logstash geoip.location mapping to geo_point not working

Question 1

logstash geoip.location mapping to geo_point not working

elasticsearch geolocation logstash elastic-stack logstash-grok

red888 · Mar 13, 2017 · Viewed 8.4k times · Source

Answer

Answer

https://discuss.elastic.co/t/geoip-location-not-getting-mapped-to-a-geo-point-type/78625

Issue was my ignorance of how index mapping works. This default mapping is being applied to indices matching the name "logstash-*" and my index name did not match that.

Changing my index name to logstash-myindex worked.

Question 2

I can see in my default mappings geoip.location is mapped to geo_point type:

GET myserver:9200/_template
    {
      "logstash": {
        "order": 0,
        "version": 50001,
        "template": "logstash-*",
        "settings": {
          "index": {
            "refresh_interval": "5s"
          }
        },
        "mappings": {
          "_default_": {
            "dynamic_templates": [
              {
                "message_field": {
                  "path_match": "message",
                  "mapping": {
                    "norms": false,
                    "type": "text"
                  },
                  "match_mapping_type": "string"
                }
              },
              {
                "string_fields": {
                  "mapping": {
                    "norms": false,
                    "type": "text",
                    "fields": {
                      "keyword": {
                        "type": "keyword"
                      }
                    }
                  },
                  "match_mapping_type": "string",
                  "match": "*"
                }
              }
            ],
            "_all": {
              "norms": false,
              "enabled": true
            },
            "properties": {
              "@timestamp": {
                "include_in_all": false,
                "type": "date"
              },
              "geoip": {
                "dynamic": true,
                "properties": {
                  "ip": {
                    "type": "ip"
                  },
                  "latitude": {
                    "type": "half_float"
                  },
                  "location": {
                    "type": "geo_point"
                  },
                  "longitude": {
                    "type": "half_float"
                  }
                }
              },
              "@version": {
                "include_in_all": false,
                "type": "keyword"
              }
            }
          }
        },
        "aliases": {}
      }
    }

I have this in a logstash filter to get the geoip data from one of my fields:

geoip {
  source => "myField"
  add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
  add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
}
mutate {
  convert => [ "[geoip][coordinates]", "float"]
}

But, when it gets into ES the location field is a "number"

Also if I try to use the kibana map visualization it says "No Compatible Fields"

Why isn't the default mapping working?

Edit: I also tried just geoip { source => "myfield"} because my default mapping is using location and not coordinates, but this did not work.

I also got rid of the mutate and tried this, but it doesn't work either:

geoip {
  source => "myfield"
  add_field => [ "[geoip][location]", "%{[geoip][longitude]}" ]
  add_field => [ "[geoip][location]", "%{[geoip][latitude]}"  ]
}

logstash geoip.location mapping to geo_point not working

Answer

Related questions