That is not what I meant. You can simplify it a bit, as shown in the following simple example.
I created a small translation file named jsontranslate.yml:
    '10.22.33.*': '{"geoip": {"latitude": 43.701535, "longitude": 7.281819}}'
    '10.13.33.*': '{"geoip": {"latitude": 43.718560, "longitude": 7.265417}}'
This is used in the following simple config file, which assumes the message contains just the IP address:
    input { stdin {} }
    filter {
      translate {
        regex => true
        dictionary_path => "./jsontranslate.yml"
        field => "message"
      }
      json {
        source => "translation"
      }
    }
    output { stdout { codec => rubydebug } }
You should be able to expand on this to automatically populate the geoip information without having to do all the copying and mutating. It gives the following result when run:
    $ echo 10.22.33.44 | logstash -f ./jsontranslate.conf
    [2017-03-28T08:20:37,252][INFO ][logstash.pipeline ] Starting pipeline {"id"=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>500}
    [2017-03-28T08:20:37,260][INFO ][logstash.pipeline ] Pipeline main started
    [2017-03-28T08:20:37,308][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
    {
        "@timestamp" => 2017-03-28T07:20:37.253Z,
        "geoip" => {
            "latitude" => 43.701535,
            "longitude" => 7.281819
        },
        "@version" => "1",
        "translation" => "{\"geoip\": {\"latitude\": 43.701535, \"longitude\": 7.281819}}",
        "message" => "10.22.33.44",
        "tags" => []
    }
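As an added example (not part of the original post and not Logstash's own code), this Ruby sketch emulates the translate-then-json lookup on the post's dictionary and compares it with a stricter key set. It assumes the filter tries each dictionary key as an unanchored regular expression; `STRICT`, `enrich`, `report` and the sample addresses are constructed for illustration.

```ruby
require 'json'

# Dictionary from the post: keys are regexes, values are JSON strings.
LOOSE = {
  '10.22.33.*' => '{"geoip": {"latitude": 43.701535, "longitude": 7.281819}}',
  '10.13.33.*' => '{"geoip": {"latitude": 43.718560, "longitude": 7.265417}}'
}.freeze

# Added variant: same values, but dots escaped, pattern anchored,
# and the last octet limited to one to three digits.
STRICT = {
  '\A10\.22\.33\.\d{1,3}\z' => LOOSE['10.22.33.*'],
  '\A10\.13\.33\.\d{1,3}\z' => LOOSE['10.13.33.*']
}.freeze

# Emulates translate (first matching key wins, value stored in "translation")
# followed by json (parsed value merged into the event root).
def enrich(message, dictionary)
  event = { 'message' => message }
  key = dictionary.keys.detect { |k| message.match(Regexp.new(k)) }
  return event unless key

  event['translation'] = dictionary[key]
  begin
    event.merge!(JSON.parse(event['translation']))
  rescue JSON::ParserError
    # The json filter tags events it cannot parse instead of dropping them.
    (event['tags'] ||= []) << '_jsonparsefailure'
  end
  event
end

# Constructed sample inputs: one intended match per range, two near misses,
# and one unrelated address.
SAMPLES = ['10.22.33.44', '210.22.33.44', '10.22.330.7',
           '10.13.33.9', '192.168.1.1'].freeze

# Maps each sample to the latitude it was enriched with (nil if none).
def report(dictionary)
  SAMPLES.map { |ip| [ip, enrich(ip, dictionary).dig('geoip', 'latitude')] }.to_h
end

if __FILE__ == $PROGRAM_NAME
  puts "loose:  #{report(LOOSE)}"
  puts "strict: #{report(STRICT)}"
end
```

With the loose keys, `210.22.33.44` and `10.22.330.7` receive the coordinates meant for `10.22.33.x`; with the strict keys they are left without `geoip`.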