Open lucabusin opened 2 years ago
Do you have a ticket with the Managed AWS OpenSearch support yet? I think you should open one.
Hi, @dblock Sorry. No I haven't. I'll do that. So you are saying that what I've done looks ok from what you can see?
Am I wrong to read this as something specific to the Amazon Managed OpenSearch service? Can you reproduce the same problem in OpenSearch OSS?
I have a similar problem.
Opensearch 2.3.0 Logstash OSS 8.4.0 Ubuntu 20.04.5
filter:
geoip {
    database => "/opt/logstash/geoip/GeoLite2-City.mmdb"
    source => "visitor_ip"
    target => "geoip"
}
In discover, I see only geoip.geo.location.lon and geoip.geo.location.lat
At the same time, there is data in json:
    "geoip": {
        "geo": {
            "location": {
                "lon": 24.7323,
                "lat": 59.433
            },
            "country_name": "Estonia",
            "country_iso_code": "EE",
            "city_name": "Tallinn"
        },
        "ip": "XX.XX.XX.XX"
    }
},
The problem was solved by adding a parameter ecs_compatibility => "disabled"
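The mismatch discussed in this thread can be checked offline, as an added example that is not part of any post here and is not Logstash or OpenSearch code: it compares the paths a mapping declares as geo_point with the paths where an event actually carries a lat/lon object. The template mapping geoip.location and the legacy-layout event are assumptions constructed for the illustration; the ECS-layout event follows the JSON in the comment above.

```python
# Added example: the mapping and the legacy event are constructed, not from the thread.

def geo_point_paths(properties, prefix=""):
    """Return the dotted paths of every field mapped as geo_point."""
    paths = set()
    for name, spec in properties.items():
        path = prefix + name
        if spec.get("type") == "geo_point":
            paths.add(path)
        paths |= geo_point_paths(spec.get("properties", {}), path + ".")
    return paths


def lat_lon_objects(doc, prefix=""):
    """Return the dotted paths of objects in the event that hold lat and lon."""
    found = set()
    for key, value in doc.items():
        if isinstance(value, dict):
            path = prefix + key
            if {"lat", "lon"}.issubset(value):
                found.add(path)
            found |= lat_lon_objects(value, path + ".")
    return found


def unmapped_locations(mapping, doc):
    """Locations with no geo_point mapping: dynamic mapping stores lat/lon as numbers."""
    return sorted(lat_lon_objects(doc) - geo_point_paths(mapping["properties"]))


# Assumed template: maps only the legacy (non-ECS) path geoip.location.
TEMPLATE = {"properties": {"geoip": {"properties": {
    "location": {"type": "geo_point"}}}}}

# ECS layout, following the JSON posted in the comment above.
ECS_EVENT = {"geoip": {"geo": {"location": {"lon": 24.7323, "lat": 59.433},
                               "country_name": "Estonia"}, "ip": "XX.XX.XX.XX"}}

# Constructed legacy layout, the shape emitted with ecs_compatibility => "disabled".
LEGACY_EVENT = {"geoip": {"location": {"lon": 24.7323, "lat": 59.433},
                          "country_name": "Estonia", "ip": "XX.XX.XX.XX"}}

if __name__ == "__main__":
    print("ECS event, unmapped:", unmapped_locations(TEMPLATE, ECS_EVENT))
    print("legacy event, unmapped:", unmapped_locations(TEMPLATE, LEGACY_EVENT))
```

Running the same check against the real template and one sample event shows whether the fix belongs in the filter (ecs_compatibility) or in the template (mapping the ECS path as geo_point).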
Describe the bug
The geoip filter in logstash generates a geopoint.location field, among others, that should be recognised as geo_json field but is instead split into 2 separate fields, geopoint.location.lon and geopoint.location.lat as numbers. This prevents the location from being used in map visualisations.

To Reproduce
Steps to reproduce the behavior:
Add this to the logstash filter (in my case the ip address is nested inside log_message)
location is not recognised as a geo_point but instead I see 2 separate number fields geopoint.location.lon and geopoint.location.lat despite the template containing the following:

Expected behavior
geopoint.location should not be split into separate fields but recognised as geo_point type.

Host/Environment (please complete the following information):

Additional context
According to this page on AWS OpenSearch docs, ecs_compatibility must be set to disabled. This is relevant to the geoip filter and it's mentioned it causes the filter to generate different outputs. At this point I wonder if this is the culprit since I cannot try another installation of OpenSearch other than the one I have on AWS.

Here is my "full" logstash config if relevant: