IP arrays break network conditionals?

Trying to tackle geocoding again... The public geoip lookup plugin works with IP address arrays now, but trying to get the private IPs geocoded isn't working well.

Tried using processors in (for example) a metricbeat yml surrounded by conditionals for private IP addresses. Examples include: (assume the indentation is correct in the actual ymls)

processors:
  - add_fields:
      when.network.host.ip: private
      fields:
        host.geo.location:
          lat: 11
          lon: 111
      target: ''

or a version using if/then like

  processors:
    - add_fields:
        target: project
        fields:
          apple: e
    - if:
        network.host.ip: '10.0.0.0/16'
      then:
        - add_fields:
            fields:
              host.geo.location:
                lat: 11
                lon: -1111
            target: ''

These both fail (and all the variants I could think of).

I'm guessing that the problem is host.ip is an array that contains all the private IPv4 addresses but also the IPv6 addresses that aren't really private.

What's the right way to get private machines geo located nowadays? I'm doing the public geo lookup through a pipeline, so either an addition to a geotag pipeline or a processor in a config yml would work... (But a pipeline solution would be preferable since I've got a bunch of beats that all get pushed through a shared one...)

Does anyone have an actually-functional geoip tagging pipeline they want to share?

There are many older ones that either don't work at all or only 'kinda' work posted over the years...
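
One way to do the private-range tagging in a shared ingest pipeline, as an added example that is not part of the original post and not Elastic's own code: a Painless script processor walks the host.ip array and sets host.geo.location when any address falls inside a configured range. The pipeline name private-geo and the params.sites table are hypothetical, the CIDR and coordinates reuse the post's sample values, and it assumes Kibana Dev Tools console syntax and an Elasticsearch version whose Painless provides the CIDR class.

```console
PUT _ingest/pipeline/private-geo
{
  "description": "Added example: tag events whose host.ip contains an address in a known private range",
  "processors": [
    {
      "script": {
        "lang": "painless",
        "params": {
          "sites": [
            { "cidr": "10.0.0.0/16", "lat": 11, "lon": 111 }
          ]
        },
        "source": """
          // host.ip may be absent, a single string, or an array mixing IPv4 and IPv6.
          def ips = ctx.host?.ip;
          if (ips == null) { return; }
          if (ips instanceof String) { ips = [ips]; }
          // The first site whose range contains any of the addresses wins.
          for (def site : params.sites) {
            CIDR net = new CIDR(site.cidr);
            boolean netIsV6 = site.cidr.contains(':');
            for (def ip : ips) {
              // Only compare addresses of the same family as the range.
              if (ip.contains(':') != netIsV6) { continue; }
              if (net.contains(ip)) {
                if (ctx.host.geo == null) { ctx.host.geo = new HashMap(); }
                ctx.host.geo.location = ['lat': site.lat, 'lon': site.lon];
                return;
              }
            }
          }
        """
      }
    }
  ]
}
```

Running the pipeline through the _simulate API with a document whose host.ip mixes a 10.0.x.x address and an fe80:: address shows whether the array case is handled before any Beat is pointed at it.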
