Unable to use coordinates map

OK, I am just repeating what you said. I will run the code:

```
PUT _template/logstash_template
{
  "index_patterns": ["logstash_test"],
  "settings": {
  }
}
```

Then I will create an index named "logstash_test".

You need the mappings part in the template.

```
PUT _template/logstash_template
{
  "index_patterns": ["logstash_test"],
  "settings": {
    "number_of_shards": 1
  },
  "mappings": {
    "doc": {
      "properties": {
        "location": {
          "type": "geo_point"
        }
      }
    }
  }
}
```
Can I change the number of shards?

Yes.

Thanks

Even though I deleted the previous index and created a new one, I am still getting the same error.
Let me repeat what I did:

  1. Deleted the index
  2. Ran the script in dev tools
  3. Created the index with the same name

Still the error is there.

Please show us the exact steps you did so we can recreate it and/or spot any errors.

How can I show it? Shall I paste the grok? Shall I paste the indices created? Please tell me.

Show us how you add the template through dev tools. Then copy a sample document and index it into a new index that matches the template using dev tools. Then show us the result.

okay

This is how I add the template:

```
PUT _template/logstash_template
{
  "index_patterns": ["logstash_apchelogs"],
  "settings": {
    "number_of_shards": 5
  },
  "mappings": {
    "doc": {
      "properties": {
        "location": {
          "type": "geo_point"
        }
      }
    }
  }
}
```

Sample document:

```
192.168.200.122 - - [16/Apr/2019:08:53:53 +0530] "GET / HTTP/1.1" 200 82179 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
```

Now I can create the template through dev tools, but how will I copy a sample document and index it into a new index that matches the template using dev tools?

Please format your code, logs or configuration files using </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

There's a live preview panel for exactly this reason.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.
Please update your post.

Could you provide a full recreation script as described in About the Elasticsearch category? It will help to better understand what you are doing. Please, try to keep the example as simple as possible.

A full reproduction script will help readers to understand, reproduce and if needed fix your problem. It will also most likely help to get a faster answer.

Here you are pasting a line of logs, not a JSON document that someone can index to check your template.

Also note that logstash_apchelogs sounds like it may be a bad index name. Maybe it does not match your actual index name.

Sure I will

This is how I add the template:

```
PUT _template/logstash_template
{
  "index_patterns": ["logstash_apchelogs"],
  "settings": {
    "number_of_shards": 5
  },
  "mappings": {
    "doc": {
      "properties": {
        "location": {
          "type": "geo_point"
        }
      }
    }
  }
}
```

Sample document:

```
192.168.200.122 - - [16/Apr/2019:08:53:53 +0530] "GET / HTTP/1.1" 200 82179 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
```

Now I can create the template through dev tools, but how will I copy a sample document and index it into a new index that matches the template using dev tools?

I am pretty sure I put the correct name. The JSON format is as follows. But I don't understand whether I should paste all the contents or something specific. Still, I am pasting all the contents. If you need anything specific among that, please let me know.

```
{
  "_index": "logstash_apchelogs",
  "_type": "doc",
  "_id": "TbI9WGoB0ZVE1U9zAm2x",
  "_version": 1,
  "_score": null,
  "_source": {
    "geoip": {
      "country_code2": "US",
      "continent_code": "NA",
      "location": {
        "lon": -88.2049,
        "lat": 41.8251
      },
      "city_name": "Warrenville",
      "region_code": "IL",
      "country_code3": "US",
      "timezone": "America/Chicago",
      "country_name": "United States",
      "latitude": 41.8251,
      "ip": "131.225.23.167",
      "postal_code": "60555",
      "longitude": -88.2049,
      "dma_code": 602,
      "region_name": "Illinois"
    },
    "verb": "GET",
    "auth": "-",
    "referrer": "\"http://www.rrcat.gov.in/\"",
    "clientip": "131.225.23.167",
    "@version": "1",
    "host": "traineeserver",
    "message": "131.225.23.167 - - [22/Apr/2019:03:36:29 +0530] \"GET /images/gandhi-150.png HTTP/1.1\" 304 - \"http://www.rrcat.gov.in/\" \"Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko\"",
    "ident": "-",
    "@timestamp": "2019-04-26T06:02:34.100Z",
    "timestamp": "22/Apr/2019:03:36:29 +0530",
    "httpversion": "1.1",
    "path": "/elk/Weblog/access_log_web1-20190422",
    "response": "304",
    "request": "/images/gandhi-150.png",
    "agent": "\"Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko\""
  },
  "fields": {
    "@timestamp": [
      "2019-04-26T06:02:34.100Z"
    ]
  },
  "sort": [
    1556258554100
  ]
}
```

The template specifies the geo point field to be location at the base of the document but the document you showed us stored the geo point in geoip.location instead, which does not match the mapping. Either correct the mapping or the documents so they match.
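
The mismatch described above, as an added example that is not part of the original thread: a template that maps the geo point under `geoip`, where the posted document stores it, followed by the kind of Dev Tools test requested earlier in the thread. It assumes the 6.x-style `doc` mapping type used here; the document id `1` and the trimmed sample document are constructed for illustration.

```console
# Map the geo_point where the documents store it: geoip.location
PUT _template/logstash_template
{
  "index_patterns": ["logstash_apchelogs"],
  "settings": {
    "number_of_shards": 5
  },
  "mappings": {
    "doc": {
      "properties": {
        "geoip": {
          "properties": {
            "location": {
              "type": "geo_point"
            }
          }
        }
      }
    }
  }
}

# A template is applied only at index creation, so drop the old index
DELETE logstash_apchelogs

# Index a trimmed copy of the posted document (id 1 is constructed)
PUT logstash_apchelogs/doc/1
{
  "clientip": "131.225.23.167",
  "geoip": {
    "ip": "131.225.23.167",
    "location": {
      "lon": -88.2049,
      "lat": 41.8251
    }
  }
}

# Confirm geoip.location is reported as geo_point, not as two float fields
GET logstash_apchelogs/_mapping
```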

How can I correct it???

Please format your code, logs or configuration files.

I guess you meant to say:

```
PUT _template/logstash_template
{
  "index_patterns": ["logstash_apchelogs"],
  "settings": {
    "number_of_shards": 5
  },
  "mappings": {
    "doc": {
      "properties": {
        "geoip.ip": {
          "type": "geo_point"
        }
      }
    }
  }
}
```

Should I change something like this?
