EExcel 丞燕快速查詢2


kibana geo_point How to Part 4

1. After changing Logstash to add fields or grok out some fields, the Kibana Discover table shows the new fields together with a "!" mark.

2. In Kibana, Management -> Index Patterns -> "Refresh field list" makes the "!" disappear.

3. If Logstash sets a field's type to "geo_point" but the Kibana Discover table still shows the field type as "TEXT", try deleting the index.

GET _cat/indices?v
GET _cat/indices?v&s=index

GET filebeat-6.5.1-2018.12.06

DELETE filebeat-6.5.1-2018.12.06

After the DELETE of the index (the real index), the index is rebuilt, and the geo_point type can usually be seen.


4. Once everything is confirmed OK, export index-pattern.json
https://sueboy.blogspot.com/2018/11/kibana-default-index-pattern.html

==========
Multiple geoip

logstash


  geoip {
    source => "filebeatserverip"
    target => "filebeatserveripgeoip"
    add_field => [ "[filebeatserveripgeoip][coordinates]", "%{[filebeatserveripgeoip][longitude]}" ]
    add_field => [ "[filebeatserveripgeoip][coordinates]", "%{[filebeatserveripgeoip][latitude]}" ]
  }

  mutate {
    convert => ["[filebeatserveripgeoip][coordinates]", "float"]
  }


filebeatserverip: the Filebeat server's IP

/etc/filebeat.yml


- type: log
  paths:
    - /var/log/*.log
  exclude_files: ['.gz$']
  tags: ["xxx.xxx.xxx.xxx"]
  fields:
    filebeatserverip: "xxx.xxx.xxx.xxx"
  fields_under_root: true

Replace xxx.xxx.xxx.xxx with the server's IP; Logstash then receives the "filebeatserverip" field.


filebeatserveripgeoip: demos usually call this target geoip. Some logs have src_ip, dest_ip, client_ip, etc.


template_filebeat (template_filebeat.json)


{
  "index_patterns": ["filebeat*", "heartbeat*"],
  "settings": {
    "number_of_shards": 1
  },
  "mappings": {
    "doc": {
      "properties": {
        "geoip.location": {
          "type": "geo_point"
        },
        "geoip.coordinates": {
          "type": "geo_point"
        },
        "filebeatserveripgeoip.coordinates": {
          "type": "geo_point"
        }
      }
    }
  }
  
}

Send template_filebeat.json to Elasticsearch

curl -v -XPUT elasticsearch:9200/_template/template_filebeat -H 'Content-Type: application/json' -d @/usr/share/config/template_filebeat.json

Then

GET _cat/indices?v

GET filebeat-6.5.1-2018.12.06

DELETE filebeat-6.5.1-2018.12.06

GET _cat/indices?v

GET filebeat-6.5.1-2018.12.06


Once the index is rebuilt, the geo_point fields can be seen in the Kibana Discover table.
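
An index template is only applied when an index is created, which is why the existing index has to be deleted and rebuilt. The following added example (not from the original post) compares the template's geo_point fields with the mapping returned by `GET <index>`, so you can see which fields still have the old type before deleting anything. The helper names and the sample `LIVE_INDEX` response are constructed for illustration and assume the 6.x mapping type "doc" used above.

```python
import json

# Mappings from the page's template_filebeat.json ("doc" is the 6.x mapping type).
TEMPLATE = json.loads("""{
  "index_patterns": ["filebeat*", "heartbeat*"],
  "mappings": {"doc": {"properties": {
    "geoip.location": {"type": "geo_point"},
    "geoip.coordinates": {"type": "geo_point"},
    "filebeatserveripgeoip.coordinates": {"type": "geo_point"}
  }}}
}""")

# Constructed sample of a `GET filebeat-6.5.1-2018.12.06` response for an index
# created before the template was installed (not real output from the page).
LIVE_INDEX = json.loads("""{
  "filebeat-6.5.1-2018.12.06": {"mappings": {"doc": {"properties": {
    "geoip": {"properties": {
      "location": {"type": "geo_point"},
      "coordinates": {"type": "float"}
    }},
    "filebeatserveripgeoip": {"properties": {
      "latitude": {"type": "float"}, "longitude": {"type": "float"}
    }}
  }}}}
}""")

def live_type(properties, dotted_path):
    """Walk nested "properties" objects along a dotted field path."""
    node = {"properties": properties}
    for part in dotted_path.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None  # field is not mapped in this index
    return node.get("type", "object")

def geo_point_mismatches(template, index_response, doc_type="doc"):
    """Return {index: {field: live type}} for template geo_point fields that differ."""
    wanted = [name for name, spec in
              template["mappings"][doc_type]["properties"].items()
              if spec.get("type") == "geo_point"]
    report = {}
    for index, body in index_response.items():
        props = body["mappings"].get(doc_type, {}).get("properties", {})
        bad = {f: live_type(props, f) for f in wanted
               if live_type(props, f) != "geo_point"}
        if bad:
            report[index] = bad
    return report

if __name__ == "__main__":
    print(json.dumps(geo_point_mismatches(TEMPLATE, LIVE_INDEX), indent=2))
```

An empty result means every geo_point field in the template already has that type in the index, so no delete is needed for the mapping.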