Can we create two GeoIP Filters in one logstash config file?

Cody_Betsworth · July 15, 2016, 3:39pm

geoip {
source => "srcip"
database => "/etc/logstash/geo/custom_geoip.dat"
target => "src_geoip"
add_field => [ "[src_geoip][coordinates]", "%{[src_geoip][longitude]}" ]
add_field => [ "[src_geoip][coordinates]", "%{[src_geoip][latitude]}" ]
}
mutate {
convert => [ "[src_geoip][coordinates]", "float"]
}
geoip {
source => "dstip"
database => "/etc/logstash/geo/custom_geoip.dat"
target => "dst_geoip"
add_field => [ "[dst_geoip][coordinates]", "%{[dst_geoip][longitude]}" ]
add_field => [ "[dst_geoip][coordinates]", "%{[dst_geoip][latitude]}" ]
}
mutate {
convert => [ "[dst_geoip][coordinates]", "float"]
}

Tried to split them this way again. I had to do this also with previous versions of elasticsearch. Still receive the same result. Here is the geoip configuration with the changes. src_geoip coordinates and dst_geoip coordinates still show up as a number are not defined as geopoint on the mapping.

output {
elasticsearch {
hosts => "10.x.x.x"
index => "logstash-fortinet-%{+YYYY.MM.dd}"
template_name => "fortinet*"
template => "/etc/logstash/templates/elasticsearch-fortinet.json"
manage_template => "true"
template_overwrite => "true"
}
}

Template mapping

{
"template" : "fortinet*",
"settings" : {
"index.refresh_interval" : "5s"
},
"mappings" : {
"default" : {
"_all" : {"enabled" : true, "omit_norms" : true},
"dynamic_templates" : [ {
"message_field" : {
"match" : "message",
"match_mapping_type" : "string",
"mapping" : {
"type" : "string", "index" : "analyzed", "omit_norms" : true,
"fielddata" : { "format" : "disabled" }
}
}
}, {
"string_fields" : {
"match" : "*",
"match_mapping_type" : "string",
"mapping" : {
"type" : "string", "index" : "analyzed", "omit_norms" : true,
"fielddata" : { "format" : "disabled" },
"fields" : {
"raw" : {"type": "string", "index" : "not_analyzed", "ignore_above" : 256}
}
}
}
} ],
"properties" : {
"@timestamp": { "type": "date" },
"@version": { "type": "string", "index": "not_analyzed" },
"geoip" : {
"dynamic": true,
"properties" : {
"ip": { "type": "ip" },
"location" : { "type" : "geo_point" },
"latitude" : { "type" : "float" },
"longitude" : { "type" : "float" }
}
},
"dst_geoip" : {"type" : "object","dynamic": true,"properties" : {"location" : { "type" : "geo_point" }}},
"src_geoip" : {"type" : "object","dynamic": true,"properties" : {"location" : { "type" : "geo_point" }}}
}
}
}
}

Topic		Replies	Views
Can't get geoip working Logstash	10	533	August 5, 2020
Geoip is not generate .location Logstash	23	5301	August 1, 2017
Problems with geoip configuration Logstash	36	17938	July 6, 2017
Transforming logs into geo_point to draw them in kibana Elasticsearch	11	1153	March 28, 2023
GeoIP Fields != desired geo_point type Logstash	4	983	March 21, 2017

Can we create two GeoIP Filters in one logstash config file?

Related topics