My JSON log looks like this:
{
"ns_records": [{
"nsip": "208.84.0.53",
"nsname": "ns1.msft.net"
}, {
"nsip": "208.84.2.53",
"nsname": "ns2.msft.net"
}],
"domain": "mx1.hotmail.com",
"country_iso": "US",
"ip": "65.54.188.72"
}
I want to add geo information for both 'ip' and every 'nsip'. How do I loop through all the nsip values and add geoip data within ns_records? If I give an array index manually it works, but the number of elements within ns_records is variable. My Logstash config:
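# Pipeline: read JSON events from stdin, attach GeoIP data to the top-level
# "ip" and to the first entry of "ns_records", then print each event.
input {
  stdin { codec => "json" }
}

filter {
  # NOTE(review): this drops the event time (@timestamp) and the originating
  # host from every event. Keep them if the enriched records will later be
  # searched by time or correlated with other logs.
  mutate {
    remove_field => [ "@timestamp", "@version", "host", "tags" ]
  }

  # Enrich the top-level address; the lookup result is stored under "geoip".
  # NOTE(review): GeoLiteCity.dat is the legacy MaxMind database format, and
  # newer releases of the geoip filter read GeoLite2 .mmdb files instead.
  # Check the age of this copy: geolocation is approximate at best, and a
  # stale database makes the attribution misleading.
  if [ip] {
    geoip {
      source => "ip"
      target => "geoip"
      database => "/etc/logstash/GeoLiteCity.dat"
      fields => [
        "country_code3", "city_name", "postal_code", "real_region_name",
        "latitude", "longitude", "location"
      ]
    }
  }

  # Enrich the first name server only. The guard now tests the same element
  # that the lookup reads ([ns_records][0][nsip]); the earlier guard
  # [ns_records][nsip] named a key on the array itself rather than on one of
  # its elements.
  # Every element after index 0 is left without "nsgeoip". Covering a
  # variable-length array needs per-element processing, for example emitting
  # one event per ns_records entry with the split filter before this lookup
  # (TODO confirm against the Logstash version in use).
  if [ns_records][0][nsip] {
    geoip {
      source => "[ns_records][0][nsip]"
      target => "[ns_records][0][nsgeoip]"
      database => "/etc/logstash/GeoLiteCity.dat"
      fields => [
        "country_code3", "city_name", "postal_code", "real_region_name",
        "latitude", "longitude", "location"
      ]
    }
  }
}

# Pretty-print each resulting event for inspection.
output {
  stdout { codec => "rubydebug" }
}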
The response looks like this:
{
"ns_records" => [
[0] {
"nsip" => "208.84.0.53",
"nsname" => "ns1.msft.net",
"nsgeoip" => {
"country_code3" => "USA",
"city_name" => "Redmond",
"postal_code" => "98052",
"latitude" => 47.68010000000001,
"longitude" => -122.1206,
"real_region_name" => "Washington",
"location" => [
[0] -122.1206,
[1] 47.68010000000001
]
}
},
[1] {
"nsip" => "208.84.2.53",
"nsname" => "ns2.msft.net"
],
"domain" => "mx1.hotmail.com",
"ip" => "65.54.188.72",
"country_iso" => "US",
"geoip" => {
"country_code3" => "USA",
"city_name" => "San Jose",
"postal_code" => "95103",
"latitude" => 37.33940000000001,
"longitude" => -121.89500000000001,
"real_region_name" => "California",
"location" => [
[0] -121.89500000000001,
[1] 37.33940000000001
]
}
}
}