I have rewritten the template and filter descriptions.
Is this what you intend?
```
# vi /etc/logstash/logstash-its.conf
... snip ...
filter {
  grok {
    match => {
      "message" => '%{IP:[nginx][access][remote_ip_list]}\s%{DATA:[nginx][access][user_name]}\s%{DATA:[nginx][access][user]}\s\[%{HTTPDATE:[nginx][access][timestamp]}\]\s\"%{WORD:[nginx][access][method]}\s%{DATA:[nginx][access][url]}\sHTTP/%{DATA:[nginx][access][http_version]}\"\s%{NUMBER:[nginx][access][response_code]}\s%{NUMBER:[nginx][access][body_sent][bytes]:int}\s\"%{DATA:[nginx][access][referrer]}\"\s\"%{DATA:[nginx][access][agent]}"'
    }
  }
  useragent {
    source => "[nginx][access][agent]"
    target => "[nginx][access][useragent]"
  }
  geoip {
    source => "[nginx][access][remote_ip_list]"
  }
}
... snip ...
```
```
# curl -X GET "localhost:9200/_index_template/geo_index_template?pretty"
{
  "index_templates" : [
    {
      "name" : "geo_index_template",
      "index_template" : {
        "index_patterns" : [
          "*-www-access-*",
          "*-nginx-access-*"
        ],
        "template" : {
          "settings" : {
            "index" : {
              "number_of_shards" : "1",
              "number_of_replicas" : "0"
            }
          },
          "mappings" : {
            "properties" : {
              "geoip" : {
                "properties" : {
                  "location" : {
                    "type" : "geo_point"
                  }
                }
              }
            }
          }
        },
        "composed_of" : [ ]
      }
    }
  ]
}
```
However, it is not currently working well.
This is because we are not re-creating the index.
Stopping or deleting indexes is not casually possible at present.
There are people who refer to these.
I create each index daily in the format `****-%{+YYYY.MM.dd}`.
Would this not allow me to get the location from that morning, as the new index is created the next day?
Soon a new index with a new date will be created.
I hope that works, but I am a little skeptical, because I was not able to get the location properly in this morning's index.
I will let you know the result of this tomorrow.
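An added example, not from the original post, that checks offline the two things the question depends on: whether the template's `index_patterns` match a daily index name, and whether an existing index's mapping already has `geoip.location` as `geo_point`. The `its-` index names and the two mapping responses are constructed samples; the old-index sample assumes default dynamic mapping, which stores a lat/lon object as float fields.

```python
"""Offline check of why geoip.location may not be a geo_point yet.

Added example, not from the original post. Index names and mapping documents
below are constructed; index_patterns are copied from the template above.
"""
import fnmatch
import json

INDEX_PATTERNS = ["*-www-access-*", "*-nginx-access-*"]

# Constructed: index created before the template existed; dynamic mapping
# stored geoip.location as an object with float lat/lon fields.
OLD_INDEX_MAPPING = json.loads("""{
  "its-nginx-access-2021.03.10": {"mappings": {"properties": {"geoip": {
    "properties": {"location": {"properties": {
      "lat": {"type": "float"}, "lon": {"type": "float"}}}}}}}}
}""")

# Constructed: the mapping a new index receives from the template.
NEW_INDEX_MAPPING = json.loads("""{
  "its-nginx-access-2021.03.11": {"mappings": {"properties": {"geoip": {
    "properties": {"location": {"type": "geo_point"}}}}}}
}""")

def template_applies(index_name, patterns=INDEX_PATTERNS):
    """True if index_patterns would match this name. Templates are applied
    only when an index is created, so this says nothing about old indices."""
    return any(fnmatch.fnmatchcase(index_name, p) for p in patterns)

def location_type(mapping_response):
    """Mapped type of geoip.location in a GET <index>/_mapping response for
    one index; 'object' when it was mapped dynamically (no explicit type)."""
    (index_body,) = mapping_response.values()
    geoip = index_body["mappings"]["properties"]["geoip"]["properties"]
    return geoip["location"].get("type", "object")

def diagnose(index_name, mapping_response):
    """One-line explanation of whether location queries can work on the index."""
    if location_type(mapping_response) == "geo_point":
        return "ok"
    if template_applies(index_name):
        return "template matches but index predates it: reindex or wait for the next daily index"
    return "index name does not match any index_patterns entry"

if __name__ == "__main__":
    for name, mapping in [("its-nginx-access-2021.03.10", OLD_INDEX_MAPPING),
                          ("its-nginx-access-2021.03.11", NEW_INDEX_MAPPING)]:
        print(name, "->", diagnose(name, mapping))
```

Against a live cluster, the same check is `GET <index>/_mapping` for today's index: if `location` shows `lat`/`lon` sub-fields instead of `"type": "geo_point"`, the template has not taken effect for that index and only the next daily index will get it.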