location": {
                "type": "geo_point"
              },
              "longitude": {
                "type": "half_float"
              }
            }
          },
          "host": {
            "type": "text",
            "norms": false,
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "message": {
            "type": "text",
            "norms": false
          },
          "path": {
            "type": "text",
            "norms": false,
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          }
        }
      },
      "_default_": {
        "dynamic_templates": [
          {
            "message_field": {
              "path_match": "message",
              "match_mapping_type": "string",
              "mapping": {
                "norms": false,
                "type": "text"
              }
            }
          },
          {
            "string_fields": {
              "match": "*",
              "match_mapping_type": "string",
              "mapping": {
                "fields": {
                  "keyword": {
                    "ignore_above": 256,
                    "type": "keyword"
                  }
                },
                "norms": false,
                "type": "text"
              }
            }
          }
        ],
        "properties": {
          "@timestamp": {
            "type": "date"
          },
          "@version": {
            "type": "keyword"
          },
          "geoip": {
            "dynamic": "true",
            "properties": {
              "ip": {
                "type": "ip"
              },
              "latitude": {
                "type": "half_float"
              },
              "location": {
                "type": "geo_point"
              },
              "longitude": {
                "type": "half_float"
              }
            }
          }
        }
      }
    }
  }
}

I want to create a Region Map using the IP addresses to show the corresponding locations on the map. I tried doing, but I am unable to create any visualization. It only shows a blank map.

I've been trying very hard to create a map visualization. Can someone please help me out?

warkolm · July 12, 2018, 7:36pm

Do you have the right time period selected (to right) to make sure data will be visible?

APJ · July 12, 2018, 8:59pm

Yes, I did. It is still doesn't show up. Do I have to install additional plugins or change the configuration of logstash for GeoIP?

warkolm · July 12, 2018, 9:00pm

Can you see the documents in Discover?

APJ · July 12, 2018, 10:18pm

I followed this tutorial GeoIP

However, I did not use Filebeat as I am directly ingesting apache files into logstash. Is the below configuration right?

input {
  file {
    path => "E:\elk\logstash\apache_logs"
    start_position => "beginning"
  }
}

filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
  geoip {
      source => "clientip"
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
}

What should my clientip be?

system · August 9, 2018, 10:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.