How can I remove unwanted parameters in logstash geoip

ruranga · January 20, 2020, 6:53am

Hi,
Actually I don't need following parameters in logstash geoip out put
geoip.city_name
geoip.continent_code
geoip.dma_code
geoip.ip
geoip.latitude
geoip.location.lat
geoip.location.lon
geoip.longitude
geoip.postal_code
geoip.region_code
geoip.region_name
geoip.timezone

I only need
geoip.country_code2
geoip.country_code3
geoip.country_name

how can i perform this in logstash filter{}

Thanks in adavcne!

Fabio-sama · January 20, 2020, 2:37pm

Hi there,

you can either remove the unwanted fields, like:

filter {
  mutate {
    remove_field => [ "[geoip][city_name]", "[geoip][continent_code]" ...]
  }
}

or saving the values you're interested in in another field, replace the geoip field with this new one, and then remove the new field like:

filter {
  mutate {
    copy => { "[geoip][city_name]" => "[new_geoip][city_name]" }
    copy => { "[geoip][code1]" => "[new_geoip][code1]" }
    copy => { "[new_geoip]" => "[geoip]" }
    remove_field => [ "[new_geoip]" ]
  }
}

Guess it depends on how many fields you want to keep out of how many they are in total.

Topic		Replies	Views
Adding GeoIP using logstash Logstash	3	1118	July 6, 2017
Logstash mutate filter Logstash	9	1843	July 6, 2017
ELK-5.0 Logstash geoip filter target "geoip", unable to remove fields Logstash	2	663	December 20, 2016
Remove raw fields from geoip? Logstash	5	2515	July 6, 2017
How to remove IP-address from elasticsearch submission after geoip parses it? Logstash	3	1410	July 20, 2017

How can I remove unwanted parameters in logstash geoip

Related topics