
I'm running ElasticSearch, Logstash and Kibana using Docker Compose based on the solution: https://github.com/deviantony/docker-elk.

I'm following this tutorial trying to add geoip information when processing my web logs: https://www.elastic.co/blog/geoip-in-the-elastic-stack.

In logstash I'm processing files from FileBeat and I've added geoip to my filter:

filter {
    ...

    geoip {
      source => "client_ip"
    }
}

When I view the documents in Kibana they do contain additional information like geoip.country_name, geoip.city_name etc., but I expect the geoip.location field to be of type geo_point in my index.

Here is an example of how some of the geoip fields are mapped (screenshot: Kibana index field types).

Instead of geo_point I see location.lat and location.lon. Why is my location not of type geo_point? Do I need some kind of mapping, etc.?

All of ingest-common, ingest-geoip, ingest-user-agent and x-pack are loaded when ElasticSearch starts up. I've refreshed the field list for my index in Kibana.

EDIT1:

Based on answer from @Val I'm trying to change the mapping of my index:

PUT iis-log-*/_mapping/log
{
  "properties": {
    "geoip": {
      "dynamic": true,
      "properties": {
        "ip": {
          "type": "ip"
        },
        "location": {
          "type": "geo_point"
        },
        "latitude": {
          "type": "half_float"
        },
        "longitude": {
          "type": "half_float"
        }
      }
    }
  }
}

But that gives me this error:

{
  "error": {
    "root_cause": [
      {
        "type": "illegal_argument_exception",
        "reason": "mapper [geoip.ip] of different type, current_type [text], merged_type [ip]"
      }
    ],
    "type": "illegal_argument_exception",
    "reason": "mapper [geoip.ip] of different type, current_type [text], merged_type [ip]"
  },
  "status": 400
}

1 Answer


In the article you referred to, they do explain that you need to put a specific mapping for the geo_point field in the "Mapping, for Maps" section.

If you're using the default index names (i.e. logstash-*) and the default mapping type (i.e. log), then the mapping is taken care of for you by Logstash. But if not, you need to install it yourself using:

PUT your_index
{
  "mappings" : {
    "_default_" : {
      "_all" : {"enabled" : true, "norms" : false},
      "dynamic_templates" : [ {
        "message_field" : {
          "path_match" : "message",
          "match_mapping_type" : "string",
          "mapping" : {
            "type" : "text",
            "norms" : false
          }
        }
      }, {
        "string_fields" : {
          "match" : "*",
          "match_mapping_type" : "string",
          "mapping" : {
            "type" : "text", "norms" : false,
            "fields" : {
              "keyword" : { "type": "keyword", "ignore_above": 256 }
            }
          }
        }
      } ],
      "properties" : {
        "@timestamp": { "type": "date", "include_in_all": false },
        "@version": { "type": "keyword", "include_in_all": false },
        "geoip"  : {
          "dynamic": true,
          "properties" : {
            "ip": { "type": "ip" },
            "location" : { "type" : "geo_point" },
            "latitude" : { "type" : "half_float" },
            "longitude" : { "type" : "half_float" }
          }
        }
      }
    }
  }
}

In the above mappings, you see the geoip.location field being treated as a geo_point.
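The two practical consequences of the answer above are that the mapping has to be in place before the first document is indexed (an index template does that for a custom index pattern such as iis-log-*), and that a field already mapped with another type cannot be changed in place, which is exactly the "mapper [geoip.ip] of different type" error in EDIT1; such an index has to be recreated with the right mapping and reindexed. The following is an added example, not code from the post or from the docker-elk project: it builds a legacy index template carrying the answer's geoip mapping (the "template" key and _default_/include_in_all style assume an Elasticsearch 5.x cluster, as the answer's mapping does), and checks an existing index mapping for type conflicts before attempting a merge. The index pattern iis-log-*, the mapping type log, the URL http://localhost:9200 and the sample mapping response are constructed assumptions.

```python
import json
from urllib.request import Request, urlopen  # only used in main(), for the live PUT

# Assumed values, not from the post.
INDEX_PATTERN = "iis-log-*"
MAPPING_TYPE = "log"
ES_URL = "http://localhost:9200"

# The geoip sub-mapping from the answer above.
GEOIP_PROPERTIES = {
    "dynamic": True,
    "properties": {
        "ip": {"type": "ip"},
        "location": {"type": "geo_point"},
        "latitude": {"type": "half_float"},
        "longitude": {"type": "half_float"},
    },
}


def build_geoip_template(index_pattern, mapping_type=MAPPING_TYPE):
    """Legacy (Elasticsearch 5.x) index template. It is applied when a matching
    index is *created*, so it must be installed before Logstash writes the first
    document; existing indices are not touched."""
    return {
        "template": index_pattern,
        "order": 1,
        "mappings": {mapping_type: {"properties": {"geoip": GEOIP_PROPERTIES}}},
    }


def _field_type(spec):
    # A field with "properties" but no "type" is an object (what dynamic mapping
    # produced for geoip.location in the question: location.lat / location.lon).
    return spec.get("type", "object" if "properties" in spec else None)


def find_type_conflicts(current_props, desired_props, prefix=""):
    """Compare an existing mapping's properties with the ones we want to merge in.
    Returns (field_path, current_type, desired_type) for every field that is
    already mapped with a different type; Elasticsearch rejects such a merge with
    an illegal_argument_exception, so those indices need a reindex instead."""
    conflicts = []
    for name, desired in desired_props.items():
        current = current_props.get(name)
        if current is None:
            continue  # not mapped yet: the merge will simply add it
        path = prefix + name
        cur_t, want_t = _field_type(current), _field_type(desired)
        if cur_t == want_t == "object":
            conflicts += find_type_conflicts(
                current.get("properties", {}), desired.get("properties", {}), path + "."
            )
        elif cur_t != want_t:
            conflicts.append((path, cur_t, want_t))
    return conflicts


def conflicts_in_mapping_response(response, mapping_type=MAPPING_TYPE):
    """Run the check over a GET <index>/_mapping response (one entry per index)."""
    return {
        index: find_type_conflicts(
            body["mappings"].get(mapping_type, {}).get("properties", {}),
            {"geoip": GEOIP_PROPERTIES},
        )
        for index, body in response.items()
    }


# Constructed sample: what dynamic mapping produced for the question's documents.
SAMPLE_MAPPING_RESPONSE = {
    "iis-log-2017.01.01": {
        "mappings": {
            "log": {
                "properties": {
                    "client_ip": {"type": "text"},
                    "geoip": {
                        "properties": {
                            "ip": {"type": "text"},
                            "country_name": {"type": "text"},
                            "location": {
                                "properties": {"lat": {"type": "float"}, "lon": {"type": "float"}}
                            },
                            "latitude": {"type": "float"},
                            "longitude": {"type": "float"},
                        }
                    },
                }
            }
        }
    }
}


def main():
    for index, conflicts in conflicts_in_mapping_response(SAMPLE_MAPPING_RESPONSE).items():
        for path, cur_t, want_t in conflicts:
            print(f"{index}: {path} is {cur_t}, want {want_t} -> reindex required")
    # Install the template so that new iis-log-* indices get geo_point from the start.
    body = json.dumps(build_geoip_template(INDEX_PATTERN)).encode()
    req = Request(f"{ES_URL}/_template/geoip-{MAPPING_TYPE}", data=body, method="PUT",
                  headers={"Content-Type": "application/json"})
    print(urlopen(req).read().decode())


if __name__ == "__main__":
    main()
```

Run the conflict check first; if it reports anything for an index that already holds data, create a fresh index (the template will apply to it) and use the _reindex API to copy the documents over, rather than retrying PUT _mapping, which will keep failing with the same error.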