Example geoip config that works LS/ES 5.1

paka · January 12, 2017, 3:02pm

Hello,

please does geoip work for someone in LS and ES 5.1, is there an example of configuration that works ?

I'm fighting with it whole day, trying all various things found in many issues also others apparently have with that, but nothing helps...

My last attempt is a minimalistic one - in logstash filter I have just:

geoip {
source => "[attrs][source]"
target => "geoip"
}

and in mapping template:

"geoip" : {
"type" : "object",
"dynamic": true,
"properties" : {
"ip": { "type": "ip" },
"location" : { "type" : "geo_point" },
"latitude" : { "type" : "float" },
"longitude" : { "type" : "float" }
}
}

but still I get error:
"error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse", "caused_by"=>{"type"=>"parse_exception", "reason"=>"geo_point expected"}

Thanks in advance for your help,
Pavel

Troy_C · January 12, 2017, 3:05pm

Something like this works for me

geoip {
    source => "dst_ip"
    target => "geoip"
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
    convert => [ "[geoip][coordinates]", "float"]
}

paka · January 12, 2017, 3:35pm

Thanks - I tried that, but got the same error as previously.

I tried also adding the following to the mapping:
"location" : { "type" : "geo_point", "ignore_malformed": true }
but the error is still the same, strange.

paka · January 13, 2017, 9:39am

Here is example data that I see coming out from logstash (using rybydebug output):

"geoip" => {
"timezone" => "Asia/Colombo",
"ip" => "112.135.80.183",
"latitude" => 6.6,
"coordinates" => [
[0] 79.95,
[1] 6.6
],
"continent_code" => "AS",
"city_name" => "Kalutara North",
"country_code2" => "LK",
"country_name" => "Sri Lanka",
"country_code3" => "LK",
"region_name" => "Western Province",
"location" => [
[0] 79.95,
[1] 6.6
],
"postal_code" => "12000",
"longitude" => 79.95,
"region_code" => "1"
},

The geoip.location seems to be array of two numbers, which according to doc should be one of valid formats of geo_point ES data type. But ES still refuses it with error
"type"=>"p"type"=>"parse_exception", "reason"=>"geo_point expected"arse_exception", "reason"=>"geo_point expected"

system · February 10, 2017, 9:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.