Geoip.location field not generated

Elastic Stack Logstash
1

Hi everyone,

I'm trying to play with geoip data and I have a trouble with the field geoip.location.
According to the documentation

A [geoip][location] field is created if the GeoIP lookup returns a latitude and longitude.
ref: Geoip filter plugin | Logstash Reference [8.11] | Elastic

But if I try to check the existance of this field:

GET /_all/_search
{
     "query": {
          "exists": {
              "field": "geoip.location"
          }
    }
}
------
{
  "took" : 4,
  "timed_out" : false,
  "_shards" : {
    "total" : 25,
    "successful" : 25,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 0,
    "max_score" : null,
    "hits" : [ ]
  }
}

But if I search for latitude of longitude fields, I have them

GET /_all/_search
{
     "query": {
          "exists": {
              "field": "geoip.latitude"
          }
    }
}

------
{

  "hits" : {
    "total" : 3494,
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "test-2019.02",
        "_type" : "doc",
        "_id" : "ZJFNqGgB8uxQXBeikvih",
        "_score" : 1.0,
        "_source" : {
          "geoip" : {
            "country_code2" : "FR",
            "longitude" : 6.3387000000000002,
            "country_code3" : "FR",
            "latitude" : 49.8582,
            "country_name" : "France"
          },
          "tags" : [ ....

I have this basic logstash configuration

geoip { 
            fields => [
                "country_code2",
                "country_code3",
                "country_name",
                "latitude",
                "longitude"
            ]
            source => "host"
        }

In my index pattern, it seems to be present ..... (the IP also, I haven in reality)

image
image1387×548 26.3 KB

So do you know where I did a mistake ?

Thanks in advance for your help :wink:

2

Hi,

The one time this happened to me, was because i did not installed the geoip plugin in the elasticsearch server. Could it be your case also?

3

My reading of the code is that location is only added if it is one the desired fields. You do not include it in your fields option, so it is not on the desired list.

1 Like
4

Hum, it's quite strange because location field seems to not be a valid option (according to the doc)

For the built-in GeoLite2 City database, the following are available: city_name , continent_code , country_code2 , country_code3 , country_name , dma_code , ip , latitude , longitude , postal_code , region_name and timezone .

So I will try all the same

5

Hi,
It seems to be installed

> /usr/share/logstash/bin/logstash-plugin list 'geoip'
logstash-filter-geoip
6

So You are write, the field is not present in the documentation but exist in the code

So there is a bug inside the documentation.
Thanks for your help :wink:

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.