1. Change Logstash to add fields or grok out some fields. The new fields show up in the Kibana Discover table, marked with "!".

2. In Kibana, go to Management -> Index Patterns and click "Refresh field list". The "!" will disappear.

3. Logstash sets some fields to type "geo_point", but the Kibana Discover table still shows the field type as "TEXT". Try deleting the index.

GET _cat/indices?v
GET _cat/indices?v&s=index

GET filebeat-6.5.1-2018.12.06

DELETE filebeat-6.5.1-2018.12.06

After you DELETE the index (the real index), the index is rebuilt. The geo_point type can usually be seen then.

4. Once you are sure everything is OK, export index-pattern.json
https://sueboy.blogspot.com/2018/11/kibana-default-index-pattern.html

==========
Multiple geoip

logstash

 geoip {  
    source => "filebeatserverip"  
    target => "filebeatserveripgeoip"  
    add_field => [ "[filebeatserveripgeoip][coordinates]", "%{[filebeatserveripgeoip][longitude]}" ]  
    add_field => [ "[filebeatserveripgeoip][coordinates]", "%{[filebeatserveripgeoip][latitude]}" ]  
  }  
  
  mutate {  
    convert => ["[filebeatserveripgeoip][coordinates]", "float"]  
  }

filebeatserverip: the Filebeat server IP

/etc/filebeat.yml

  
- type: log  
  paths:  
    - /var/log/*.log  
  exclude_files: ['.gz$']  
  tags: ["xxx.xxx.xxx.xxx"]  
  fields:  
    filebeatserverip: "xxx.xxx.xxx.xxx"  
  fields_under_root: true  

Put the server IP in place of xxx.xxx.xxx.xxx; Logstash then gets the "filebeatserverip" field.

filebeatserveripgeoip: demos usually use geoip as the target. Some logs have src_ip, dest_ip, client_ip, etc.

template_filebeat (template_filebeat.json)

  
{  
  "index_patterns": ["filebeat*", "heartbeat*"],  
  "settings": {  
    "number_of_shards": 1  
  },  
  "mappings": {  
    "doc": {  
      "properties": {  
        "geoip.location": {  
          "type": "geo_point"  
        },  
        "geoip.coordinates": {  
          "type": "geo_point"  
        },  
        "filebeatserveripgeoip.coordinates": {  
          "type": "geo_point"  
        }  
      }  
    }  
  }  
    
}  

Send template_filebeat.json to Elasticsearch

curl -v -XPUT elasticsearch:9200/_template/template_filebeat -H 'Content-Type: application/json' -d @/usr/share/config/template_filebeat.json

Then

GET _cat/indices?v

GET filebeat-6.5.1-2018.12.06

DELETE filebeat-6.5.1-2018.12.06

GET _cat/indices?v

GET filebeat-6.5.1-2018.12.06

If the index is rebuilt, the field will be visible in the Kibana Discover table.
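
An added example (not from the original post): a Python check that reads the JSON returned by `GET <index>` and reports which of the fields declared in template_filebeat.json did not end up as geo_point after the index was rebuilt. The sample response is constructed, and the function names are assumptions for illustration.

```python
import json

# Constructed sample shaped like an Elasticsearch 6.x "GET <index>" response
# (mapping type "doc", as in template_filebeat.json). Not real output.
SAMPLE_RESPONSE = json.loads("""
{"filebeat-6.5.1-2018.12.06": {"mappings": {"doc": {"properties": {
  "geoip": {"properties": {
    "location": {"type": "geo_point"},
    "ip": {"type": "ip"}}},
  "filebeatserveripgeoip": {"properties": {
    "coordinates": {"type": "float"},
    "longitude": {"type": "float"},
    "latitude": {"type": "float"}}}
}}}}}
""")

# Fields the template declares as geo_point.
EXPECTED_GEO_POINTS = [
    "geoip.location",
    "geoip.coordinates",
    "filebeatserveripgeoip.coordinates",
]


def field_type(properties, dotted_name):
    """Walk nested "properties" objects along a dotted field name."""
    node = {"properties": properties}
    for part in dotted_name.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None  # field is not in the mapping (no document has it yet)
    return node.get("type", "object")


def geo_point_report(response, expected=EXPECTED_GEO_POINTS):
    """Return {index: {field: actual_type}} for fields that are not geo_point."""
    report = {}
    for index, body in response.items():
        for doc_type in body.get("mappings", {}).values():
            props = doc_type.get("properties", {})
            wrong = {f: field_type(props, f) for f in expected
                     if field_type(props, f) != "geo_point"}
            if wrong:
                report[index] = wrong
    return report


if __name__ == "__main__":
    print(geo_point_report(SAMPLE_RESPONSE))
```

A field reported as `float` means the index was created before the template was loaded, which is the case the DELETE step above fixes; `None` means no document with that field has been indexed yet.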