I know I'm missing something simple, I have an index built from my firewall log events and in Kibana/Discover I have a SourceIPGeo.location.lat and SourceIPGeo.location.lon but when I try to make a map visualization I get the dreaded no geo_point found in index. Would SourceIPGeo.location be the geo_point? In my index management screen I see the two lat and lon fields listed as numbers but no entry for the SourceIPGeo.location field, it's like that field isn't being treated as a field.
I'd suggest you have a look at https://www.elastic.co/blog/geoip-in-the-elastic-stack (shameless plug) as it's got a few approaches to solving this.
But you need a single point that has been appropriately mapped, and it looks like you have two individual fields.
I have eight fields 
DestinationIPGeo.longitude, DestinationIPGeo.latitude, Destination.IPGeo.location.lon, DestinationIPGeo.location.lat and the SourceIPGeo set. In my logstash I'm using geoip to populate the fields and in my template mapping I've got the DestinationIPGeo.location and SourceIPGeo.location mapped to type geo_point. When I pull the template from ES I don't see the correct type set for the location fields, just the two lon and lat fields set to float. According to the geoip page I need to modify the output template so ES will treat DestinationIPGeo.location as a geo_point. Hopefully that will fix this.
Is there something I can do with scripted fields to build a geo_point for all the indexes I've already injested?
Unfortunately not.
The right answer here was to create a mapping template to set the correct field types when the index is created.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.