弹性搜索GeoIp位置不是geo_point类型

时间:2017-11-03 13:02:49

标签: elasticsearch logstash geoip

我正在使用基于解决方案的Docker Compose运行ElasticSearch,Logstash和Kibana:https://github.com/deviantony/docker-elk

我正在按照本教程尝试在处理我的网络日志时添加地理信息:https://www.elastic.co/blog/geoip-in-the-elastic-stack

在logstash中,我正在处理来自FileBeat的文件,并且我已将geoip添加到我的过滤器中:

filter {
    ...

    geoip {
      source => "client_ip"
    }
}

当我查看Kibana中的文档时,它们确实包含其他信息,例如geoip.country_namegeoip.city_name等,但我希望我的索引中geoip.location字段的类型为geo_point

以下是一些地理位置字段的映射示例: Kibana index field types

而不是geo_point我看到location.latlocation.lon。为什么我的位置不属于geo_point类型?我需要某种映射等吗?

ElasticSearch启动时会加载ingest-commoningest-geoipingest-user-agentx-pack。我已经刷新了我在Kibana的索引的字段列表。

EDIT1:

根据@Val的回答我试图改变索引的映射:

PUT iis-log-*/_mapping/log
{
  "properties": {
    "geoip": {
      "dynamic": true,
      "properties": {
        "ip": {
          "type": "ip"
        },
        "location": {
          "type": "geo_point"
        },
        "latitude": {
          "type": "half_float"
        },
        "longitude": {
          "type": "half_float"
        }
      }
    }
  }
}

但是这给了我这个错误:

{
  "error": {
    "root_cause": [
      {
        "type": "illegal_argument_exception",
        "reason": "mapper [geoip.ip] of different type, current_type [text], merged_type [ip]"
      }
    ],
    "type": "illegal_argument_exception",
    "reason": "mapper [geoip.ip] of different type, current_type [text], merged_type [ip]"
  },
  "status": 400
}

1 个答案:

答案 0 :(得分:1)

在您提到的article中,他们确实解释说您需要在"映射,地图和#34;中为geo_point字段设置特定的映射。部分。

如果您使用默认索引名称(即logstash-*)和默认映射类型(即log),则Logstash会为您完成映射。但如果没有,您需要自己安装:

PUT your_index
{
  "mappings" : {
    "_default_" : {
      "_all" : {"enabled" : true, "norms" : false},
      "dynamic_templates" : [ {
        "message_field" : {
          "path_match" : "message",
          "match_mapping_type" : "string",
          "mapping" : {
            "type" : "text",
            "norms" : false
          }
        }
      }, {
        "string_fields" : {
          "match" : "*",
          "match_mapping_type" : "string",
          "mapping" : {
            "type" : "text", "norms" : false,
            "fields" : {
              "keyword" : { "type": "keyword", "ignore_above": 256 }
            }
          }
        }
      } ],
      "properties" : {
        "@timestamp": { "type": "date", "include_in_all": false },
        "@version": { "type": "keyword", "include_in_all": false },
        "geoip"  : {
          "dynamic": true,
          "properties" : {
            "ip": { "type": "ip" },
            "location" : { "type" : "geo_point" },
            "latitude" : { "type" : "half_float" },
            "longitude" : { "type" : "half_float" }
          }
        }
      }
    }
  }
}

在上面的映射中,您会看到geoip.location字段被视为geo_point

相关问题
最新问题