Unable to display world map on geolocation fields


#1

I have recently set up geolocation for IP addresses as per http://docs.graylog.org/en/2.2/pages/geolocation.html
I have a field called clientIp and the GeoIP Extractor is creating clientIp_city_name, clientIp_country_code and clientIp_geolocation fields. The contents of the geolocation field look correct to me (for example, 37.751,-97.822). When I attempt to view the world map, I get the error below in the Graylog server logs:

ERROR [MapDataResource] Map data query failed: Invalid geo data term for field "clientIp_geolocation": 118.244 (required: <lat>,<lng> - example: 1.23,3.11)

There is no clientIp_geolocation field that is just 118.244. When I search for 118.244 I get 34.0544,-118.244.

I am using Graylog 2.2.3

Any help that can be provided would be appreciated!!


(Jochen) #2

This does indeed look strange.

Please pick one of the messages which triggers this error message and use its ID and index (which you can find as “Stored in index” when clicking on a message on the search page) to find it in Elasticsearch and post it here.

Example with message ID “009ac440-9465-11e7-9ebd-06c919f0e5a9” and index “graylog_23”:

# curl 'http://elasticsearch.example.org:9200/graylog_23/message/009ac440-9465-11e7-9ebd-06c919f0e5a9?pretty'

#3

Here is a current example of a problematic geolocation field.
I’ve removed most of the contents of the event, but the geolocation information is as it was returned by Elasticsearch.

{
  "_index" : "graylog_77",
  "_type" : "message",
  "_id" : "6a5a9f71-94a8-11e7-a3f4-02afad5e36af",
  "_version" : 1,
  "found" : true,
  "_source" : {  
    "gl2_remote_ip" : "redacted",
    "gl2_remote_port" : 42774,
    "source" : "server1",
    "gl2_source_input" : "591a32931cfda8712c6aa1f9",
    "message" : "redacted",   
    "clientIp_geolocation" : "33.749,-84.388",
    "application_name" : "web",
    "thread_name" : "http-nio-8443-exec-23",
    "level" : "INFO",
    "gl2_source_node" : "db850f71-fe07-4715-b1b8-6582c8eb14c0",
    "timestamp" : "2017-09-08 15:14:31.000",
    "level" : 6,
    "service" : "web",
    "responseTime" : 94,
    "streams" : [ "58e6e6a11cfda8712c349edf" ],
    "clientIp" : "redacted",
    "message" : "{redacted}",
    "clientIp_country_code" : "US",
    "clientIp_city_name" : "N/A",
    "facility" : "user-level",
    "logger_name" : "com.filters.GlobalFilter"
  }
}

#4

Hi Jochen. Was the information I provided last week helpful in finding the cause of our map widget problem?


(Jochen) #5

As far as I see this should work.

Feel free to file a bug report at https://github.com/Graylog2/graylog-plugin-map-widget/ and include a recent example message, the index mapping (see Get Mapping), and the complete logs of your Graylog node.


#6

While creating a GitHub issue, I reproduced the error with the quick values widget open when I noticed that quick values was showing the latitude and longitude values as separate values. This made me check the analyzer settings for the field in Elasticsearch. It turns out we have an index template that causes this field to be mapped as a string with the standard analyzer. Creating a new extractor to put this into a namespace that does not apply to the index template resolved my issue.

Thank you for your support!
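
The check described in the post above, as an added example that is not part of the original thread or of Graylog's code: it scans an index mapping for geolocation fields mapped as analyzed strings and validates aggregated terms against the `<lat>,<lng>` form named in the error. It assumes the Elasticsearch 2.x mapping layout; the sample mapping and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample of a `GET /graylog_77/_mapping` response (Elasticsearch 2.x
# layout); the field settings are assumptions modelled on the thread.
SAMPLE_MAPPING = json.loads("""
{"graylog_77": {"mappings": {"message": {"properties": {
  "clientIp_geolocation": {"type": "string", "analyzer": "standard"},
  "clientIp_country_code": {"type": "string", "index": "not_analyzed"},
  "responseTime": {"type": "long"}
}}}}}
""")

LAT_LNG = re.compile(r"^-?\d+(\.\d+)?,-?\d+(\.\d+)?$")


def is_analyzed(field_mapping):
    """True when an ES 2.x string field is tokenized at index time."""
    if field_mapping.get("type") != "string":
        return False
    # In ES 2.x, string fields are analyzed unless index is not_analyzed or no.
    return field_mapping.get("index", "analyzed") == "analyzed"


def analyzed_geo_fields(mapping_response, suffix="_geolocation"):
    """Return sorted (index, type, field) triples mapped as analyzed strings."""
    hits = []
    for index, body in mapping_response.items():
        for doc_type, type_mapping in body.get("mappings", {}).items():
            for field, spec in type_mapping.get("properties", {}).items():
                if field.endswith(suffix) and is_analyzed(spec):
                    hits.append((index, doc_type, field))
    return sorted(hits)


def invalid_terms(terms):
    """Return aggregated terms that are not a valid <lat>,<lng> pair."""
    bad = []
    for term in terms:
        if not LAT_LNG.match(term):
            bad.append(term)
            continue
        lat, lng = (float(part) for part in term.split(","))
        if not (-90 <= lat <= 90 and -180 <= lng <= 180):
            bad.append(term)
    return bad


if __name__ == "__main__":
    print(analyzed_geo_fields(SAMPLE_MAPPING))
    # Constructed terms: the stored value from the thread and the error's fragment.
    print(invalid_terms(["33.749,-84.388", "118.244"]))
```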


(Jochen) #7

Glad you could find the cause of the error.

It would be great if you could open a bug report at https://github.com/graylog2/graylog-plugin-map-widget/issues with your findings.

