Logstash GeoIP filter with words

Hello!

I have a log with countries but it does not have an IP field, and I would like to make a map in Kibana by giving a latitude and longitude to that field.

If I had an IP I would know how to do it with geoip.
Can this plugin be used with words?

Thanks in advance!

You cannot use a geoip filter, but you can do it. You will need an index template that maps a field as a geo_point. The default template does this for [geoip][location]. I guess you could reuse that, but I would recommend adding your own mapping.

Then use a translate filter. Get a list that maps a country to a latitude and longitude (e.g. here) and convert that into a format (e.g. yml) that the translate filter can use. Note that once the mapping is in place, Elasticsearch will have no problem parsing a string like "41.12,-71.34" and storing it in the geo_point field. You do not need to split that into two fields and convert them to floats.
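An added example, not part of the original reply: a Python script for the conversion step described above, producing a YAML file that the translate filter can load through its dictionary_path option. The CSV layout, the function names and the sample rows (the province codes and coordinates from the config posted later in this thread) are assumptions made for illustration.

```python
import csv
import io
import json

# Constructed sample input: the three province codes and coordinates from the
# config later in this thread, laid out as CSV (code,lat,lon).
SAMPLE_CSV = """code,lat,lon
01,42.8351264353,-2.72060346921
02,38.8254086192,-1.98037326935
03,38.4786378049,-0.568699068376
"""


def build_translate_dictionary(csv_text):
    """Return {code: "lat,lon"} after range-checking every row."""
    mapping = {}
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        code = row["code"].strip()
        lat, lon = float(row["lat"]), float(row["lon"])
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            raise ValueError(f"line {line_no}: coordinates out of range for {code!r}")
        if code in mapping:
            raise ValueError(f"line {line_no}: duplicate key {code!r}")
        # The geo_point string form is "lat,lon" (latitude first).
        # The original digits are kept so no precision is lost.
        mapping[code] = f"{row['lat'].strip()},{row['lon'].strip()}"
    return mapping


def to_yaml(mapping):
    """Render the dictionary as YAML with every key and value double-quoted.

    Quoting matters: an unquoted key such as 01 is typically read as a number
    by YAML parsers, so it would not match the string "01" in the event.
    """
    # json.dumps emits a double-quoted string that is also valid YAML.
    return "".join(
        f"{json.dumps(key)}: {json.dumps(value)}\n"
        for key, value in sorted(mapping.items())
    )


if __name__ == "__main__":
    print(to_yaml(build_translate_dictionary(SAMPLE_CSV)), end="")
```

The translate filter then writes the looked-up "lat,lon" string into whichever field the index template maps as geo_point.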

First of all, thanks for the response!

Actually I have this config

filter {
  # Copy the fecha field into @timestamp
  mutate {
    copy => { "fecha" => "@timestamp" }
  }

  # Default coordinates, replaced below when cod_postal matches
  mutate { add_field => { "lat" => "1.0" } }
  mutate { add_field => { "lon" => "-1.0" } }
  mutate { convert => { "lat" => "float" } }
  mutate { convert => { "lon" => "float" } }

  if [cod_postal] == "01" {
    mutate {
      replace => { "lat" => "42.8351264353" }
      replace => { "lon" => "-2.72060346921" }
    }
  }
  if [cod_postal] == "02" {
    mutate {
      replace => { "lat" => "38.8254086192" }
      replace => { "lon" => "-1.98037326935" }
    }
  }
  if [cod_postal] == "03" {
    mutate {
      replace => { "lat" => "38.4786378049" }
      replace => { "lon" => "-0.568699068376" }
    }
  }

  # Build the "lat,lon" string for the location field
  mutate { add_field => { "location" => "%{lat},%{lon}" } }
}

output {
  elasticsearch {
    hosts => ["http://xxxx:9200"]
    index => "prueba-map-%{+YYYY}"
  }
}




I created an index template with the geo_point field like this

image

When I launch Logstash it indexes the fields okay

image

But when I try to create the map, it detects the geo_point field but doesn't print anything and gives this error...

"reason": "Field [location] is of unsupported type [keyword] for [geo_bounding_box] query"

Thank you!

Finally I solved it.

Here is my config.

  mutate { convert => ["Latitude", "float"] }
  mutate { convert => ["Longitude", "float"] }

  if [cod_country] == "xxxx" {
    mutate {
      replace => { "Latitude" => "yyyyyyyyy" }
      replace => { "Longitude" => "-zzzzzzz" }
    }
  }

  # Build the "lat,lon" string for the geo_point field
  mutate {
    add_field => { "geoLocation" => "%{Latitude},%{Longitude}" }
  }


And adding a new field in the mapping template.

image
