Unsupported symbol [-] in geohash

Aniket_Pant · March 27, 2021, 6:02pm

I am facing some issue while defining mapping for an index

[2021-03-27T23:27:36,733][WARN ][logstash.outputs.elasticsearch][packetbeat][7bb6e349f13f74fc053ef83bdac5d84b4de038193ed7d008068e4432f88bd27d] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"log-pb-flow-2021.03.27", :routing=>nil, :_type=>"_doc"}, #<LogStash::Event:0x1b2d34b5>], :response=>{"index"=>{"_index"=>"log-pb-flow-2021.03.27", "_type"=>"_doc", "_id"=>"XzTVdHgBRP-3kKikkO1x", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [destination.location] of type [geo_point]", "caused_by"=>{"type"=>"parse_exception", "reason"=>"unsupported symbol [-] in geohash [-93.6112]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"unsupported symbol [-] in geohash [-93.6112]"}}}}}}

logstash pipeline file

input {
  beats {
    port => 5044
  }
}

filter {
  if [agent][type]=="packetbeat" {
        geoip {
        add_tag => [ "GeoIP" ]
        source => "[destination][ip]"
        add_field => [ "[destination][location]", "%{[geoip][longitude]}" ]
        add_field => [ "[destination][location]", "%{[geoip][latitude]}" ]
        #database => "/usr/share/logstash/GeoLite2-City.mmdb"
 }
}
}
output
{
if [agent][type]=="packetbeat" {
if[type]=="flow"
   {
    elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "log-pb-flow-%{+YYYY.MM.dd}"
  }
  }
}
}

My index template

PUT /_template/packetbeat_flow
{
  "index_patterns": ["log-pb-flow-*"],
  "settings": {
    "number_of_replicas": 0
  },
  "mappings" : {
 "properties": {
      "client.ip":{"type": "ip",
        "fields": {
         "keyword":{"type":"keyword"}
       }
      },
      "host.ip":{"type": "ip",
        "fields": {
         "keyword":{"type":"keyword"}
       }
      },
      "server.ip":{"type": "ip",
      "fields": {
         "keyword":{"type":"keyword"}
       }},
      "source.ip":{"type": "ip",
       "fields": {
         "keyword":{"type":"keyword"}
       }
      },
"destination.ip" : { "type": "ip"
},
"destination.location" : {"type": "geo_point"},
"geoip" : {
  "dynamic": true,
"properties" : 
{
"ip":{"type":"ip"},
          "latitude":{"type":"half_float",
          "fields":{
              "lat":{"type":"half_float"}
            
          }
          },
          "longitude":{"type":"half_float",
               "fields":{
              "lat":{"type":"half_float"}
            
          }
            },
          "location":{"type":"geo_point"}
}
}
}  
}
}

i dont know where i am doing wrong

Badger · March 27, 2021, 6:27pm

Did you mean

add_field => {
    "[destination][location][lon]" => "%{[geoip][longitude]}"
    "[destination][location][lat]" => "%{[geoip][latitude]}"
}

My guess is that the error message indicates elasticsearch is trying to interpret -93.6112 as a latitude, which cannot be negative.

Aniket_Pant · March 28, 2021, 3:06am

""}}}}}}
[2021-03-28T08:34:18,825][WARN ][logstash.outputs.elasticsearch][packetbeat][d43bdd2a9866aef5e63d1cc59ff1045af8b205b2c9c4fb1919aec905c59aa659] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"log-pb-flow-2021.03.28", :routing=>nil, :_type=>"_doc"}, #<LogStash::Event:0x7844ad5e>], :response=>{"index"=>{"_index"=>"log-pb-flow-2021.03.28", "_type"=>"_doc", "_id"=>"dzfKdngBRP-3kKikFUtZ", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [destination.location] of type [geo_point]", "caused_by"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [destination.location.lon] of type [half_float] in document with id 'dzfKdngBRP-3kKikFUtZ'. Preview of field's value: 'null'", "caused_by"=>{"type"=>"number_format_exception", "reason"=>"For input string: \"9ydqy025w0qn\""}}}}}}

i made the changes in pipeline file

filter {
  if [agent][type]=="packetbeat" {
        geoip {
        add_tag => [ "GeoIP" ]
        source => "[destination][ip]"
        add_field => [ "[destination][location][lon]", "%{[geoip][longitude]}" ]
        add_field => [ "[destination][location][lat]", "%{[geoip][latitude]}" ]
        database => "/usr/share/logstash/GeoLite2-City.mmdb"
 }
}
}

and in template too

"destination":
{
  "dynamic":true,
  "properties": {
    "ip":{"type":"ip"},
    "location":{"type":"geo_point",
      "fields":{"lat":{"type":"half_float"},
        "lon":{"type":"half_float"}
      }
    }
    
  }
},
"geoip" : {
  "dynamic": true,
"properties" : 
{
"ip":{"type":"ip"},
          "latitude":{"type":"half_float",
          "fields":{
              "lat":{"type":"half_float"}
            
          }
          },
          "longitude":{"type":"half_float",
               "fields":{
              "lat":{"type":"half_float"}
            
          }
            },
          "location":{"type":"geo_point"}

system · April 25, 2021, 3:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.