Adding GeoIP using logstash

Hi,

I am trying to add GeoIP details to my data. I only want the longitude and latitude values.

I have the below filter config.

    filter {
      if [label] == "edge" {
        geoip {
          source => "ip_src"
          target => "sg"
          database => "/opt/logstash/GeoLiteCity.dat"
          fields => ["latitude", "longitude"]
        }
        geoip {
          source => "ip_dst"
          target => "dg"
          database => "/opt/logstash/GeoLiteCity.dat"
          fields => ["latitude", "longitude"]
        }
        mutate {
          remove_field => [ "[sg][country_code2]", "[sg][country_name]", "[dg][country_code2]", "[dg][country_name]"]
          convert => [ "[sg][latitude]", "float"]
          convert => [ "[sg][longitude]", "float"]
          convert => [ "[dg][latitude]", "float"]
          convert => [ "[dg][longitude]", "float"]
        }
      }
    }

Logstash throws an error saying [geoip] has unsupported parameters:

Below are the Logstash logs.

"type"=>"nf", "sg"=>{"latitude"=>43.783199999999994, "longitude"=>-111.7656}, "dg"=>{"latitude"=>37.44040000000001, "longitude"=>-121.87049999999999}}, "ip_dst"], "dg"=>[{"ip_src"=>"205.185.99.106", "port_dst"=>80, "tos"=>0, "tag"=>0, "label"=>"edge", "peer_ip_src"=>"10.0.12.252", "as_dst"=>0, "as_src"=>209, "iface_in"=>57, "iface_out"=>29, "stamp_inserted"=>"2016-07-15 13:06:00", "ip_dst"=>"199.59.225.179", "tcp_flags"=>"26", "bytes"=>1297, "port_src"=>1565, "ip_proto"=>"tcp", "stamp_updated"=>"2016-07-15 13:09:01", "packets"=>4, "@version"=>"1", "@timestamp"=>"2016-07-15T13:09:01.391Z", "type"=>"nf", "sg"=>{"latitude"=>43.783199999999994, "longitude"=>-111.7656}, "dg"=>{"latitude"=>37.44040000000001, "longitude"=>-121.87049999999999}}, "dg"], "[dg][latitude]"=>[{"latitude"=>37.44040000000001, "longitude"=>-121.87049999999999}, "latitude"], "[dg][longitude]"=>[{"latitude"=>37.44040000000001, "longitude"=>-121.87049999999999}, "longitude"], "[sg][country_code2]"=>[{"latitude"=>43.783199999999994, "longitude"=>-111.7656}, "country_code2"], "[sg][country_name]"=>[{"latitude"=>43.783199999999994, "longitude"=>-111.7656}, "country_name"], "[dg][country_code2]"=>[{"latitude"=>37.44040000000001, "longitude"=>-121.87049999999999}, "country_code2"], "[dg][country_name]"=>[{"latitude"=>37.44040000000001, "longitude"=>-121.87049999999999}, "country_name"]}>>], :response=>{"index"=>{"_index"=>"logs_2016_07_15", "_type"=>"nf", "_id"=>nil, "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"Failed to parse mapping [default]: Mapping definition for [geoip] has unsupported parameters: [path : full]", "caused_by"=>{"type"=>"mapper_parsing_exception", "reason"=>"Mapping definition for [geoip] has unsupported parameters: [path : full]"}}}}, :level=>:warn}

Can anyone help me on this...

Either upgrade your Logstash or start using an index template that doesn't include "path: full" for the geoip field. See https://github.com/logstash-plugins/logstash-output-elasticsearch/commit/3b8920864ed09793a79bdb54ae1856d948a3a20c.

Thanks, Magnus. Removing the "path:full" option fixed the issue.
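
The fix discussed in this thread, as an added example that is not part of the original posts and is not Logstash or Elasticsearch code: a Python helper that strips the "path" mapping parameter from an index template before it is uploaded again. The template is a constructed sample and the function names are hypothetical; note that a field merely named "path" must be left alone.

```python
import copy
import json

# Constructed sample: a legacy-style index template whose geoip object
# field still carries the "path" parameter named in the error above.
SAMPLE_TEMPLATE = json.loads("""
{"template": "logs_*",
 "mappings": {"_default_": {"properties": {
   "path":  {"type": "string"},
   "geoip": {"type": "object", "dynamic": true, "path": "full",
             "properties": {"location": {"type": "geo_point"}}}
 }}}}
""")


def _clean_properties(props, prefix, removed):
    """Walk a "properties" dict and drop "path" from each field definition."""
    for name, field in props.items():
        if not isinstance(field, dict):
            continue
        here = f"{prefix}.{name}"
        # A string-valued "path" inside a field definition is the mapping
        # parameter; a field that is only *named* "path" is a key of props
        # (its value is a dict) and is never touched.
        if isinstance(field.get("path"), str):
            removed.append((here, field.pop("path")))
        if isinstance(field.get("properties"), dict):
            _clean_properties(field["properties"], here, removed)


def strip_path_param(template):
    """Return (cleaned copy, [(field location, removed value), ...])."""
    cleaned = copy.deepcopy(template)
    removed = []
    for type_name, mapping in cleaned.get("mappings", {}).items():
        _clean_properties(mapping.get("properties", {}), type_name, removed)
    return cleaned, removed


if __name__ == "__main__":
    cleaned, removed = strip_path_param(SAMPLE_TEMPLATE)
    print("removed:", removed)
    print(json.dumps(cleaned, indent=2))
```

The list of removed locations doubles as a check: an empty list means the template was already free of the parameter and the rejection has another cause.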