Pipeline Function Request - to_geopoint

It would be helpful, since we have GeoIP databases in Graylog, to be able to use the proper datatype for the results instead of [keyword].

https://www.elastic.co/guide/en/elasticsearch/reference/current/geo-point.html

Especially when interfacing with external systems like Grafana. This would be a nice, native way within Graylog to specify the appropriate datatype without mucking with template modifications on a per-index-set basis within Elasticsearch. I was honestly a bit shocked that I saw this…

Expected geo_point type on field [src_coordinates], but got [keyword]

I understand why Graylog isn’t storing it in that format from the lookup_value call natively, but currently there is no function to specify the appropriate type in the pipeline rules.

For reference:
https://github.com/Graylog2/graylog2-server/issues/4646

According to the second example at https://www.elastic.co/guide/en/elasticsearch/reference/5.6/geo-point.html, the whole thing should already work if you’re using a custom mapping for the respective fields, e.g. “src_coordinates” in your example.

From the Elasticsearch documentation:

PUT my_index
{
  "mappings": {
    "my_type": {
      "properties": {
        "location": {
          "type": "geo_point"
        }
      }
    }
  }
}

PUT my_index/my_type/2
{
  "text": "Geo-point as a string",
  "location": "41.12,-71.34" 
}

See http://docs.graylog.org/en/2.4/pages/configuration/elasticsearch.html#custom-index-mappings for details about custom index mappings in Graylog.

@jochen @lennart I explicitly stated above that this would be to avoid doing exactly that, modifying index templates, which again must be done on a per-index-set basis.

There’s no way around specifying the data types for your message fields (i.e. create an explicit index mapping).
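Added example, not part of the thread and not Graylog's own code: a Python sketch that generates one Elasticsearch 5.x index template per index-set prefix mapping the coordinate fields to geo_point, and pre-checks "lat,lon" strings, since a value that does not parse as a geo_point is rejected at index time once the mapping is explicit. The index prefixes and the template naming scheme are assumptions; the "message" mapping type and the "template" pattern key follow the Graylog 2.4 custom index mapping documentation linked above.

```python
import json


def build_geo_templates(index_prefixes, geo_fields):
    """Return {template_name: body}, one ES 5.x index template per index-set prefix."""
    properties = {field: {"type": "geo_point"} for field in geo_fields}
    templates = {}
    for prefix in index_prefixes:
        name = f"{prefix}-custom-geo"  # hypothetical template name
        templates[name] = {
            "template": f"{prefix}_*",  # matches every index of that index set
            "mappings": {"message": {"properties": properties}},
        }
    return templates


def is_geo_point_string(value):
    """True if value is a 'lat,lon' string within valid coordinate ranges."""
    if not isinstance(value, str):
        return False
    parts = value.split(",")
    if len(parts) != 2:
        return False
    try:
        lat, lon = float(parts[0]), float(parts[1])
    except ValueError:
        return False
    # NaN and infinity fail both range comparisons and are rejected here.
    return -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0


if __name__ == "__main__":
    # Constructed sample: two index-set prefixes, the field from the thread.
    templates = build_geo_templates(["graylog", "firewall"], ["src_coordinates"])
    for name, body in templates.items():
        print(f"PUT _template/{name}")
        print(json.dumps(body, indent=2))
    # Constructed lookup results, checked before they reach the index.
    for sample in ["41.12,-71.34", "141.12,-71.34", "unknown"]:
        print(sample, is_geo_point_string(sample))
```

An index template only affects indices created after it is installed, so the active write index of each index set has to be rotated before the field is stored as geo_point.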
