Logstash: how to use multiple geoip filter in one message

sumeet_dembra · December 3, 2015, 7:08am

Hi,

I am using two geoip filters for one message. But the output shows geoip fields only for first geoip filter.

Here is the snippet for filters:

filter {
grep {
match => ["message","^#.*"]
negate => true
}
grok {
match => ["message","%{LOGLINE}"]
patterns_dir=>["/opt/mypatterns"]
}
geoip {
source => "clientip"
fields => ["country_name", "city_name", "continent_code","country_code2"]
target => "client_geoip"
database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
}
geoip {
source => "ghostip"
fields => ["country_name", "city_name", "continent_code","country_code2"]
target => "ghost_geoip"
database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
}
}

output {
stdout { codec => rubydebug }
}

The output shows geoip fields only for first geoip input .i.e. clientip and does not show geoip fields for second geoip input i.e. ghostip.

 "clientip" => "66.249.73.186",
 "ghostip" => "23.218.157.187",
 "client_geoip" => {
     "country_code2" => "US",
      "country_name" => "United States",
    "continent_code" => "NA",
         "city_name" => "Mountain View"
},
         "name" => "Other",
           "os" => "Other",
      "os_name" => "Other",
       "device" => "Other",

....

magnusbaeck · December 3, 2015, 7:19am

The grep filter is deprecated. Use conditionals instead.

If you comment out the first geoip filter I think you'll note that the second filter still isn't able to look up 23.218.157.187. Maybe the database is outdated?

Topic		Replies	Views
GeoIP issue on logstash conf file Logstash	12	1725	August 15, 2018
Filtering multiple logs Logstash	5	1807	January 9, 2017
_geoip_lookup_failure though all geoip fields are populated Logstash	17	3025	September 12, 2019
Issues with Logstash filter ignoring logical elements Logstash	1	412	July 18, 2017
Getting geoip to work Logstash	5	1164	July 6, 2017

Logstash: how to use multiple geoip filter in one message

Related topics