I upgraded my cluster to 8.2 last week, and started migrating over to data streams for filebeat, metricbeat, and logstash. For the most part this went okay, with the exception of geo_points.
Initially, the geo object was added for some reason, so I updated the index template to account for that.
Running into an issue where the data stream, even though mapped as a geo_point from a logstash instance, is picked up as a keyword, and therefore does not allow mapping. In conclusion, logstash instructs it to be a geo_point, and the index template for the stream is mapped as a geo_point, but that's not what is getting indexed.
@JSkier could you confirm that the actual mapping of your data stream contains the correct geo_point field? I'm not very familiar with the details of data streams, but we have a tutorial that uses them.
Maybe you could take a look in case you notice any difference with your setup? Sorry for not being more specific right now, but maybe this helps to unlock the issue.
Looks promising, I will check tomorrow and see if the config change will work.
Looking at data streams some more, it would appear that the mapping syntax may be slightly different, which may be contributing to my issues. If the first problem doesn't resolve this, I will dig into the syntax of the mapped fields some more.
The geoip plugin still works with ecs compat disabled, however now the coordinate field just isn't there in new data. So, fields like Region and Continent still work, sans the coordinate field now.
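The mapping check requested earlier in the thread, as an added example that is not from any poster: it walks a `GET <data-stream>/_mapping` response and reports, per backing index, what type the coordinate field actually has. An index template is applied when a backing index is created, so an index created before the template change can still hold the old type. The field name `geoip.location` and the backing index names are assumptions, and the sample response is constructed.

```python
import json

# Constructed sample, shaped like the body returned by GET <data-stream>/_mapping:
# one entry per backing index. Index and field names are illustrative assumptions.
SAMPLE_RESPONSE = json.loads("""
{
  ".ds-logs-example-default-2022.05.10-000001": {
    "mappings": {"properties": {"geoip": {"properties": {
      "region_name": {"type": "keyword"},
      "location": {"type": "keyword"}
    }}}}
  },
  ".ds-logs-example-default-2022.05.17-000002": {
    "mappings": {"properties": {"geoip": {"properties": {
      "region_name": {"type": "keyword"},
      "location": {"type": "geo_point"}
    }}}}
  }
}
""")


def field_type(mappings, dotted_path):
    """Return the mapped type of a dotted field path, or None if it is unmapped."""
    node = mappings
    for part in dotted_path.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    # Object fields carry "properties" and no explicit "type".
    return node.get("type", "object")


def audit_field(response, dotted_path):
    """Map each backing index name to the type it holds for dotted_path."""
    return {index: field_type(body.get("mappings", {}), dotted_path)
            for index, body in sorted(response.items())}


def mismatched(report, expected="geo_point"):
    """List the backing indices whose mapping is not the expected type."""
    return [index for index, mapped in report.items() if mapped != expected]


if __name__ == "__main__":
    report = audit_field(SAMPLE_RESPONSE, "geoip.location")
    for index, mapped in report.items():
        print(f"{index}: {mapped}")
    print("not geo_point:", mismatched(report))
```

A result of `None` means the field is not mapped at all in that backing index, which is different from being mapped with the wrong type.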