Adding GeoIP pipeline to APM data

Scott_Chapman1 · May 1, 2023, 5:36pm

Hi, We're essentially on ES 8.7 and I've interested on adding Geo Location data to our APM data from our Java application.

I did see what I think is an old post that talked about it, but I suspect that a new mechanism was introduced with @custom processors?

What is the recommended mechanism for this? FWIW we're not using RUM.

Scott_Chapman1 · May 1, 2023, 8:08pm

OK, I actually made some progress myself. I created a pipeline called metrics-apm@custom and had it search for a custom label that I had to add for the user's public IP address. However, then I test the pipeline against a sample document I see a tag on the result of _geoip_database_unavailable_GeoLite2-City.mmdb.

I did the example test here and that all seemed to work just fine.

It looks to me like the processor config is exactly the same, but the sample works, but my custom one does not?

stephenb · May 1, 2023, 8:11pm

There is a little edge case where the DBs are lazy loaded the first time... check the APM data again.

Is it still saying the same thing?

Otherwise can you share your exact custom pipeline?

And a sample document

Scott_Chapman1 · May 1, 2023, 8:37pm

So here's my doc:

[
  {
    "_id": "Something",
    "_index": "whatever",
    "_source": {
      "labels": {
        "IP": "100.20.56.87"
      }
    }
  }
]

Processor:

[
  {
    "geoip": {
      "field": "labels.IP",
      "ignore_missing": true
    }
  }
]

Output looks like:

{
  "docs": [
    {
      "doc": {
        "_index": "whatever",
        "_id": "Something",
        "_version": "-3",
        "_source": {
          "labels": {
            "IP": "100.20.56.87"
          },
          "tags": [
            "_geoip_database_unavailable_GeoLite2-City.mmdb"
          ]
        },
        "_ingest": {
          "timestamp": "2023-05-01T20:34:45.576782612Z"
        }
      }
    }
  ]
}

So I did just notice that I get SOME results occasionally when I do the test with the above document. But maybe just 25%

stephenb · May 1, 2023, 8:47pm

What does "We're essentially on ES 8.7" mean

There was a change in some behavior...
What type of cluster are you running? Self Managed Node, Elastic Cloud etc? how many nodes?...

Perhaps the GeoIP db settings are not consistent on all the nodes, which can result in intermittent results.

Is that output from the pipeline simulate? How are you testing, hard to tell without the actual commands... or are you doing that in the Ingest Pipeline Tester in Kibana?

Try this from this post

Disable the geoip databases

PUT _cluster/settings
{
  "persistent": {
    "ingest.geoip.downloader.enabled" : false
  }
}

GET _cat/indices/.ge*?v

GET _ingest/geoip/stats

Wait about 2 mins then re-enable

PUT _cluster/settings
{
  "persistent": {
    "ingest.geoip.downloader.enabled" : true
  }
}

GET _cat/indices/.ge*?v

GET _ingest/geoip/stats

Also how are you directing these request... only ingest nodes have the geoip database so you if you direct the request to a data only node (not and ingest) it will fail.

Scott_Chapman1 · May 1, 2023, 9:01pm

Sorry, 8.6.2 (doesn't round up! ). Self-managed node.
I am running the test in Kibana.
The stats look good:

{
    "stats": {
        "successful_downloads": 3,
        "failed_downloads": 0,
        "total_download_time": 14420,
        "databases_count": 3,
        "skipped_updates": 0,
        "expired_databases": 0
    },
    "nodes": {
        "m1JBAEpIQASeJp4ktyEaFQ": {
            "databases": [
                {
                    "name": "GeoLite2-Country.mmdb"
                },
                {
                    "name": "GeoLite2-ASN.mmdb"
                },
                {
                    "name": "GeoLite2-City.mmdb"
                }
            ],
            "files_in_temp": [
                "GeoLite2-ASN.mmdb_elastic-geoip-database-service-agreement-LICENSE.txt",
                "GeoLite2-ASN.mmdb_LICENSE.txt",
                "GeoLite2-City.mmdb_LICENSE.txt",
                "GeoLite2-Country.mmdb_elastic-geoip-database-service-agreement-LICENSE.txt",
                "GeoLite2-ASN.mmdb",
                "GeoLite2-City.mmdb_COPYRIGHT.txt",
                "GeoLite2-City.mmdb",
                "GeoLite2-City.mmdb_elastic-geoip-database-service-agreement-LICENSE.txt",
                "GeoLite2-Country.mmdb_LICENSE.txt",
                "GeoLite2-ASN.mmdb_COPYRIGHT.txt",
                "GeoLite2-Country.mmdb",
                "GeoLite2-Country.mmdb_COPYRIGHT.txt",
                "GeoLite2-City.mmdb_README.txt"
            ]
        },
        "yYLvtvJ0Qgav4mzrU4e7sQ": {
            "databases": [
                {
                    "name": "GeoLite2-Country.mmdb"
                },
                {
                    "name": "GeoLite2-ASN.mmdb"
                },
                {
                    "name": "GeoLite2-City.mmdb"
                }
            ],
            "files_in_temp": [
                "GeoLite2-ASN.mmdb_elastic-geoip-database-service-agreement-LICENSE.txt",
                "GeoLite2-ASN.mmdb_LICENSE.txt",
                "GeoLite2-City.mmdb_LICENSE.txt",
                "GeoLite2-Country.mmdb_elastic-geoip-database-service-agreement-LICENSE.txt",
                "GeoLite2-ASN.mmdb",
                "GeoLite2-City.mmdb_COPYRIGHT.txt",
                "GeoLite2-City.mmdb",
                "GeoLite2-City.mmdb_elastic-geoip-database-service-agreement-LICENSE.txt",
                "GeoLite2-Country.mmdb_LICENSE.txt",
                "GeoLite2-ASN.mmdb_COPYRIGHT.txt",
                "GeoLite2-Country.mmdb",
                "GeoLite2-Country.mmdb_COPYRIGHT.txt",
                "GeoLite2-City.mmdb_README.txt"
            ]
        }
    }
}

stephenb · May 1, 2023, 9:12pm

2 Nodes? Exactly? are there more nodes?

"I am running the test in Kibana."

Multiple ways of running the tests ... are you running them in Dev Tools or the Ingest Pipeline Constructor?

Did you try my disable and enable settings the geoip settings above and test again?

Apologies when things are intermittent every detail counts ...

Scott_Chapman1 · May 1, 2023, 9:20pm

Exactly 2 ingestion nodes.
I am using the Test Pipeline in the pipeline editor in Kibana.
I did disable, and re-enable the setting.

stephenb · May 1, 2023, 9:28pm

So there are other nodes? Are There data only nodes?

Good ... And the tests now?..... are they still intermittent?

Personally, I would use Dev Tools for Testing using Pipeline Simulate

Is Kibana pointed to an Ingest Node?

Is the APM Server only pointed ONLY to the ingestion nodes?

I suspect it's possible you are directing requests to data only nodes ... I would think the coordinator part should re-direct but for some reason... I am not completely clear on that ... and don't have an easy way to test right now...

If the behavior is still inconsistent I would check that all the requests that need GeoIP are being directed to the ingest nodes.

Scott_Chapman1 · May 1, 2023, 9:41pm

Thanks. Maybe I should (for now) ignore my testing strategy.
I did create a VERY simple pipeline to add a new field to my APM App data named metrics-apm@custom. But I am not seeing the new field get added to that data.

Scott_Chapman1 · May 1, 2023, 9:43pm

I have 3 master nodes, 2 data-hot nodes, 2 ingest nodes, 1 APM server

stephenb · May 1, 2023, 9:44pm

Yup that is the very first thing I do whenever I integrate a new pipeline ... I use a set processor and add a field pipeline_run: true

stephenb · May 1, 2023, 9:52pm

If you are trying to add the geoip to the APM transactions that is not the correct data stream...

Think you want to look at the following

Data Stream : traces-apm-default

data_stream.dataset: apm
data_stream.namespace: default
data_stream.type: traces

The datastream you are looking at is for APM Metrics (which is aggregated data)
How familiar are you with Sample Rate etc...

Only Sampled Transactions will / should have IP details etc that can be geoip'd

This may help you understand it a bit more

github.com

elastic/kibana/blob/main/x-pack/plugins/apm/dev_docs/apm_queries.md

### Table of Contents

- [Transactions](#transactions)
- [Transactions in service inventory page](#transactions-in-service-inventory-page)
- [System metrics](#system-metrics)
- [Span breakdown metrics](#span-breakdown-metrics)
- [Service destination metrics](#service-destination-metrics)
- [Common filters](#common-filters)

---

### Data model

Elastic APM agents capture different types of information from within their instrumented applications. These are known as events, and can be spans, transactions, errors, or metrics. You can find more information [here](https://www.elastic.co/guide/en/apm/get-started/current/apm-data-model.html).

### Running examples

You can run the example queries on the [edge cluster](https://edge-oblt.elastic.dev/) or any another cluster that contains APM data.

# Transactions

This file has been truncated. show original

Scott_Chapman1 · May 2, 2023, 1:08am

Yea, my pipeline was for metrics-apm and I was looking at the documents in the data_stream.type: metrics and weren't seeing the additional field.

Scott_Chapman1 · May 2, 2023, 2:25pm

FWIW I did also add a simple pipeline for traces as well, also just appends a new field/value and I am not seeing any evidence that is getting leveraged either.

I am clearly missing something...

Scott_Chapman1 · May 2, 2023, 7:02pm

OK, I think I got it working. Not sure what the problem was, but restarting my nodes appeared to resync some data. Looks good now. Thanks!

system · May 23, 2023, 3:02pm

This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.