I have a field client.ip that needs to get geo info. I tried the GeoIP filter below, but it didn't work. It looks like GeoIP does not work with a subfield. Please advise.
filter {
  if [client][ip] {
    geoip {
      source => "[client][ip]"
      target => "[client][ip][geo]"
    }
  }
}
I tried to add a new top field as below and received the expected results. Is there a way to work directly with the subfield [client][IP]?
filter {
  if [client][ip] {
    mutate { add_field => { "client_ip" => "%{[client][ip]}" } }
    geoip {
      source => "client_ip"
      target => "client_geo"
    }
  }
}
Read your logstash log. It will contain a message like this. I know it is not helpful (I think the wording is flat out wrong, because [foo] is a string, so "not either a map or a string" should evaluate false, not true, but that's just me)
Pipeline worker error, the pipeline will be stopped {:pipeline_id=>"main", :error=>"Could not set field 'geo' on object '192.188.44.3' to value '{}'.This is probably due to trying to set a field like [foo][bar] = someValuewhen [foo] is not either a map or a string",
Setting target => "[client][ip][geo]" means [client][ip] has to be an object, but it is a string, so you cannot create another field within it. Change your configuration to use target => "[client][geo]" or anything else except its current value.
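The rule in the answer above, as an added example that is not part of the original posts and is not Logstash's own code: a simplified Ruby model of nested field assignment that reports which path segment blocks a given target. The function names and the sample event are assumptions made for illustration.

```ruby
# Simplified model of nested field assignment (not Logstash's implementation).

# Split a field reference such as "[client][ip][geo]" into ["client", "ip", "geo"].
# A bare name such as "client_geo" is a single top-level key.
def parse_field_ref(ref)
  segments = ref.scan(/\[([^\[\]]+)\]/).flatten
  segments.empty? ? [ref] : segments
end

# Return nil if `target` can be created in `event`, otherwise a message naming
# the first path segment that already holds a non-map value.
def target_conflict(event, target)
  path = parse_field_ref(target)
  node = event
  path[0...-1].each_with_index do |key, i|
    return nil unless node.key?(key) # missing parents can be created as maps
    node = node[key]
    unless node.is_a?(Hash)
      parent = path[0..i].map { |k| "[#{k}]" }.join
      return "#{parent} is a #{node.class} (#{node.inspect}), cannot hold [#{path[i + 1]}]"
    end
  end
  nil
end

# Set the value at `target`, creating intermediate maps; raise on a conflict.
def set_field(event, target, value)
  conflict = target_conflict(event, target)
  raise ArgumentError, conflict if conflict
  path = parse_field_ref(target)
  parent = path[0...-1].reduce(event) { |node, key| node[key] ||= {} }
  parent[path.last] = value
  event
end

# Constructed sample event; the IP is the one shown in the log line above.
def sample_event
  { "client" => { "ip" => "192.188.44.3" } }
end

if __FILE__ == $PROGRAM_NAME
  ["[client][ip][geo]", "[client][geo]", "client_geo"].each do |target|
    puts "#{target}: #{target_conflict(sample_event, target) || 'ok'}"
  end
end
```

Run against the sample event, only the first target is rejected, because [client][ip] already holds a string.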
I fixed it following your guide. Thank you for your detailed clarification.