0
votes

I am running Elasticsearch version 1.5.2. Logstash version 1.5.4.

Most of the logstash settings are default:

filter {
  geoip {
    # look up the address stored in the "ipaddress" field
    source => "ipaddress"
  }
}

output {
  elasticsearch {
    host => "127.0.0.1"
    port => 9200
    protocol => http
    user => searchguard
    password => somepassword
  }
}

In Kibana, when I try to set up a tile map, I see this error:

"No Compatible Fields: The "[logstash-]YYYY.MM.DD" index pattern does not contain any of the following field types: geo_point"

I checked the mapping "http://localhost:9200/logstash-2015.09.15?pretty" and geoip.location is mapped as double and not geo_point.

Any suggestions how to map this correctly?

More info:

curl -XGET localhost:9200/logstash-2015.09.15/_mapping

{
  "logstash-2015.09.15": {
    "mappings": {
      "logs": {
        "properties": {
          "@timestamp": {
            "type": "date",
            "format": "dateOptionalTime"
          },
          "@version": {
            "type": "string"
          },
          "csbytes": {
            "type": "long"
          },
          "geoip": {
            "properties": {
              "area_code": {
                "type": "long"
              },
              "city_name": {
                "type": "string"
              },
              "continent_code": {
                "type": "string"
              },
              "country_code2": {
                "type": "string"
              },
              "country_code3": {
                "type": "string"
              },
              "country_name": {
                "type": "string"
              },
              "dma_code": {
                "type": "long"
              },
              "ip": {
                "type": "string"
              },
              "latitude": {
                "type": "double"
              },
              "location": {
                "type": "double"
              },
              "longitude": {
                "type": "double"
              },
              "postal_code": {
                "type": "string"
              },
              "real_region_name": {
                "type": "string"
              },
              "region_name": {
                "type": "string"
              },
              "timezone": {
                "type": "string"
              }
            }
          },
          "ipaddress": {
            "type": "string"
          },
          "log_timestamp": {
            "type": "string"
          },
          "message": {
            "type": "string"
          },
          "method": {
            "type": "string"
          },
          "referer": {
            "type": "string"
          },
          "scbytes": {
            "type": "long"
          },
          "scstatus": {
            "type": "long"
          },
          "tags": {
            "type": "string"
          },
          "timetaken": {
            "type": "long"
          },
          "useragent": {
            "type": "string"
          },
          "username": {
            "type": "string"
          }
        }
      }
    }
  }
}

curl -XGET localhost:9200/_template/logstash

This is empty {}

I am using the defaults. I have not edited the default template.

1
Can you update your question with the output of curl -XGET localhost:9200/logstash-2015.09.15/_mapping and the output of curl -XGET localhost:9200/_template/logstash? - Val

Answer's probably clear. If there's no predefined mapping for geoip, Elasticsearch will always index it as an array of doubles. You need to specify this in your template. It also applies to data types such as IP. - Evaldas Buinauskas

Updated with the output. - Dhrumil

1 Answer

1
votes

Take a look at this geo-point data type. Mapping for geo_point can be set up only manually (if I am not mistaken).
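
The following is an added example, not code from the original posts or from the Logstash/Elasticsearch projects. It audits a `_mapping` response for `location` fields that were dynamically mapped as something other than `geo_point`, then builds an Elasticsearch 1.x index template body that maps them explicitly. The function names and the `logstash-*` pattern are assumptions, and the sample is a trimmed, constructed copy of the mapping in the question.

```python
import json

def find_unmapped_geo(properties, prefix=""):
    """Return dotted paths of 'location' fields that sit beside latitude/longitude
    but are mapped as something other than geo_point."""
    hits = []
    for name, spec in sorted(properties.items()):
        children = spec.get("properties")
        if children is None:
            continue  # leaf field, nothing nested to inspect
        loc = children.get("location")
        if (loc is not None and "latitude" in children and "longitude" in children
                and loc.get("type") != "geo_point"):
            hits.append(prefix + name + ".location")
        hits.extend(find_unmapped_geo(children, prefix + name + "."))
    return hits

def audit(mapping_response):
    """mapping_response: parsed JSON returned by GET /<index>/_mapping."""
    paths = set()
    for index in mapping_response.values():
        for doc_type in index["mappings"].values():
            paths.update(find_unmapped_geo(doc_type.get("properties", {})))
    return sorted(paths)

def build_template(paths, pattern="logstash-*"):
    """Build an ES 1.x template body (assumed pattern) mapping each path as geo_point."""
    root = {}
    for path in paths:
        node, parts = root, path.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {"properties": {}})["properties"]
        node[parts[-1]] = {"type": "geo_point"}
    return {"template": pattern, "mappings": {"_default_": {"properties": root}}}

# Constructed sample: trimmed copy of the mapping shown in the question.
SAMPLE = {"logstash-2015.09.15": {"mappings": {"logs": {"properties": {
    "ipaddress": {"type": "string"},
    "geoip": {"properties": {
        "latitude": {"type": "double"},
        "location": {"type": "double"},
        "longitude": {"type": "double"}}}}}}}}

if __name__ == "__main__":
    bad = audit(SAMPLE)
    print("fields needing geo_point:", bad)
    print(json.dumps(build_template(bad), indent=2))
```

The printed body is what would be sent with a PUT to localhost:9200/_template/logstash. A template only affects indices created after it is installed, so an existing daily index such as logstash-2015.09.15 keeps its `double` mapping until it is reindexed.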