Can't Filter by geoip.location
Using ELK 6.X, it seems I cannot plot points because geoip.location is not populated.
I also added a template which I hope is correct. I'm not an expert, but I am pretty sure my points aren't rendered because the data is missing there.
Kibana 6.4.2
Logstash 6.4.2-1
Elasticsearch 6.4.2
Here are the configs:
input
udp
port => 9996
codec => netflow
versions => [5, 7, 9, 10]
type => netflow
filter
geoip
source => "[netflow][ipv4_src_addr]"
target => "src_geoip"
database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
geoip
source => "[netflow][ipv4_dst_addr]"
target => "dst_geoip"
database => "/usr/share/GeoIP/GeoLite2-City.mmdb"
output
output
if [type] == "netflow"
elasticsearch
hosts => ["localhost:9200"]
index => "logstash-%+YYYY.MM.dd"
else
elasticsearch
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
index => "%[@metadata][beat]-%+YYYY.MM.dd"
document_type => "%[@metadata][type]"
The mapping is as follows:
"geoip":
"dynamic": "true",
"properties":
"ip":
"type": "ip"
,
"latitude":
"type": "half_float"
,
"location":
"type": "geo_point"
,
"longitude":
"type": "half_float"
,
Template:
"logstash":
"order": 0,
"version": 60001,
"index_patterns": [
"logstash-*"
],
"settings":
"index":
"refresh_interval": "5s"
,
"mappings":
"_default_":
"dynamic_templates": [
"message_field":
"path_match": "message",
"match_mapping_type": "string",
"mapping":
"type": "text",
"norms": false
,
"string_fields":
"match": "*",
"match_mapping_type": "string",
"mapping":
"type": "text",
"norms": false,
"fields":
"keyword":
"type": "keyword",
"ignore_above": 256
],
"properties":
"@timestamp":
"type": "date"
,
"@version":
"type": "keyword"
,
"geoip":
"dynamic": true,
"properties":
"ip":
"type": "ip"
,
"location":
"type": "geo_point"
,
"latitude":
"type": "half_float"
,
"longitude":
"type": "half_float"
,
"aliases":
My indexes come back with src or dst, but only the fields below:
# dst_geoip.latitude 26.097
# dst_geoip.location.lat 26.097
# dst_geoip.location.lon -80.181
elasticsearch logstash kibana
edited Nov 9 at 18:14
asked Nov 9 at 18:06
Luis
Forget the template. I noticed it wasn't being used, but once I added it to the config so that it is used, the index went from 140 fields to 47 fields, which is worse than before.
– Luis
Nov 9 at 18:32
Anyone? I am still not able to plot a location point.
– Luis
Nov 12 at 21:08