I would like to output just the geoip.ip field to file (just the IP address).
I have tried the following but just get errors. I think the ip is a nested field of geoip, but not sure how to extract.
file {
message_format => ["%{geoip.ip}"]
path => "/var/log/logstash/geoip_ip.%{+yyyy.MM.dd.HH}"
}
}
Did you delete the source IP that you used to generate the GeoIP object? Why do you need this field?
At any rate, you'll need to use the syntax for sub-fields:
message_format => ["%{[geoip][ip]"]
UPDATE: It appears I missed the closing curly brace: message_format => ["%{[geoip][ip]}"]
Great thanks for that! The issue I had was that there was no source IP, only source host name, which geoip converts to IP. These IP's I need in a log file for further analysis.
Except that the syntax is:
message_format => ["%{geoip[ip]}"]
Really? That shouldn't even work. sprintf field reference formatting indicates that nested references should be "%{[primary_field][subfield]}".
Can you confirm that the message_format doesn't work with "%{[geoip][ip]}" and does with "%{geoip[ip]}"?
Well, When I tried "%{[geoip][ip]}" the output file was populated with [geoip][ip] on every line. When I tried "%{geoip[ip]}" then the file contained an IP address on every line.
Now I have an issue where if geoip fails to parse the host name the the output line is geoip.ip
Is there a conditional that I can use to only output if the field geoip.ip actually contains an IP address?
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.