Example geoip config that works LS/ES 5.1

paka · January 12, 2017, 3:02pm

Hello,

please does geoip work for someone in LS and ES 5.1, is there an example of configuration that works ?

I'm fighting with it whole day, trying all various things found in many issues also others apparently have with that, but nothing helps...

My last attempt is a minimalistic one - in logstash filter I have just:

geoip {
source => "[attrs][source]"
target => "geoip"
}

and in mapping template:

"geoip" : {
"type" : "object",
"dynamic": true,
"properties" : {
"ip": { "type": "ip" },
"location" : { "type" : "geo_point" },
"latitude" : { "type" : "float" },
"longitude" : { "type" : "float" }
}
}

but still I get error:
"error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse", "caused_by"=>{"type"=>"parse_exception", "reason"=>"geo_point expected"}

Thanks in advance for your help,
Pavel

Troy_C · January 12, 2017, 3:05pm

Something like this works for me

geoip {
    source => "dst_ip"
    target => "geoip"
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
    convert => [ "[geoip][coordinates]", "float"]
}

paka · January 12, 2017, 3:35pm

Thanks - I tried that, but got the same error as previously.

I tried also adding the following to the mapping:
"location" : { "type" : "geo_point", "ignore_malformed": true }
but the error is still the same, strange.

paka · January 13, 2017, 9:39am

Here is example data that I see coming out from logstash (using rybydebug output):

"geoip" => {
"timezone" => "Asia/Colombo",
"ip" => "112.135.80.183",
"latitude" => 6.6,
"coordinates" => [
[0] 79.95,
[1] 6.6
],
"continent_code" => "AS",
"city_name" => "Kalutara North",
"country_code2" => "LK",
"country_name" => "Sri Lanka",
"country_code3" => "LK",
"region_name" => "Western Province",
"location" => [
[0] 79.95,
[1] 6.6
],
"postal_code" => "12000",
"longitude" => 79.95,
"region_code" => "1"
},

The geoip.location seems to be array of two numbers, which according to doc should be one of valid formats of geo_point ES data type. But ES still refuses it with error
"type"=>"p"type"=>"parse_exception", "reason"=>"geo_point expected"arse_exception", "reason"=>"geo_point expected"

system · February 10, 2017, 9:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash Setup with GeoIP Logstash	18	2283	October 9, 2019
Updated geoip Elasticsearch	12	620	March 8, 2021
Template mapping examples not clear for geoip Logstash	6	520	February 25, 2019
Geoip configuration problem Logstash	1	751	July 6, 2017
Logstash 2.3 - GeoIP problem Logstash	19	1466	November 28, 2017

Example geoip config that works LS/ES 5.1

Related Topics