Filebeat GeoIP not working with dotted field

I'm trying to ingest Windows IIS logs with the Filebeat IIS module.

The pipeline that Filebeat has automatically defined for this includes GeoIP lookups, e.g.:

  "geoip" : {
      "field" : "source.ip",
      "target_field" : "source.geo",
      "ignore_missing" : true
  }

However, I noticed the geo fields were never present.

I recreated this manually by following the guide here:

https://www.elastic.co/guide/en/beats/filebeat/7.7/filebeat-geoip.html

First I created the pipeline:

PUT _ingest/pipeline/geoip-info
{
  "description": "Add geoip info",
  "processors": [
    {
      "geoip": {
        "field": "source.ip"
      }
    }
  ]
}

Then I tried ingesting a document through the pipeline:

PUT geoip-test2/_doc/my_id?pipeline=geoip-info
{
  "source.ip": "8.8.8.8"
}

This gives the following output:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "illegal_argument_exception",
        "reason" : "field [source] not present as part of path [source.ip]"
      }
    ],
    "type" : "illegal_argument_exception",
    "reason" : "field [source] not present as part of path [source.ip]"
  },
  "status" : 400
}

It does work if I manually change it to:

PUT geoip-test2/_doc/my_id?pipeline=geoip-info
{
  "source": {
    "ip": "8.8.8.8"
  }
}

I assume this is also the reason why the Filebeat data never gets GeoIP information.

As far as I can tell I'm following the defaults provided (Filebeat's own default IIS module) and the documentation as found in the manual.

Am I missing something or is the documentation/default module wrong?
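
Why the first test request above is rejected and the second is accepted, as an added example that is not part of the original post and is not Elasticsearch code: a simplified Python model of how an ingest processor walks a dotted field path, plus the reshaping that Elasticsearch's `dot_expander` ingest processor applies to a literal dotted key. All function names are hypothetical and the sample documents are constructed from the two requests in the post.

```python
# Added illustration: a simplified model of dotted field-path lookup.
# It is not Elasticsearch source code; function names are hypothetical.

class FieldPathError(Exception):
    pass


def get_field(doc, path):
    """Resolve a dotted path by walking nested objects one segment at a time."""
    current = doc
    for segment in path.split("."):
        if not isinstance(current, dict) or segment not in current:
            raise FieldPathError(
                f"field [{segment}] not present as part of path [{path}]")
        current = current[segment]
    return current


def _merge(dst, src):
    """Merge nested object src into dst; refuse to overwrite differing values."""
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            _merge(dst[key], value)
        elif key in dst and dst[key] != value:
            raise ValueError(f"conflicting values for [{key}]")
        else:
            dst[key] = value


def expand_dots(doc):
    """Return a copy of doc with dotted keys rewritten as nested objects."""
    out = {}
    for key, value in doc.items():
        if isinstance(value, dict):
            value = expand_dots(value)
        # Build {"a": {"b": value}} from "a.b", innermost segment first.
        for part in reversed(key.split(".")):
            value = {part: value}
        _merge(out, value)
    return out


# Constructed sample documents matching the two requests in the post.
flat = {"source.ip": "8.8.8.8"}
nested = {"source": {"ip": "8.8.8.8"}}

if __name__ == "__main__":
    print(get_field(nested, "source.ip"))
    print(get_field(expand_dots(flat), "source.ip"))
```
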
