Trying to tackle geocoding again... The public geoip lookup plugin works with IP address arrays now, but trying to get the private IPs geocoded isn't working well.
Tried using processors in (for example) a metricbeat yml surrounded by conditionals for private IP addresses. Examples include: (assume the indentation is correct in the actual ymls)
processors:
  - add_fields:
      when.network.host.ip: private
      fields:
        host.geo.location:
          lat: 11
          lon: 111
      target: ''
or a version using if/then like
processors:
  - add_fields:
      target: project
      fields:
        apple: e
  - if:
      network.host.ip: '10.0.0.0/16'
    then:
      - add_fields:
          fields:
            host.geo.location:
              lat: 11
              lon: -1111
          target: ''
These both fail (and all the variants I could think of).
I'm guessing that the problem is host.ip is an array that contains all the private IPv4 addresses but also the IPv6 addresses that aren't really private.
What's the right way to get private machines geo located nowadays? I'm doing the public geo lookup through a pipeline, so either an addition to a geotag pipeline or a processor in a config yml would work... (But a pipeline solution would be preferable since I've got a bunch of beats that all get pushed through a shared one...)
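
The mixed-array concern raised above can be checked outside the stack. This added example (not part of the original post, and not Beats or Elasticsearch code) evaluates a `host.ip` array element by element and maps internal subnets to coordinates. The private ranges (RFC 1918 plus RFC 4193), the site table, the sample event and all function names are assumptions.

```python
import ipaddress

# Assumed meaning of "private": RFC 1918 (IPv4) plus RFC 4193 (IPv6 ULA).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Hypothetical site table: internal subnet -> coordinates (constructed values).
SITE_TABLE = [
    (ipaddress.ip_network("10.0.0.0/16"), {"lat": 11.0, "lon": 111.0}),
    (ipaddress.ip_network("192.168.50.0/24"), {"lat": 40.0, "lon": -75.0}),
]
# Constructed event: one RFC 1918 address, one link-local and one global IPv6.
SAMPLE_EVENT = {"host": {"ip": ["10.0.4.17", "fe80::a00:27ff:fe4e:66a1",
                                "2001:db8::17"]}}

def parse_ips(values):
    """Accept a string or a list; skip entries that are not IP addresses."""
    if isinstance(values, str):
        values = [values]
    parsed = []
    for value in values or []:
        try:
            parsed.append(ipaddress.ip_address(str(value).split("%")[0]))  # drop zone id
        except ValueError:
            continue
    return parsed

def in_net(addr, net):
    return addr.version == net.version and addr in net

def is_private(addr):
    return any(in_net(addr, net) for net in PRIVATE_NETS)

def match_any(values):
    """True if at least one element of the array is private."""
    return any(is_private(a) for a in parse_ips(values))

def match_all(values):
    """True only if every element is private; a mixed array fails this."""
    addrs = parse_ips(values)
    return bool(addrs) and all(is_private(a) for a in addrs)

def enrich(event):
    """Set host.geo.location from the first address inside a known subnet."""
    for addr in parse_ips(event.get("host", {}).get("ip")):
        for net, loc in SITE_TABLE:
            if in_net(addr, net):
                event["host"].setdefault("geo", {})["location"] = dict(loc)
                return event
    return event
```

On the sample event the any-match test succeeds and the all-match test fails, which is the difference to look for when a condition on `host.ip` does not fire.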