Geoip on custom field

Hi everyone,

I'm trying to use the geoIP filter on the x_forwarded_for header.
My pipeline is quite simple: I use an HTTP input, and try to use the field x_forwarded_for, which is in the headers part, for the geoip filtering.

geoip {
    fields => [
        "country_code2",
        "country_code3",
        "country_name",
        "location"
    ]
    source => "x_forwarded_for"
}

In source, I have tried "%{[headers][x_forwarded_for]}" or [headers][x_forwarded_for] (I don't know the right way to access the field) but nothing works. Sometimes it's not compiling, or sometimes I get the _geoip_lookup_failure tag.

My rubydebug log is something like

"headers" => {
 "content_length" => "455",
 "content_type" => "application/json",
 "client_host" => "xx.xx.xx.xx",
 "http_user_agent" => nil,
 "http_version" => "HTTP/1.1",
 "request_path" => "/",
 "request_method" => "POST",
 "http_accept" => "*/*",
 "http_host" => "myhost.com",
 "x_forwarded_for" => "xx.xx.xx.xx"
 }

So do you know how I can use x_forwarded_for?

Thanks in advance for your help

source => "[headers][x_forwarded_for]"

should work if that is what your data looks like.

Yeah it's working :heart_eyes:
Great thanks for that.

PS: How do you know which syntax must be used?
(for example, I use "%{[headers][x_forwarded_for]}" in the cidr filter and it's working)

That's a good question! Some filters expect the name of a field, which would be "[headers][x_forwarded_for]", and some expect a value, which would be "%{[headers][x_forwarded_for]}". I had never noticed that distinction before. I guess you just have to follow the lead of the documentation.
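
The field-name versus value distinction from the reply above, as an added example that is not from the thread or the Logstash documentation. The `[headers][x_forwarded_for]` path follows the rubydebug output in the question; the `[xff]` scratch field, the `xff_private` tag and the network ranges are assumptions, and the example goes one step further than the thread by handling an X-Forwarded-For header that carries several addresses.

```logstash
filter {
  # Conditionals take a bare field reference (no %{}).
  if [headers][x_forwarded_for] {

    # X-Forwarded-For can carry a list ("client, proxy1, proxy2"), and a
    # comma-separated string is not an address the geoip filter can look up.
    # Work on a copy ([xff], hypothetical name) so the raw header is kept.
    mutate { copy  => { "[headers][x_forwarded_for]" => "[xff]" } }
    mutate { gsub  => [ "[xff]", " ", "" ] }     # drop spaces after commas
    mutate { split => { "[xff]" => "," } }       # string -> array

    # geoip "source" expects the NAME of a field: bare field reference.
    # [xff][0] is the leftmost entry, which the client itself can set, so
    # treat the resulting location as a hint, not a verified origin.
    geoip {
      source => "[xff][0]"
      target => "geoip"   # set explicitly; required by newer ECS-mode defaults
    }

    # cidr "address" expects VALUES, so the same field goes through
    # sprintf syntax: %{...} is replaced by the field's content.
    cidr {
      address => [ "%{[xff][0]}" ]
      network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]
      add_tag => [ "xff_private" ]   # hypothetical tag name
    }
  }
}
```

A private or unparseable first entry still ends up with the `_geoip_lookup_failure` tag mentioned in the question, which is the signal to check what the proxy in front of the HTTP input is actually sending.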
