How can i set two geoip source fields?

hello,

i have two geoip sources the first is "clientip" and the second is "clientip_e"
so i use this syntax but nothing #it's error!!!

geoip{

source => {"clientip"
}

}
geoip{

source => {"clientip_e"
}

}

how can i do ???

Hi @med_amine,

first, just FYI, it is much easier to read the config if you format it as Preformated text :slight_smile:

Do you get any error messages?

source => {"clientip"
}

Remove the braces.

But i have two fields which are the sources ,so what is the syntax to set two sources : clentip and clientip_e

Try

geoip {
  source => "clientip"
}
geoip {
  source => "clientip_e"
}

Looks like you can only have one source per geoip filter https://www.elastic.co/guide/en/logstash/6.3/plugins-filters-geoip.html#plugins-filters-geoip-source

If that does not work you can probably use a couple of ifs

But what is Logstash supposed to do with these fields? Will only one of them be populated at a time (and the parsed result should be stored in one field) or do you want it to always process both source fields and store the results in different fields?

thks it turns right now !

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.