[Failed again!!] kibana geo_point How to
Fxxx Kibana ELK. Now trying to do it again, but can't get geo_point….
Reindex is no use.
No use:
POST /_refresh
POST /_flush/synced
POST /_cache/clear
Only doing this makes it apply.
Waste of time. Fxxx system.
Very bad documentation, very bad changes between versions… Everything is BAD for ELK Kibana.
1、You keep seeing "PUT", "GET" or "DELETE" commands. Where do you use them?
https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-get.html
Use them in Kibana.
The other question is curl.
2、Follow the 6.5 documentation, not an old version.
You may find many documents on the Internet; check which version they cover first.
3、Before working on geo_point
Keep these commands at hand (or search the Internet to learn what they mean):
GET _cat/
GET _cat/indices?v
GET _cat/indices?v&s=index
GET /_settings
GET filebeat*
GET /_template
PUT _template/template_filebeat
POST _reindex
=================Begin================
First, you must already have a default index.
If you want to set it automatically, see http://sueboy.blogspot.com/2018/11/kibana-default-index-pattern.html
Second, the shell script:
#!/bin/bash
# Add the Alpine edge repositories (tagged @edge), then install curl
echo '@edge http://dl-cdn.alpinelinux.org/alpine/edge/main' >> /etc/apk/repositories
echo '@edge http://dl-cdn.alpinelinux.org/alpine/edge/community' >> /etc/apk/repositories
echo '@edge http://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/repositories
apk --no-cache upgrade
apk --no-cache add curl
echo "=====Elk config ========"
# Wait until Elasticsearch accepts connections on port 9200
until echo | nc -z -v elasticsearch 9200; do
    echo "Waiting Elk Kibana to start..."
    sleep 2
done
# Upload the index template and retry while the HTTP status is 400.
# The status is read with -w '%{http_code}' instead of cutting the JSON body,
# because an Elasticsearch reply does not start with a status code field.
code="400"
until [ "$code" != "400" ]; do
    echo "=====Elk importing mappings json ======="
    code=$(curl -s -o /dev/null -w '%{http_code}' -XPUT "http://elasticsearch:9200/_template/template_filebeat" -H 'Content-Type: application/json' -d @/usr/share/elkconfig/config/template_filebeat.json)
    sleep 2
done
# Reload (reindex) the existing indices for geo_point
echo "=====Get kibana index lists ======="
indexlists=()
# Poll until at least one filebeat- index exists
while [ ${#indexlists[@]} -eq 0 ]
do
    sleep 2
    indexlists=($(curl -s "http://elasticsearch:9200/_aliases?pretty=true" | awk -F\" '!/aliases/ && $2 != "" {print $2}' | grep filebeat-))
done
# Copy every index into <name>-reindex so the new template mapping is applied
for i in "${indexlists[@]}"
do
    echo "=====reindex filebeat for geo_point ======="
    curl -v -XPOST "http://elasticsearch:9200/_reindex" -H 'Content-Type: application/json' -d '{ "source": { "index": "'"$i"'" }, "dest": { "index": "'"$i"'-reindex" } }'
done
#curl -XDELETE "http://elasticsearch:9200/filebeat-*"
#curl -XPUT "http://elasticsearch:9200/filebeat"
# Keep the container running
tail -f /dev/null
* template_filebeat.json comes from your existing index. Run
GET _cat/indices?v
and you will see an index with a name like filebeat-6.4.2-2018.11.19. Get it:
GET filebeat-6.4.2-2018.11.19
Then use your own mappings to replace the mappings here:
{
  "index_patterns": ["filebeat*"],
  "settings": {
    "number_of_shards": 1
  },
  "mappings": {
    "doc": {
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        ...
}
Replace only the mappings. The official website has an example:
https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-templates.html
Then change the type of coordinates from float to geo_point:
"coordinates": {
  "type": "float" => "geo_point"
},
Save the file as template_filebeat.json.
Usually a recent docker ELK Logstash already has geoip, with add_field as in the picture and mutate adding some items. Here the type is changed with a template.
Back in the shell script, go to =====Get kibana index lists=====
This step gets the list of indices in use now; the list is used later.
Then reindex.
Why do this? Because reindexing rebuilds geo_point. In the index that already exists, the type of coordinates is float.
If you try to change the type, you usually get an error. It may report success, but that success is fake.
So the only way is to reindex and let it do the work.
https://medium.com/@sami.jan/fundamentals-of-elasticsearch-cbb273160f60
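The template and reindex steps above as a Python sketch (an added example, not part of the original post): it wraps the reply of GET <index> in a template with only geoip.coordinates changed to geo_point, and field_type lets you check the mapping of the reindexed copy rather than trusting a reported success. The sample reply is constructed; the function names and the skip of names already ending in -reindex are assumptions of this example.

```python
import copy
import json

# Constructed, heavily trimmed sample of what `GET filebeat-6.4.2-2018.11.19` returns.
SAMPLE_INDEX = {"filebeat-6.4.2-2018.11.19": {"mappings": {"doc": {"properties": {
    "@timestamp": {"type": "date"},
    "geoip": {"properties": {"coordinates": {"type": "float"},
                             "ip": {"type": "ip"}}},
}}}}}


def _walk(mappings, dotted):
    """Follow 'geoip.coordinates' through the single 6.x mapping type ("doc")."""
    (node,) = mappings.values()
    for part in dotted.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node


def field_type(index_response, dotted="geoip.coordinates"):
    """Mapped type of a field in a `GET <index>` or `GET <index>/_mapping` reply."""
    (body,) = index_response.values()
    node = _walk(body["mappings"], dotted)
    return node.get("type") if node else None


def build_template(index_response, dotted="geoip.coordinates", pattern="filebeat*"):
    """Wrap the index's own mappings in a template, changing only the one type."""
    (body,) = index_response.values()
    mappings = copy.deepcopy(body["mappings"])
    node = _walk(mappings, dotted)
    if node is None:
        raise KeyError(dotted + " is not mapped in the source index")
    node["type"] = "geo_point"
    return {"index_patterns": [pattern],
            "settings": {"number_of_shards": 1},
            "mappings": mappings}


def reindex_bodies(names, suffix="-reindex"):
    """One _reindex request body per index, skipping copies made by an earlier run."""
    return [{"source": {"index": n}, "dest": {"index": n + suffix}}
            for n in names if not n.endswith(suffix)]


if __name__ == "__main__":
    print(json.dumps(build_template(SAMPLE_INDEX), indent=2))
    print(json.dumps(reindex_bodies(["filebeat-6.4.2-2018.11.19"])))
```

Save the printed template as template_filebeat.json; after the reindex, field_type on the reply of GET <name>-reindex should return geo_point.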
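I think people use docker ELK (Logstash, Kibana) because they want to get started quickly. The configuration has to stay at the defaults. You can only change the configuration that the docker image offers. So when the docker image does not offer it and you don't change the docker image, you can only use the API. But the API cannot do everything the same way the configuration can.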
All steps
1、ELK: put the template for geo_point
"coordinates": {
  "type": "geo_point"
},
2、Get the indices already in use
3、Reindex a -> a_reindex
4、Visualize -> create a visualization -> Coordinate Map -> choose Filter "filebeat-*" (your name may be different; it is the default index)
-> Buckets -> Geo Coordinates -> Aggregation -> Geohash -> Field -> Geoip.coordinates (geo_point) -> RUN
Now you can see the map, 100%.