Visualization in Kibana not accepting a geo_point

I'm having an issue getting Kibana to generate a coordinate map using a geo_point variable that I pass in from Logstash.

I'm parsing bro logs from a syslog file. Within the filter section of my conf file, I have the following code:

if [json][id.resp_h] !~ /^10\./ {
  geoip {
    source => "[json][id.resp_h]"
    target => "[json][resp_geoip]"
  }
}

To be clear, I parsed the lines of the syslog file (in this case from a Bro conn log) into an array I called 'json'. Then the array has a variety of elements, including one called 'id.resp_h', which is an IP address. I then use the geoip filter to generate a new array element called resp_geoip.

The output section of my conf file is as follows:
output {
  elasticsearch {
    action => "index"
    hosts => ["localhost:9200"]
    index => "logstash-bro_syslog-%{+YYYY.MM.dd}"
    manage_template => true
    template => "C:\Bitnami\elk-6.5.4-0\logstash\bro_template.json"
    template_overwrite => true
    document_type => "bro_logs"
  }
  stdout {
  }
}

As shown, I'm using a template called bro_template.json. Within that file, I specify the type as follows:

  "resp_geoip" : {
    "dynamic" : "true",
    "properties" : {
      "timezone" : {
        "type" : "text"
      },
      "ip" : {
        "type" : "ip"
      },
      "latitude" : {
        "type" : "half_float"
      },
      "location" : {
        "type" : "geo_point"
      },
      "longitude" : {
        "type" : "half_float"
      },
      "continent_code" : {
        "type" : "text"
      },
      "city_name" : {
        "type" : "text"
      },
      "country_name" : {
        "type" : "text"
      },
      "dma_code" : {
        "type" : "integer"
      },
      "country_code2" : {
        "type" : "text"
      },
      "country_code3" : {
        "type" : "text"
      },
      "region_name" : {
        "type" : "text"
      },
      "postal_code" : {
        "type" : "text"
      }
    }
  },

With the above configuration, all my data appears in Kibana and looks to be formatted correctly. That being the case, the variable that I want to map in Kibana shows up as 'resp_geoip.location'.

The problem is I cannot get Kibana to display anything on the coordinate map. I select Coordinate Map on the Visualization page, then select the index with which I'm working, and then get to the map setup page. Under Metrics, I select 'Count'. Under buckets, I click 'Geo Coordinates', which then asks for an Aggregation. The only option shown is Geohash (which I don't have in my data set). But under 'select field', Kibana does offer me the option of choosing my variable above - resp_geoip.location. But when I select it and then push the button to generate the map, nothing appears.

So, at this point I'm at a loss. I defined a template to cover the geo_point conversion as I've seen others suggest, and I've also confirmed that logstash's geoip filter is working as expected. But nothing I seem to do will generate the map.

Am I supposed to be creating a geohash to be used in that map? If so, is there a function available to do so? I've checked around and haven't seen anything ELK-specific. Or is the functionality I'm describing above as expected and I just have some other weird anomaly going on?

I'll note that not every data record has a resp_geoip.location value. Some are indeed blank. I've tried doing a search in the search bar to narrow down only the ones that have values, but that still hasn't solved the issue.

Thanks for your assistance in solving this frustrating issue!

Here's a brief update with some further details...

I noticed when looking at the Discover tab that all my values for resp_geoip.location are blank, which obviously seems undesirable. On the positive side, on the left-hand side, I can see the resp_geoip.location is indeed being tagged with a little globe, indicating it's a valid geo_point.

There is a bunch of data within the resp_geoip variable - for example, one entry has the value:

{"timezone":"America/Los_Angeles","ip":"13.107.3.128","latitude":47.6801,"continent_code":"NA","city_name":"Redmond","country_code2":"US","country_name":"United States","dma_code":819,"country_code3":"US","location":{"lat":47.6801,"lon":-122.1206},"region_name":"Washington","postal_code":"98052","region_code":"WA","longitude":-122.1206}

I extracted the location information and stored it in a variable called 'location_resp_geoip' in the format {"lat":47.6801,"lon":-122.1206}, but that variable was not recognized as a geo_point even though I attempted to make it so by including the following in my template:

"location_resp_geoip" : {
  "properties" : {
    "type" : "geo_point"
  }
},

Turns out I just needed a bit more time to come to a solution on the above issue.

The issue with the above had to do with the fact I was storing the geoip variable within the array I labeled 'json'. I set the 'resp_geoip' variable again without the [json] portion and then adjusted the template file to ensure that 'resp_geoip' wasn't described within the "json" portion of that file. With those changes, the geoip functionality started working in the coordinate map.

Hopefully this may be useful to some other folks that come across similar issues.


Glad you got it working!

Just in case this provides some clarity, I wanted to mention that fields Kibana shows under the various aggregation types are controlled by the field mapping in Elasticsearch. If the field is a "geo_point" type, then it will show up in the Geohash aggregation, and if it's any other type, it will not. Since you were putting the value in an array, the types didn't match and the field did not show up.

More generally speaking, Kibana's handling of data in arrays is kind of tricky, sometimes things work, but for the most part it's best to avoid putting your data in an array if you can avoid it and just use the more primitive field types instead.
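The mismatch behind the solution post and the reply above (template maps resp_geoip at the top level, event stores it under the json object, so the geo_point mapping never applies) can be checked before indexing. The following is an added example, not code from the thread or from Elastic: it resolves each field of a Logstash event against a template's "properties" the way Elasticsearch applies a mapping and lists which paths end up as geo_point. The template fragment and both events are constructed here to mirror the thread.

```python
# Added example, not from the thread: resolve each field of a Logstash event
# against the template "properties" the way Elasticsearch applies a mapping.

# Constructed template fragment: resp_geoip mapped at the top level, as in
# the thread's bro_template.json.
TEMPLATE_PROPERTIES = {
    "resp_geoip": {
        "properties": {
            "ip": {"type": "ip"},
            "latitude": {"type": "half_float"},
            "location": {"type": "geo_point"},
        }
    }
}

# Constructed events. GEO is the sample geoip output from the thread;
# EVENT_NESTED stores it under [json] (broken), EVENT_TOP at the top level (fixed).
GEO = {"ip": "13.107.3.128", "latitude": 47.6801,
       "location": {"lat": 47.6801, "lon": -122.1206}}
EVENT_NESTED = {"json": {"id.resp_h": "13.107.3.128", "resp_geoip": GEO}}
EVENT_TOP = {"json": {"id.resp_h": "13.107.3.128"}, "resp_geoip": GEO}


def resolve_types(properties, doc, prefix=""):
    """Return {dotted_path: mapped_type} for every field in doc.

    None means the template says nothing about that path, so Elasticsearch
    maps it dynamically (lat/lon become plain floats, not a geo_point).
    Descent stops at a node with an explicit type: a geo_point's lat/lon
    live inside that single field.
    """
    result = {}
    for key, value in doc.items():
        path = prefix + key
        mapping = properties.get(key)
        if mapping is None:
            result[path] = None
            if isinstance(value, dict):  # keep walking so nested paths are listed
                result.update(resolve_types({}, value, path + "."))
        elif "type" in mapping:
            result[path] = mapping["type"]
        elif isinstance(value, dict):
            result.update(resolve_types(mapping.get("properties", {}), value, path + "."))
        else:
            result[path] = None
    return result


def geo_point_fields(properties, doc):
    """Paths Kibana's Geo Coordinates bucket could offer as a geo_point."""
    return sorted(p for p, t in resolve_types(properties, doc).items() if t == "geo_point")
```

Running `geo_point_fields(TEMPLATE_PROPERTIES, EVENT_NESTED)` returns an empty list, while the same call on `EVENT_TOP` returns `['resp_geoip.location']`, which is exactly the difference the coordinate map was reacting to.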
