Tags: elasticsearch, kibana, geoip, elastic-stack, logstash-configuration

ELK - Kibana doesn't recognize geo_point field


I'm trying to create a Tile map in Kibana with geolocation points. For some reason, when I try to create the map, I get the following message in Kibana:

No Compatible Fields: The "logs" index pattern does not contain any of the following field types: geo_point

My settings:
Logstash (version 2.3.1):

filter {
    grok {
        match => { 
            "message" => "MY PATTERN"
        }
    }

    geoip {
        source => "ip"
        target => "geoip"
        add_field => [ "location", "%{[geoip][latitude]}, %{[geoip][longitude]}" ] #added this extra field in case the nested field is the problem
    }
}
output {
    stdout { codec => rubydebug }
    elasticsearch { 
        hosts => ["localhost:9200"]
        index => "logs"
    }
}

When log input arrives, I can see it is parsed as it should be, and I do get the GeoIP data for a given IP:

"geoip" => {
           "ip" => "XXX.XXX.XXX.XXX",
           "country_code2" => "XX",
           "country_code3" => "XXX",
            "country_name" => "XXXXXX",
          "continent_code" => "XX",
             "region_name" => "XX",
               "city_name" => "XXXXX",
                "latitude" => XX.0667,
               "longitude" => XX.766699999999986,
                "timezone" => "XXXXXX",
        "real_region_name" => "XXXXXX",
                "location" => [
            [0] XX.766699999999986,
            [1] XX.0667
        ]
    },
    "location" => "XX.0667, XX.766699999999986"

Elasticsearch (version 2.3.1):
GET /logs/_mapping returns:

{
   "logs": {
      "mappings": {
         "logs": {
            "properties": {
               "@timestamp": {
                  "type": "date",
                  "format": "strict_date_optional_time||epoch_millis"
               },
               .
               .
               .
               "geoip": {
                  "properties": {
                     .
                     .
                     .
                     "latitude": {
                        "type": "double"
                     },
                     "location": {
                        "type": "geo_point"
                     },
                     "longitude": {
                        "type": "double"
                     }
                  }
               },
               "location": {
                  "type": "geo_point"
               }
            }
         }
      }
   }
}

Kibana (version 4.5.0):
I do see all the data and everything seems to be fine. Just when I go to "Visualize" -> "Tile map" -> "From a new search" -> "Geo Coordinates", I get this error message:

 No Compatible Fields: The "logs" index pattern does not contain any of the following field types: geo_point

Even though I see in the Elasticsearch mapping that the location type is geo_point. What am I missing?


Solution

  • Found the issue! I called the index "logs". I changed the index name to "logstash-logs" (it needs the logstash-* prefix) and everything started to function!
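
A check to run against the mapping response before turning to Kibana, added here as an example and not part of the original post: it lists every geo_point field in a GET /<index>/_mapping response (Elasticsearch 2.x layout, as in the question) and flags whether the index name carries the logstash-* prefix the answer mentions. The sample mapping is constructed from the question's output, and the function names are hypothetical.

```python
import fnmatch
import json

# Constructed sample shaped like the GET /logs/_mapping response in the question
# (Elasticsearch 2.x layout: index -> mappings -> type -> properties).
SAMPLE_MAPPING = {"logs": {"mappings": {"logs": {"properties": {
    "@timestamp": {"type": "date"},
    "geoip": {"properties": {
        "latitude": {"type": "double"},
        "location": {"type": "geo_point"},
        "longitude": {"type": "double"},
    }},
    "location": {"type": "geo_point"},
}}}}}

def fields_of_type(properties, wanted, prefix=""):
    """Recursively collect dotted field paths whose mapping type is `wanted`."""
    found = []
    for name, spec in sorted(properties.items()):
        path = prefix + name
        if spec.get("type") == wanted:
            found.append(path)
        # Object fields carry their children under a nested "properties" key.
        found.extend(fields_of_type(spec.get("properties", {}), wanted, path + "."))
    return found

def geo_point_report(mapping_response, prefix_pattern="logstash-*"):
    """Map each index to its geo_point fields and whether its name has the prefix."""
    report = {}
    for index, body in mapping_response.items():
        paths = set()
        for type_mapping in body.get("mappings", {}).values():
            paths.update(fields_of_type(type_mapping.get("properties", {}), "geo_point"))
        report[index] = {
            "geo_point_fields": sorted(paths),
            "has_logstash_prefix": fnmatch.fnmatch(index, prefix_pattern),
        }
    return report

if __name__ == "__main__":
    print(json.dumps(geo_point_report(SAMPLE_MAPPING), indent=2))
```

If the report lists geo_point fields but Kibana still shows none, the mapping itself is not the missing piece, which matches the situation described in the question.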