As nothing came on the "Tile Maps", all looking like:
I found out the mapping for the geo.location field was wrong (look here: http://stackoverflow.com/questions/29661372/tile-map-geo-location-field-not-present-under-geohash-aggregation-in-kibana-4-0)
root@elkserver1:/etc/logstash/conf.d# curl http://localhost:9200/filebeat-2016.12.28/_mapping/apache/field/geoip.location?pretty
{
  "filebeat-2016.12.28" : {
    "mappings" : {
      "apache" : {
        "geoip.location" : {
          "full_name" : "geoip.location",
          "mapping" : {
            "location" : {
              "type" : "float"
            }
          }
        }
      }
    }
  }
}
root@elkserver1:/etc/logstash/conf.d#
This should (according to the article) not be:
"mapping" : {"location" : {"type" : "float"}}
but
"mapping":{"location":{"type":"geo_point"}}
This is for sure because I use "filebeat" as index for apache logs, and not "logstash" as is default (if logstash ships directly to Elasticsearch). The filebeat template in /etc/filebeat/filebeat.template.json has no geo/location mappings, and I am not sure it's even used, as Elasticsearch just creates the index upon getting data in. In /etc/logstash/conf.d/10-beats-input.conf I do have:
but that seems to be "not enough" - possibly because I have no output template defined in /etc/logstash/conf.d/30-elasticsearch-output.conf
...so we need to change this:
TBD... http://www.pipebug.com/elasticsearch-logstash-kibana-4-mapping-4.html
As a test, I changed the Logstash config, so the type=apache went into the Logstash index, and the Geomapping just worked...
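
The mapping check above and the kind of template the filebeat index is missing, as an added example that is not part of the original post. The function names are hypothetical, the sample response is the one shown above, and the template body assumes the Elasticsearch 2.x/5.x template layout (`template` pattern plus a `_default_` mapping):

```python
import json

# Constructed sample: the get-field-mapping response shown above on this page.
SAMPLE_RESPONSE = json.loads("""
{ "filebeat-2016.12.28" : { "mappings" : { "apache" : { "geoip.location" : {
    "full_name" : "geoip.location",
    "mapping" : { "location" : { "type" : "float" } } } } } } }
""")


def wrong_geo_mappings(response, field="geoip.location"):
    """Return (index, doc_type, actual_type) for every mapping of `field`
    that is not geo_point, given a get-field-mapping response."""
    leaf = field.rsplit(".", 1)[-1]  # last path element, e.g. "location"
    problems = []
    for index, body in sorted(response.items()):
        for doc_type, fields in sorted(body.get("mappings", {}).items()):
            entry = fields.get(field)
            if entry is None:
                continue  # field is not mapped for this document type
            actual = entry.get("mapping", {}).get(leaf, {}).get("type")
            if actual != "geo_point":
                problems.append((index, doc_type, actual))
    return problems


def geoip_template(index_pattern="filebeat-*"):
    """Index template body (assumed 2.x/5.x layout) that maps geoip.location
    as geo_point in every newly created index matching the pattern."""
    return {
        "template": index_pattern,
        "mappings": {
            "_default_": {
                "properties": {
                    "geoip": {
                        "properties": {"location": {"type": "geo_point"}}
                    }
                }
            }
        },
    }


if __name__ == "__main__":
    for index, doc_type, actual in wrong_geo_mappings(SAMPLE_RESPONSE):
        print(f"{index}/{doc_type}: geoip.location is {actual!r}, want 'geo_point'")
    # Body to PUT to /_template/<name>; "filebeat_geoip" would be a hypothetical name.
    print(json.dumps(geoip_template(), indent=2))
```

A template only applies to indices created after it is installed, so the existing filebeat-2016.12.28 index keeps its float mapping until it is reindexed or the next daily index is created.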