I noticed that the naming conventions between the kibana region map and the logstash geoip plugin aren't the same. And when i try to visualize my data i get errors from the region map telling me that it can't find "Republic of Korea", because it's named "Korea, Republic of" on the region map.
So i'm trying to use the mutate filter to change the geoip.country_name for odd cases like those.
Here's my filter config:
filter {
if [type] == "ossec_alert_log" {
json {
source => "message"
}
geoip {
source => "srcip"
}
}
else if [type] == "nginx_access_log" {
grok {
patterns_dir => "/etc/logstash/patterns"
match => { "message" => "%{NGINX_ACCESS}" }
remove_tag => ["_grokparsefailure"]
add_tag => ["nginx_access"]
}
geoip {
source => "clientip"
}
}
if [geoip][country_name] == "Republic of Korea" {
mutate {
replace => { "%{[geoip][country_name]}" => "Korea, Republic of" }
}
}
}
As you can see i try to replace Republic of Korea with Korea, Republic of, but the logs in Kibana still say Republic of Korea.