Only invoke geoip if field is IP

Khoa_Nguyen1 · July 10, 2015, 2:50pm

How do I conditionally invoke geoip if the field is a valid IP address?

magnusbaeck · July 10, 2015, 5:23pm

Use a conditional.

if [fieldname] =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/ {
  geoip {
    ...
  }
}

Not the best and most stringent expression for validating IPv4 addresses but you get the idea.

Khoa_Nguyen1 · July 10, 2015, 5:54pm

Thanks for your input. I realize grok has patterns for IP (IPv4 or IPv6) already. Can I do this:

grok {
    match => { "clientIP" => "%{IP:validIP}" }
}

geoip {
    source => "validIP"
    remove_field => "validIP"
}

Thanks

magnusbaeck · July 10, 2015, 7:36pm

Yes, but you probably want to disable the _grokparsefailure tag (tag_on_failure parameter to grok IIRC). I'm assuming the geoip filter behaves nicely when the field named in source doesn't exist.

Topic		Replies	Views
Matching ip address Logstash	5	589	March 20, 2023
Conditional filtering by source with IP addresses Logstash	7	6973	April 11, 2017
How to filter out internal IPs and localhost.localdomain for geoip? Logstash	10	5189	May 31, 2017
If field == IPv6 assign a different value Logstash	1	158	May 25, 2021
Ignore plugin error Logstash	3	1275	July 6, 2017

Only invoke geoip if field is IP

Related Topics