Trying to tackle geocoding again... The public geoip lookup plugin works with IP addresses arrays now, but trying to get the private IP's geocoded isn't working well.
Tried using processors in (for example) a metricbeat yml surrounded by conditionals for private IP addresses. Examples include: (assume the indentation is correct in the actual ymls)
processors: - add_fields when.network.host.ip: private fields: host.geo.location: lat: 11 lon: 111 target: ''
or a version using if/then like
processors: - add_fields: target: project fields: apple: e - if: network.host.ip: '10.0.0.0/16' then: - add_fields: fields: host.geo.location: lat: 11 lon: -1111 target: ''
These both fail (and all the variants I could think of).
I'm guessing that the problem is host.ip is an array that contains all the private IPv4 addresses but also the IPv6 addresses that aren't really private.
What's the right way to get private machines geo located nowadays? I'm doing the public geo lookup through a pipeline, so either an addition to a geotag pipeline or a processor in a config yml would work... (But a pipeline solution woudl be preferable since I've got a bunch of beats that all get pushed through a shared one...)