This part is fairly simple. Something like this (which I have not tested):
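    ruby {
        code => '
            # Keep only the answers that are dotted-quad IPv4 addresses.
            # \A and \z anchor the match so names that merely contain an address are dropped.
            data = event.get("[dns][answers][data]")
            if data
                event.set("[dns][answers][data_ip]", data.select { |x| x.match(/\A\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/) })
            end
        '
    }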
However, if passed an array, a geoip filter only parses the first entry. One possibility would be to split on the data_ip array so that you have multiple events, call geoip, then aggregate them. Something similar to this.
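The flow described in the post, as an added example that is not part of the original post: plain Ruby that models the filter, split, geoip and aggregate steps outside Logstash so the logic can be checked on its own. The event layout (`id`, `data`), the function names and the `GEO` lookup table are assumptions made for illustration; the sample answers are constructed.

```ruby
# Added example: a plain-Ruby model of filter -> split -> geoip -> aggregate.
# Anchored pattern: the whole answer must be a dotted quad.
IPV4 = /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/

# Keep only answers that are complete IPv4 addresses with octets in 0..255.
# Accepts nil, a single string, or an array of answers.
def ipv4_answers(data)
  Array(data).select do |x|
    m = IPV4.match(x.to_s)
    m && m.captures.all? { |octet| octet.to_i <= 255 }
  end
end

# Model of the split step: one event per address, tagged with the parent id
# so the pieces can be regrouped later.
def split_on_ips(event)
  ipv4_answers(event["data"]).map { |ip| { "id" => event["id"], "data_ip" => ip } }
end

# Constructed lookup table standing in for the geoip database (hypothetical values).
GEO = { "192.0.2.10" => "AA", "198.51.100.7" => "BB" }.freeze

# Model of the geoip step: each split event carries exactly one address.
def enrich(ev)
  ev.merge("country" => GEO[ev["data_ip"]])
end

# Model of the aggregate step: regroup enriched events by parent id.
def aggregate(events)
  events.group_by { |e| e["id"] }.map do |id, evs|
    { "id" => id,
      "geo" => evs.map { |e| { "ip" => e["data_ip"], "country" => e["country"] } } }
  end
end

def process(event)
  aggregate(split_on_ips(event).map { |e| enrich(e) })
end

# Constructed sample: two addresses, a PTR name that contains a dotted quad,
# a CNAME target, and an out-of-range value.
SAMPLE = { "id" => "q1",
           "data" => ["192.0.2.10", "10.2.0.192.in-addr.arpa",
                      "cdn.example.net", "198.51.100.7", "999.1.1.1"] }.freeze

p process(SAMPLE) if __FILE__ == $PROGRAM_NAME
```
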