As nothing came on the "Tile Maps, all looking like:

I found out the mapping for the geo.location field was wrong (look here:

root@elkserver1:/etc/logstash/conf.d# curl http://localhost:9200/filebeat-2016.12.28/_mapping/apache/field/geoip.location?pretty
  "filebeat-2016.12.28" : {
    "mappings" : {
      "apache" : {
        "geoip.location" : {
          "full_name" : "geoip.location",
          "mapping" : {
            "location" : {
              "type" : "float"

This should (according to the article not be:

"mapping" : {"location" : {"type" : "float"}}



This is for sure because I use "filebeat" as index for apache logs, and not "logstash" as is default (if logstash ships directly to Elasticseach). The filebeat template in /etc/filebeat/filebeat.template.json has no geo/location mappings, and I am not sure its even used; as Elasticseach just creates the index upon getting data in..

In /etc/logstash/conf.d/10-beats-input.conf I do have:

geoip {
      source => "clientip"
      target => "geoip"
      database => "/etc/logstash/GeoLite2-City.mmdb"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
    mutate {
      convert => [ "[geoip][coordinates]", "float"]

but that seems to be "not enough" (sad) - possibly because I have no output template defined in /etc/logstash/conf.d/30-elasticsearch-output.conf we need to change this:

As a test, I changed the Logstash config, so the type=apache went into the Logstash index, and the Geomapping just worked...