Logstash - line string - Geoshape

Raj_Kumar · June 6, 2019, 12:59pm

Hi There,

Could anyone help me to add a new field called geolocalisation which includes source and destination coordinates .

like

"coordinates" : [[-77.03653, 38.897676], [-77.009051, 38.889939]]

Write now I use this filter to have separately source and destination and now I want to combine both source coordinates and destination coordinates in a single field

filter {
if [type] == "netflow_cisco" {
geoip {
source => "[netflow][ipv4_src_addr]"
target => "src_geoip"
add_field => [ "[geoip][coordinates]", "%{[src_geoip][latitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[src_geoip][longitude]}" ]
periodic_flush => "true"
}
geoip {
source => "[netflow][ipv4_dst_addr]"
target => "dst_geoip"
add_field => [ "[geoip][coordinates]", "%{[dst_geoip][latitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[dst_geoip][longitude]}" ]
periodic_flush => "true"
}
mutate {
convert => [ "[geoip][coordinates]", "float"]
}
}
}

Thanks,
Raj

Raj_Kumar · June 11, 2019, 10:25am

Any help please ?

Badger · June 11, 2019, 2:09pm

Does this help?

Raj_Kumar · June 12, 2019, 7:49am

Thank your help and reply, sorry if my question is silly.Actually am using this geo coordinate fro my netflow traffic ,in that case how to use a specific coordinates as you have specified (-87.623171, 41.881832), because i was confused in netflow traffic i could see multiple coordinates (source and destination)

mutate {
    add_field => {
        "[geo_link][type]" =>  "linestring"
    }
}
ruby {
    code => '
        event.set("[geo_link][coordinates]", [[ -87.623171, 41.881832], [ -87.623177, 41.881833]])
    '
}

Badger · June 12, 2019, 1:04pm

How about

    ruby {
        code => 'event.set("[geoip][coordinates]", [ event.get("[src_geoip][latitude]"), event.get("[src_geoip][longitude]") ] )'
    }

Raj_Kumar · June 13, 2019, 9:34am

thank you for the reply but i would like to include both source and destination in same field, how to do it like

"geolocalisation" : "[[53.3338,-6.2488], [55.6572,12.4736]]",

something like this

[[{{src_geoip.latitude}},{{src_geoip.longitude}}], [{{dst_geoip.latitude}},{{dst_geoip.longitude}}]]"

but i dont know how to put it in ruby

What am trying to achieve - is to make line string type with geo shape for this field geolocalisation

Raj_Kumar · June 13, 2019, 1:03pm

Hi Badger ,

I Tried like this

filter {
if [type] == "netflow_cisco" {
mutate {
add_field => {
"[geo_link][type]" => "linestring"
}
}
ruby {
code => 'event.set("[geoip][coordinates]", [[ event.get("[src_geoip][latitude]"), event.get("[src_geoip][longitude]") ],[ event.get("[dst_geoip][latitude]"), event.get("[dst_geoip][longitude]") ]] )'
}
}
}

I get error like this

[WARN ] 2019-06-13 15:00:20.309 [[main]>worker1] elasticsearch - Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"logstash_netflow-2019.06.13", :_type=>"_doc", :routing=>nil}, #LogStash::Event:0xd5fa261], :response=>{"index"=>{"_index"=>"logstash_netflow-2019.06.13", "_type"=>"_doc", "_id"=>"R_XsUGsBik9o9Vi0uyTI", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [geo_link] of type [text] in document with id 'R_XsUGsBik9o9Vi0uyTI'", "caused_by"=>{"type"=>"illegal_state_exception", "reason"=>"Can't get text on a START_OBJECT at 1:103"}}}}}

Badger · June 13, 2019, 3:43pm

I would expect the elasticsearch logs to have a more informative error message.

system · July 11, 2019, 3:43pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
No geopoint for destination.ip but latitude and longitude field - 7.10 Logstash	4	396	December 29, 2020
Geo_point in logstash Logstash	3	307	March 15, 2021
Logstash problems with fields (Point to Point) Logstash	3	249	July 29, 2021
Combining Field Values Into New Field Logstash	3	599	March 18, 2018
Mapping field as geo_point Logstash	3	1539	December 29, 2020

Logstash - line string - Geoshape

Related topics