Issue with geo_point mapping upon log import into ElasticSearch #11
Comments
+1 faced the same
Just ran an even more accurate test to try and narrow this down. I created a brand new index using the existing Cloudflare pipeline and Cloudflare index template that I already submitted to Elastic. I also pulled a single JSON record from one of our edge logs that is getting dumped up to S3:
This created a new index called “cloudflare-2020-05-18”. When I queried the index, it returned a valid result with geo_point information:
So, everything on the Elastic side seems to be working. I’m suspecting more and more this is an issue with the Lambda function. It is using a deprecated bulk load method, so perhaps that is impacting this? Here is that warning: "WARNING ... [types removal] Specifying types in bulk requests is deprecated."
I have exactly the same issue. Any progress on this yet?
This problem seems to be fixed in https://github.com/cloudflare/cloudflare-elastic/releases/tag/v0.3-7.x in the file named
Yes, it fixed the geo_point mapping issue. I also had another similar issue with but I was able to add
Hi @adrwh. Just getting back to this. I checked the link you provided above (https://github.com/cloudflare/cloudflare-elastic/releases/tag/v0.3-7.x), but I don't see any files called "cloudflare-elastic-aws.zip". The zip I downloaded, cloudflare-elastic-0.3-7.x.zip, only seems to have the source Java and nothing pre-packaged in a ZIP file. Can you please double-check and make sure I'm looking in the correct place? Unless perhaps gradlew needs to be run to recompile the code? I tried this previously when trying to debug the Java for the Lambda function, but could not get this to run properly.
@adrwh Jackpot! After recompiling successfully with gradlew and uploading to AWS, it is working now! Thanks a lot for your help!
Hello. I'm attempting to leverage these Cloudflare Elastic integration config files and I'm running into an issue that is preventing the logs from being imported. Here is a detailed account of my issue:
I’m attempting to follow the instructions here:
https://developers.cloudflare.com/logs/analytics-integrations/elastic/
I’m not using the Elastic Cloud, but my own installation. I’ve got both ElasticSearch and Kibana set up and talking to each other, your ingest pipelines imported, the index template imported, the AWS Lambda function deployed, and logs flowing into S3. When the Lambda function is trying to send the logs into Elastic is where I’m encountering the issue.
I do see a ton of these errors in my “cluster.log” file on my Elastic EC2 server every time it seems to be trying to index logs:
[2020-05-20T12:06:31,803][INFO ][o.e.a.b.TransportShardBulkAction] [logs-node-1] [cloudflare-2020-05-18][0] mapping update rejected by primary
java.lang.IllegalArgumentException: mapper [source.geo.location] of different type, current_type [geo_point], merged_type [ObjectMapper]
Here is what I’m seeing in the AWS Cloudwatch logs from the Lambda function:
So, this seems to be having an issue with the “geo-point” data type.
Looking in your cloudflare-index-template.json file, I do see this:
And I can see this mapping in your “weekly” ingest pipeline:
Doing a quick bit of research, “geoip” seems to be available in Logstash:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-geoip.html
I did not install Logstash since I didn’t think it was needed for this implementation. Looks like “geoip” might be used to derive all of the other properties (timezone, city, etc) all from the “ClientIP” field in the logs. However, I do see that this is also available as a default Elastic ingest processor:
https://www.elastic.co/guide/en/elasticsearch/reference/7.7/geoip-processor.html
When I run a quick API call against Elastic to look for available plugins, I do see geoip referenced:
GET "###.##.###.##:9243/_nodes/plugins" | python -m json.tool | grep geo
So, it does seem that I have this installed, as far as I can tell. I did a real quick test to make sure geoip is working properly. I ran a couple of API commands to create a small pipeline with just the “geoip”:
I then created a small index using that pipeline with just a random IP:
I then fetched the contents of the index:
So, it seems that geoip is working. However, the error message is targeting the “location” field specifically. Here, it looks to be an object (lat and lon values). I have also performed a more accurate test:
Create pipeline (pulled from the Cloudflare file):
Create index template mapping (pulled from the Cloudflare file):
Create index (index pattern matching above and pipeline created above):
PUT /jmgindex-test/_doc/my_id?pipeline=jmggeoip
{"ClientIP":"8.8.8.8"}
Fetch the index:
GET /jmgindex-test/_doc/my_id
This call returns the following information:
So, as you can see, we are still getting latitude and longitude back. Now, let’s look at the field mapping:
Now, we are properly mapping to “geo_point”. However, while this example seems to be working, the ingest process I set up for Cloudflare is not working. So, there must be something about the setup process that is missing. Just to reiterate, here is the error I’m getting when your Lambda function tries to insert a log into ElasticSearch:
[2020-05-20T12:06:31,803][INFO ][o.e.a.b.TransportShardBulkAction] [logs-node-1] [cloudflare-2020-05-18][0] mapping update rejected by primary
java.lang.IllegalArgumentException: mapper [source.geo.location] of different type, current_type [geo_point], merged_type [ObjectMapper]
This is why I’m hitting a wall. Everything “seems” to be set up properly from the Elastic side and I think the above proves the geo_point mapping and geoip functionality is working fine.
If this is a bug, please let me know. Otherwise, I would appreciate some assistance in narrowing down this issue. Thanks.
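Added example (not part of the original issue or of the cloudflare-elastic project): a small Python triage script that pairs each "mapping update rejected by primary" line in an Elasticsearch cluster.log with the exception line that follows it and counts the conflicts per index and field. The function names are hypothetical; the sample input is the two log lines quoted in the post above.

```python
import re
from collections import Counter

# Sample input: the two cluster.log lines quoted in the issue above.
SAMPLE_LOG = """\
[2020-05-20T12:06:31,803][INFO ][o.e.a.b.TransportShardBulkAction] [logs-node-1] [cloudflare-2020-05-18][0] mapping update rejected by primary
java.lang.IllegalArgumentException: mapper [source.geo.location] of different type, current_type [geo_point], merged_type [ObjectMapper]
"""

# Header line: timestamp, level, logger, node, then [index][shard] and the message.
REJECTED = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[\w+\s*\]\[[^\]]+\]\s+\[(?P<node>[^\]]+)\]\s+"
    r"\[(?P<index>[^\]]+)\]\[(?P<shard>\d+)\] mapping update rejected by primary"
)
# Exception line: the field and the two mapper types that could not be merged.
CONFLICT = re.compile(
    r"mapper \[(?P<field>[^\]]+)\] of different type, "
    r"current_type \[(?P<current>[^\]]+)\], merged_type \[(?P<merged>[^\]]+)\]"
)
EMPTY = {"ts": None, "node": None, "index": None, "shard": None}


def find_mapping_conflicts(lines):
    """Return one record per mapper conflict, joined to its header line if present."""
    conflicts, pending = [], None
    for line in lines:
        header = REJECTED.match(line)
        if header:
            pending = header.groupdict()
        elif line.startswith("["):
            pending = None  # a different log entry started; drop the unmatched header
        else:
            detail = CONFLICT.search(line)
            if detail:
                # Without a header the index is unknown, but the field is still reported.
                conflicts.append({**(pending or EMPTY), **detail.groupdict()})
                pending = None
    return conflicts


def summarise(conflicts):
    """Count rejections per (index, field, current_type, merged_type)."""
    return Counter((c["index"], c["field"], c["current"], c["merged"]) for c in conflicts)


if __name__ == "__main__":
    for key, count in summarise(find_mapping_conflicts(SAMPLE_LOG.splitlines())).items():
        print(count, *key)
```
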