Logstash: how to use multiple geoip filter in one message


(sumeet dembra) #1

Hi,

I am using two geoip filters for one message, but the output shows geoip fields only for the first geoip filter.

Here is the snippet for filters:

filter {
  grep {
    match => ["message", "^#.*"]
    negate => true
  }
  grok {
    match => ["message", "%{LOGLINE}"]
    patterns_dir => ["/opt/mypatterns"]
  }
  geoip {
    source => "clientip"
    fields => ["country_name", "city_name", "continent_code", "country_code2"]
    target => "client_geoip"
    database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
  }
  geoip {
    source => "ghostip"
    fields => ["country_name", "city_name", "continent_code", "country_code2"]
    target => "ghost_geoip"
    database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
  }
}

output {
  stdout { codec => rubydebug }
}

The output shows geoip fields only for the first geoip input, i.e. clientip, and does not show geoip fields for the second geoip input, i.e. ghostip:

      "clientip" => "66.249.73.186",
       "ghostip" => "23.218.157.187",
  "client_geoip" => {
       "country_code2" => "US",
        "country_name" => "United States",
      "continent_code" => "NA",
           "city_name" => "Mountain View"
  },
          "name" => "Other",
            "os" => "Other",
       "os_name" => "Other",
        "device" => "Other",

....


(Magnus Bäck) #2

The grep filter is deprecated. Use conditionals instead.

If you comment out the first geoip filter I think you'll note that the second filter still isn't able to look up 23.218.157.187. Maybe the database is outdated?
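The pipeline from post #1 rewritten along the lines of the reply above, as an added example that is not from either poster: the deprecated grep filter becomes a conditional that drops comment lines, each geoip lookup is guarded by its own conditional so the two lookups are independent, and each gets a distinct failure tag so a missing ghost_geoip block (address not in the database) can be told apart from an event grok never parsed. The pattern name LOGLINE, the field names and the file paths are taken from the original post; the tag_on_failure option and the tag names are assumptions about the geoip plugin version in use.

```logstash
filter {
  # Replaces "grep { match => [...] negate => true }": events whose message
  # starts with "#" are dropped, everything else continues through the pipeline.
  if [message] =~ /^#/ {
    drop { }
  }

  grok {
    match => ["message", "%{LOGLINE}"]
    patterns_dir => ["/opt/mypatterns"]
  }

  # First lookup, only attempted when grok actually produced a clientip field.
  if [clientip] {
    geoip {
      source   => "clientip"
      target   => "client_geoip"
      fields   => ["country_name", "city_name", "continent_code", "country_code2"]
      database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
      # Assumption: tag_on_failure is available in this plugin version.
      tag_on_failure => ["_client_geoip_failure"]
    }
  }

  # Second lookup, independent of the first. A distinct tag makes an address
  # that the database cannot resolve visible in the rubydebug output instead
  # of the ghost_geoip block silently not appearing.
  if [ghostip] {
    geoip {
      source   => "ghostip"
      target   => "ghost_geoip"
      fields   => ["country_name", "city_name", "continent_code", "country_code2"]
      database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
      tag_on_failure => ["_ghost_geoip_failure"]
    }
  }
}

output {
  stdout { codec => rubydebug }
}
```

With this layout an event that carries `_ghost_geoip_failure` but no `_client_geoip_failure` points at the database (the address is not in the GeoLiteCity.dat being used), whereas an event with neither tag and no ghost_geoip block means the ghostip field itself was never set by grok.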


(system) #3