使用logstash的geoip filter, 可以将访问的IP转换成经纬度, 这里需要注意的是,在地图上展示的字段类型必须是geo_point, 这样就需要将geoip filter解析的geoip.location字段类型指定成geo_point;
建立nginx日志的索引模版,将geoip.location的type指定称为geo_point
注意:当logstash将数据output到ES中会默认建立一个索引模版,可以通过
curl -XGET 'http://ip:ip_port/_template查看到, 这里已经将geo.localtion字段的type指定成了geo_point, 如果你索引名使用logstash-*就不需要自己在去指定索引模版了;
curl -XPUT 'http://ip:ip_port/_template/template_ngx' -d
'
{
"template": "ngx*",
"settings": {
"index": {
"refresh_interval": "5s",
"number_of_shards": "3",
"number_of_replicas": "1"
}
},
"mappings": {
"_default_": {
"dynamic_templates": [
{
"message_field": {
"path_match": "message",
"mapping": {
"norms": false,
"type": "text"
},
"match_mapping_type": "string"
}
},
{
"string_fields": {
"mapping": {
"norms": false,
"type": "text",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"match_mapping_type": "string",
"match": "*"
}
}
],
"_all": {
"norms": false,
"enabled": true
},
"properties": {
"@timestamp": {
"include_in_all": false,
"type": "date"
},
"geoip": {
"dynamic": true,
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
},
"@version": {
"include_in_all": false,
"type": "keyword"
}
}
}
},
"aliases": {}
}
'
使用grafana的worldmap展示的时候,需要注意的点:
- Metrics页面Group by使用ES中点geoip.location字段
WX20170728-115757.png
- Worldmap的Map Data Options也需要将Location Data指定为geohash
WX20170728-115824.png
网友评论