GeoIP filter does not work with a subfield

austin0918 · June 9, 2022, 1:44am

I have a field client.ip that needs to get geo info. I tried below GeoIP filter but it didn't work. Looks like GeoIP does not work with a subfield. Please advise.

filter {
	if [client][ip] {
		geoip {
			source => "[client][ip]"
			target => "[client][ip][geo]"
		}
	}
}

I tried to add a new top field as below and received the expected results. Is there a way to work directly with the subfield [client][IP]?

filter {
	if [client][ip] {
		mutate {add_field => {"client_ip" => "%{[client][ip]}"}}
		geoip {
			source => "client_ip"
			target => "client_geo"
		}
	}
}

Badger · June 9, 2022, 2:25am

Read you logstash log. It will contain a message like this. I know it is not helpful (I think the wording is flat out wrong, because [foo] is a string, so "not either a map or a string" should evaluate false, not true, but that's just me)

Pipeline worker error, the pipeline will be stopped {:pipeline_id=>"main", :error=>"Could not set field 'geo' on object '192.188.44.3' to value '{}'.This is probably due to trying to set a field like [foo][bar] = someValuewhen [foo] is not either a map or a string",

Setting target => "[client][ip][geo]" means [client][ip] has to be an object, but it is a string, so you cannot create another field within it. Change your configuration to use target => "[client][geo]" or anything else except its current value.

austin0918 · June 9, 2022, 3:20am

I fixed it following your guide. Thank you for your detailed clarification.

system · July 7, 2022, 3:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.