How to derive APM Source IP for Logstash Geoip

(Ronald Tumulak) #1

Elastic version: 7.0.1 (Docker)
Elastic Components: Elasticsearch, Logstash, APM Server, Kibana

We have the geoip filter pipeline in Elastic, but decided to move it to Logstash to help share the load and reduce overhead on Elastic.

However, we are having problems deriving the source IP from a RUM request in Logstash. We have tried srcip, sourceip, clientip, client.ip and others but are failing miserably.

We're pretty sure it's something simple but are currently stumped and couldn't see any reference for it. Any help on this would be greatly appreciated.

TIA!

(Gil Raphaelli) #2

Hi again @digitalron, client.ip should be the right field. Does your configuration include something like this?

filter {
  geoip {
    source => "[client][ip]"
  }
}

If that doesn't get you on your way, please share your logstash configuration and steps to verify that it's failing. Also note if there is a tag_on_failure present.

(Ronald Tumulak) #3

Hi Gil, many thanks for that. That is indeed how we configured our logstash.conf, and it is working now. After a lot of re-checks, we found out that a non-printing whitespace character had inadvertently been inserted between [client] and [ip] in our reference file, causing the pipeline to crash whenever we did a copy-paste from it. This can be closed now. Cheers!
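The root cause in this thread was an invisible character inside the `[client][ip]` field reference. As an added example (not code from the thread or from Elastic), here is a small Python check that scans a Logstash config for hidden format characters, non-ASCII spaces and stray control characters, and flags quoted field references whose brackets are not strictly adjacent. The sample config is constructed for this example and deliberately contains a zero-width space and a no-break space.

```python
import re
import unicodedata

# Constructed sample logstash.conf (not from the thread): the geoip source
# reference hides a ZERO WIDTH SPACE between "[client]" and "[ip]", and a
# NO-BREAK SPACE sits before "=>" on the next line.
SAMPLE_CONF = (
    'filter {\n'
    '  geoip {\n'
    '    source => "[client]\u200b[ip]"\n'
    '    target\u00a0=> "[client][geo]"\n'
    '  }\n'
    '}\n'
)

ALLOWED_CONTROL = {"\t", "\n", "\r"}

def is_suspicious(ch: str) -> bool:
    """True for characters that are invisible or look like a plain space
    but are not: Unicode format chars (Cf), non-ASCII spaces (Zs) and
    control chars (Cc) other than tab/newline."""
    cat = unicodedata.category(ch)
    return (cat == "Cf"
            or (cat == "Zs" and ch != " ")
            or (cat == "Cc" and ch not in ALLOWED_CONTROL))

def find_hidden_chars(text: str):
    """Return (line, column, codepoint, name) for every suspicious char."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_suspicious(ch):
                hits.append((lineno, col, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "UNKNOWN")))
    return hits

FIELD_REF = re.compile(r'"(\[[^"]*\])"')

def broken_field_refs(text: str):
    """Quoted field references such as "[client][ip]" whose brackets are
    separated by anything, e.g. "[client]<zero width space>[ip]"."""
    return [m.group(1) for m in FIELD_REF.finditer(text)
            if re.search(r"\][^\[]+\[", m.group(1))]

if __name__ == "__main__":
    for hit in find_hidden_chars(SAMPLE_CONF):
        print("line %d col %d: %s (%s)" % hit)
    print("broken field refs:", broken_field_refs(SAMPLE_CONF))
```

Run it against a real logstash.conf by replacing SAMPLE_CONF with the file contents; a clean file yields no hits and no broken references.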