Hi,
I would like to use the geoip processor on the ingest node to process multiple fields, for example:
ip
source.ip
dest.ip
and any other IP-related field I may come across.
How can I create a pipeline that uses the geoip ingest plugin to process multiple fields?
In order to accomplish this, you can simply have 3 consecutive geoip filters. Here's what we're doing with our normalized firewall and bro events:
if "fw" in [tags] or "bro" in [tags] {
  geoip {
    cache_size => 2000
    source => "DvcIp"
    target => "[GeoIPs][DvcIp]"
    fields => ["city_name", "country_code2", "country_code3", "country_name", "location", "postal_code", "region_code"]
  }
  geoip {
    cache_size => 2000
    source => "SrcIp"
    target => "[GeoIPs][SrcIp]"
    fields => ["city_name", "country_code2", "country_code3", "country_name", "location", "postal_code", "region_code"]
  }
  geoip {
    cache_size => 2000
    source => "DstIp"
    target => "[GeoIPs][DstIp]"
    fields => ["city_name", "country_code2", "country_code3", "country_name", "location", "postal_code", "region_code"]
  }
}
Mike, thank you for the response - it looks like you are doing this in Logstash. I would like to do it on the ingest node but can get two geoip keys there - like this:
PUT _ingest/pipeline/geoip-info
{
  "description": "Add geoip info",
  "processors": [
    {
      "geoip": {
        "field": "ip",
        "target_field": "client.geo",
        "ignore_failure": true
      },
      "geoip": {
        "field": "source.ip",
        "target_field": "sourceip.geo",
        "ignore_failure": true
      }
    }
  ]
}
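As an added example that is not part of this thread: the pipeline body above puts both "geoip" keys inside one processor object. JSON objects cannot carry two identical keys, and most parsers silently keep only the last one, so only the second geoip enrichment survives. The script below (my own, not Elastic's code) shows that collapse on a constructed copy of the snippet, detects duplicate keys before a pipeline is uploaded, and builds the working form: one processor object per IP field, listed in order under "processors". The field-to-target mapping (`destination.ip`, `source.geo`, `destination.geo`) and the pipeline id are assumed values, not taken from the thread; `ignore_missing` and `ignore_failure` are documented geoip/processor options.

```python
import json

# Assumed mapping of IP fields to geo target fields (not from the thread).
# Dotted names address nested fields, as ingest processors expect.
IP_FIELDS = {
    "ip": "client.geo",
    "source.ip": "source.geo",
    "destination.ip": "destination.geo",
}

# Constructed copy of the post's pipeline body: both "geoip" keys sit in ONE object.
DUPLICATE_KEY_BODY = """{
  "description": "Add geoip info",
  "processors": [
    {
      "geoip": {"field": "ip", "target_field": "client.geo", "ignore_failure": true},
      "geoip": {"field": "source.ip", "target_field": "sourceip.geo", "ignore_failure": true}
    }
  ]
}"""


def surviving_geoip_fields(body: str) -> list:
    """Return the 'field' of every geoip processor left after a plain JSON parse.

    Python's json.loads keeps the LAST value of a duplicated key, so the first
    geoip block in DUPLICATE_KEY_BODY disappears without any error.
    """
    doc = json.loads(body)
    return [p["geoip"]["field"] for p in doc["processors"] if "geoip" in p]


def find_duplicate_keys(body: str) -> list:
    """List keys that occur more than once inside any single JSON object."""
    dups = []

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                dups.append(key)
            seen.add(key)
        return dict(pairs)

    json.loads(body, object_pairs_hook=hook)
    return dups


def build_geoip_pipeline(field_map: dict, description: str = "Add geoip info") -> dict:
    """Build a pipeline with one geoip processor object per field.

    Each processor is its own {"geoip": {...}} entry in the list, which is the
    structure the ingest node expects; processors run in list order.
    """
    processors = []
    for field, target in field_map.items():
        processors.append({
            "geoip": {
                "field": field,
                "target_field": target,
                "ignore_missing": True,   # skip quietly when the field is absent
                "ignore_failure": True,   # do not drop the event on a lookup error
            }
        })
    return {"description": description, "processors": processors}


if __name__ == "__main__":
    print("geoip fields surviving the duplicate-key body:",
          surviving_geoip_fields(DUPLICATE_KEY_BODY))
    print("duplicate keys found:", find_duplicate_keys(DUPLICATE_KEY_BODY))
    pipeline = build_geoip_pipeline(IP_FIELDS)
    # Body for: PUT _ingest/pipeline/geoip-info  (pipeline id is an assumed name)
    print(json.dumps(pipeline, indent=2))
```

Running the script prints `['source.ip']` for the duplicate-key body, confirming that the `ip` enrichment was lost, and then emits a three-processor pipeline that can be sent as the body of the PUT request. Checking for duplicate keys before upload is a cheap guard, since a pipeline that parses "successfully" but enriches only one of the intended fields is easy to miss in a detection setup.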