Hi,
I am using two geoip filters for one message, but the output shows geoip fields only for the first geoip filter.
Here is the snippet for filters:
filter {
  grep {
    match => ["message", "^#.*"]
    negate => true
  }
  grok {
    match => ["message", "%{LOGLINE}"]
    patterns_dir => ["/opt/mypatterns"]
  }
  geoip {
    source => "clientip"
    fields => ["country_name", "city_name", "continent_code", "country_code2"]
    target => "client_geoip"
    database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
  }
  geoip {
    source => "ghostip"
    fields => ["country_name", "city_name", "continent_code", "country_code2"]
    target => "ghost_geoip"
    database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
  }
}
output {
  stdout { codec => rubydebug }
}
The output shows geoip fields only for the first geoip input, i.e. clientip, and does not show geoip fields for the second geoip input, i.e. ghostip.
    "clientip" => "66.249.73.186",
    "ghostip" => "23.218.157.187",
    "client_geoip" => {
        "country_code2" => "US",
        "country_name" => "United States",
        "continent_code" => "NA",
        "city_name" => "Mountain View"
    },
    "name" => "Other",
    "os" => "Other",
    "os_name" => "Other",
    "device" => "Other",
    ....