Geoip.location field not generated

hannibal · March 28, 2019, 10:57am

Hi everyone,

I'm trying to play with geoip data and I have a trouble with the field geoip.location.
According to the documentation

A [geoip][location] field is created if the GeoIP lookup returns a latitude and longitude.
ref: Geoip filter plugin | Logstash Reference [8.11] | Elastic

But if I try to check the existance of this field:

GET /_all/_search
{
     "query": {
          "exists": {
              "field": "geoip.location"
          }
    }
}
------
{
  "took" : 4,
  "timed_out" : false,
  "_shards" : {
    "total" : 25,
    "successful" : 25,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 0,
    "max_score" : null,
    "hits" : [ ]
  }
}

But if I search for latitude of longitude fields, I have them

GET /_all/_search
{
     "query": {
          "exists": {
              "field": "geoip.latitude"
          }
    }
}

------
{

  "hits" : {
    "total" : 3494,
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "test-2019.02",
        "_type" : "doc",
        "_id" : "ZJFNqGgB8uxQXBeikvih",
        "_score" : 1.0,
        "_source" : {
          "geoip" : {
            "country_code2" : "FR",
            "longitude" : 6.3387000000000002,
            "country_code3" : "FR",
            "latitude" : 49.8582,
            "country_name" : "France"
          },
          "tags" : [ ....

I have this basic logstash configuration

geoip { 
            fields => [
                "country_code2",
                "country_code3",
                "country_name",
                "latitude",
                "longitude"
            ]
            source => "host"
        }

In my index pattern, it seems to be present ..... (the IP also, I haven in reality)

So do you know where I did a mistake ?

Thanks in advance for your help

pup_seba · March 28, 2019, 11:16am

Hi,

The one time this happened to me, was because i did not installed the geoip plugin in the elasticsearch server. Could it be your case also?

Badger · March 28, 2019, 12:18pm

My reading of the code is that location is only added if it is one the desired fields. You do not include it in your fields option, so it is not on the desired list.

hannibal · March 28, 2019, 1:05pm

Hum, it's quite strange because location field seems to not be a valid option (according to the doc)

For the built-in GeoLite2 City database, the following are available: city_name , continent_code , country_code2 , country_code3 , country_name , dma_code , ip , latitude , longitude , postal_code , region_name and timezone .

So I will try all the same

hannibal · March 28, 2019, 1:10pm

Hi,
It seems to be installed

> /usr/share/logstash/bin/logstash-plugin list 'geoip'
logstash-filter-geoip

hannibal · March 28, 2019, 2:23pm

So You are write, the field is not present in the documentation but exist in the code

So there is a bug inside the documentation.
Thanks for your help

system · April 25, 2019, 2:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.