Hi Christian. I tried something simple. I use 2 yaml files: latitude.yml and longitude.yml
latitude.yml
10.22.33.*: "43.701535"
10.13.33.*: "43.718560"
10.23.33.*: "43.718560"
10.12.96.*: "43.678237"
longitude.yaml
10.22.33.*: "7.281819"
10.13.33.*: "7.265417"
10.23.33.*: "7.265417"
10.12.96.*: "7.228675"
and my filter conf:
filter {
  # Field references in conditionals are written without quotes
  if [event_data][IpAddress] =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/ {
    translate {
      dictionary_path => "/etc/logstash/mutate/nca-latitude.yml"
      field => "[event_data][IpAddress]"
      destination => "[geoip][latitude]"
      override => true
    }
    translate {
      dictionary_path => "/etc/logstash/mutate/nca-longitude.yml"
      field => "[event_data][IpAddress]"
      # Nested field syntax, matching the mutate block below
      destination => "[geoip][longitude]"
    }
    mutate {
      convert => { "[geoip][longitude]" => "float" }
      convert => { "[geoip][latitude]" => "float" }
    }
  }
}
I want to match the IP in my field "[event_data][IpAddress]" with one of my yaml files and add
"[geoip][longitude]" and "[geoip][latitude]".
I don't know if the star at the end of each ip is the right thing to do (* should be 0 to 255).
Thanks for help and advice
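
Added example, not part of the original post: a Ruby sketch of how a regex-style dictionary lookup treats the keys above, comparing the raw `10.22.33.*` form with an anchored, escaped form. It assumes each key is compiled as an unanchored regular expression and that the first matching key wins; `lookup`, `anchored_key` and the sample addresses are constructed for illustration.

```ruby
# Assumption: a regex-mode lookup compiles every dictionary key as a regular
# expression and tests it, unanchored, against the field value.

# Constructed dictionary: keys from the post, values as [latitude, longitude].
RAW = {
  '10.22.33.*' => [43.701535, 7.281819],
  '10.13.33.*' => [43.718560, 7.265417],
  '10.23.33.*' => [43.718560, 7.265417],
  '10.12.96.*' => [43.678237, 7.228675]
}.freeze

# One IPv4 octet, 0 to 255.
OCTET = '(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)'

# Turn "a.b.c.*" into an anchored pattern: literal dots, last octet 0-255.
def anchored_key(prefix)
  literal = Regexp.escape(prefix.sub(/\*\z/, ''))
  "\\A#{literal}#{OCTET}\\z"
end

ANCHORED = RAW.to_h { |k, v| [anchored_key(k), v] }.freeze

# First key whose pattern matches wins; nil when nothing matches.
def lookup(dictionary, ip)
  key = dictionary.keys.detect { |k| ip.match?(Regexp.new(k)) }
  key && dictionary[key]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values: one inside a listed range, three outside it.
  %w[10.22.33.17 110.22.33.17 10.22.334.1 10.22.33.999].each do |ip|
    raw = lookup(RAW, ip).inspect
    anchored = lookup(ANCHORED, ip).inspect
    puts format('%-14s raw=%-22s anchored=%s', ip, raw, anchored)
  end
end
```

With the raw keys, `.` matches any character and nothing pins the match to the start or end of the value, so addresses outside the intended ranges are still assigned coordinates; the anchored keys only match the four listed prefixes with a valid last octet.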