Example geoip config that works LS/ES 5.1

paka · January 12, 2017, 3:02pm

Hello,

please does geoip work for someone in LS and ES 5.1, is there an example of configuration that works ?

I'm fighting with it whole day, trying all various things found in many issues also others apparently have with that, but nothing helps...

My last attempt is a minimalistic one - in logstash filter I have just:

geoip {
source => "[attrs][source]"
target => "geoip"
}

and in mapping template:

"geoip" : {
"type" : "object",
"dynamic": true,
"properties" : {
"ip": { "type": "ip" },
"location" : { "type" : "geo_point" },
"latitude" : { "type" : "float" },
"longitude" : { "type" : "float" }
}
}

but still I get error:
"error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse", "caused_by"=>{"type"=>"parse_exception", "reason"=>"geo_point expected"}

Thanks in advance for your help,
Pavel

Troy_C · January 12, 2017, 3:05pm

Something like this works for me

geoip {
    source => "dst_ip"
    target => "geoip"
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
    convert => [ "[geoip][coordinates]", "float"]
}

paka · January 12, 2017, 3:35pm

Thanks - I tried that, but got the same error as previously.

I tried also adding the following to the mapping:
"location" : { "type" : "geo_point", "ignore_malformed": true }
but the error is still the same, strange.

paka · January 13, 2017, 9:39am

Here is example data that I see coming out from logstash (using rybydebug output):

"geoip" => {
"timezone" => "Asia/Colombo",
"ip" => "112.135.80.183",
"latitude" => 6.6,
"coordinates" => [
[0] 79.95,
[1] 6.6
],
"continent_code" => "AS",
"city_name" => "Kalutara North",
"country_code2" => "LK",
"country_name" => "Sri Lanka",
"country_code3" => "LK",
"region_name" => "Western Province",
"location" => [
[0] 79.95,
[1] 6.6
],
"postal_code" => "12000",
"longitude" => 79.95,
"region_code" => "1"
},

The geoip.location seems to be array of two numbers, which according to doc should be one of valid formats of geo_point ES data type. But ES still refuses it with error
"type"=>"p"type"=>"parse_exception", "reason"=>"geo_point expected"arse_exception", "reason"=>"geo_point expected"

system · February 10, 2017, 9:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ELK 5.2.1 - still can't get geoip working Logstash	18	2476	May 8, 2017
Error with basic geo_point setup in logstash Logstash	4	2195	May 10, 2017
Logstash Setup with GeoIP Logstash	18	2301	October 9, 2019
Can Anyone tell each and every step of how to use geoIP with logstash and kibana? Logstash	12	1920	October 24, 2017
Updated geoip Elasticsearch	12	620	March 8, 2021

Example geoip config that works LS/ES 5.1

Related topics