I've got a basic ELK stack set up, passing logs via syslog. I have used the inbuilt grok patterns to split logs into fields. The field mappings are auto-generated by the Logstash Elasticsearch plugin, and I am unable to customize them.
For instance, I create a new field named "dst_geoip" using the Logstash config file (see below):
    geoip {
      database => "/usr/local/share/geoip/geolitecity.dat"   ### change me: location of the GeoLiteCity.dat file
      source   => "dst_ip"                                     # field holding the destination IP
      target   => "dst_geoip"                                  # enrichment is written under this field, not the default "geoip"
      fields   => [ "ip", "country_code2", "country_name", "latitude", "longitude", "location" ]
      # both halves of the coordinate pair come from the dst_geoip target (the original referenced [geoip][longitude], which does not exist here)
      add_field => [ "coordinates", "%{[dst_geoip][latitude]},%{[dst_geoip][longitude]}" ]
      add_field => [ "dst_country", "%{[dst_geoip][country_code2]}" ]
      add_field => [ "flow_dir", "outbound" ]
    }
I want to assign the type "geo_point", but I cannot edit it in Kibana. Online documents mention manually updating the mapping on the respective index using the Elasticsearch APIs. Logstash generates many indices (one per day). If I update one index, will the mapping stay the same in future indices?
What you're looking for is a "template".
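To make the answer concrete: an index template is stored once in Elasticsearch and applied to every index whose name matches its pattern when that index is created, so tomorrow's logstash-* index gets the geo_point mapping without touching each one. Indices that already exist keep their old mapping (a field's type cannot be changed in place; those need reindexing). The script below is an added example, not code from the original post: it builds a template that types the custom target's `dst_geoip.location` and the derived `coordinates` field as geo_point, lists the geo_point paths so you can check what will apply, and PUTs it through the legacy `_template` API, which is what the Logstash/Elasticsearch versions of the post's era use (the `index_patterns`/typeless form for ES 7+ is included as an option). The host, port and template name are placeholders; the "lat,lon" string that the config's add_field produces is one of the accepted geo_point input formats.

```python
"""Index template that maps a custom geoip target as geo_point.

Added example, not from the original post. Assumes the Elasticsearch
legacy template API (PUT /_template/<name>); ES_URL and TEMPLATE_NAME
are placeholders to adjust for your cluster.
"""
import json
import urllib.request

ES_URL = "http://localhost:9200"          # placeholder, adjust to your cluster
TEMPLATE_NAME = "logstash-dst-geoip"      # hypothetical template name


def build_geoip_template(index_pattern="logstash-*", target="dst_geoip",
                         extra_geo_fields=("coordinates",), legacy=True):
    """Return an index template body that types <target>.location and any
    extra fields as geo_point.

    legacy=True  -> ES 1.x/2.x/5.x shape: "template" + "_default_" mapping.
    legacy=False -> ES 7+ shape: "index_patterns" + typeless "mappings".
    """
    properties = {
        target: {
            "properties": {
                # the geoip filter's "location" is already a [lon, lat] pair
                "location": {"type": "geo_point"},
            }
        }
    }
    for field in extra_geo_fields:
        # e.g. the "coordinates" field built with add_field as "lat,lon"
        properties[field] = {"type": "geo_point"}

    if legacy:
        return {
            "template": index_pattern,
            # higher order wins over the Logstash default template (order 0)
            "order": 1,
            "mappings": {"_default_": {"properties": properties}},
        }
    return {
        "index_patterns": [index_pattern],
        "order": 1,
        "mappings": {"properties": properties},
    }


def geo_point_paths(body):
    """Return the sorted dotted field paths typed geo_point in a template body,
    so you can confirm what the next daily index will receive."""
    mappings = body["mappings"]
    props = mappings.get("_default_", mappings).get("properties", {})
    found = []

    def walk(node, prefix):
        for name, spec in node.items():
            path = f"{prefix}{name}"
            if spec.get("type") == "geo_point":
                found.append(path)
            if "properties" in spec:
                walk(spec["properties"], path + ".")

    walk(props, "")
    return sorted(found)


def put_template(body, name=TEMPLATE_NAME, es_url=ES_URL):
    """PUT the template into the cluster and return the decoded JSON reply."""
    req = urllib.request.Request(
        f"{es_url}/_template/{name}",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    tpl = build_geoip_template()
    print(json.dumps(tpl, indent=2))
    print("geo_point fields:", geo_point_paths(tpl))
    # put_template(tpl)   # uncomment once a cluster is reachable at ES_URL
```

Run it once; from then on every newly created index matching logstash-* picks up the mapping. The same JSON can instead be handed to the Logstash elasticsearch output via its `template` option (with `template_overwrite => true`) so the template is re-applied whenever Logstash starts.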