Logstash GeoIP filter with words

rodri.gz · August 17, 2021, 7:43am

hello!

I have a log with countries but it does not have an IP field and I would like to make a map in kibana giving a latitude and longitude to that field.

If I had an IP I would know how to do it with geoip.
Can this plugin be used with words?

Thanks in advance!

Badger · August 17, 2021, 2:23pm

You cannot use a geoip filter, but you can do it. You will need an index template that maps a field as a geo_point. The default template does this for [geoip][location]. I guess you could reuse that, but I would recommend adding your own mapping.

Then use a translate filter. Get a list that maps a country to a latititude and longitude (e.g. here) and convert that into format (e.g. yml) that the translate filter can use. Note that once the mapping is in place, elasticsearch will have no problem parsing a string like "41.12,-71.34" and storing it in the geo_point field. You do not need to split that into two fields and convert them to floats.

rodri.gz · August 18, 2021, 9:35am

First of all, thanks for the response!

Actually i have this config

filter {
    mutate {
        copy => {"fecha" => "@timestamp"}
  }

    mutate { add_field => {"lat" => "1.0" }}
    mutate { add_field => {"lon"=> "-1.0" }}
    mutate { convert => {"lat" => "float"} }
    mutate { convert => {"lon" => "float"} }

    if [cod_postal] == "01" {
      mutate {
        replace => { "lat" => "42.8351264353"}
        replace => { "lon" => "-2.72060346921"}
      }
    }
    if [cod_postal] == "02" {
      mutate {
        replace => { "lat" => "38.8254086192"}
        replace => { "lon" => "-1.98037326935"}
      }
    }
    if [cod_postal] == "03" {
      mutate {
        replace => { "lat" => "38.4786378049"}
        replace => { "lon" => "-0.568699068376"}
      }
    
    mutate { add_field => {"location" => "%{lat},%{lon}"}  }

  output {
  elasticsearch {
    hosts => ["http://xxxx:9200"]
    index => "prueba-map-%{+YYYY}"
  }
}

I created an index template with the geo_point field like this

when i launch logstash it index okey the fields

but when i try to create the map, it detect the geo_point field but doesnt print anything and give this error...

"reason": "Field [location] is of unsupported type [keyword] for [geo_bounding_box] query"

thank you!

rodri.gz · August 23, 2021, 7:01am

finally i solved it.

Here is my config.

  mutate {convert => ["Latitude", "float"] }
  mutate {convert => ["Longitude", "float"] }


    if [cod_country] == "xxxx" 
      mutate {
        replace => { "Latitude" => "yyyyyyyyy"}
        replace => { "Longitude" => "-zzzzzzz"}
      }
    }

    mutate{
    add_field => {"geoLocation" => "%{Latitude},%{Longitude}"}
    }

and adding a new field in mapping template.

system · September 20, 2021, 7:01am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.