Only invoke geoip if field is IP

Khoa_Nguyen1 · July 10, 2015, 2:50pm

How do I conditionally invoke geoip if the field is a valid IP address?

magnusbaeck · July 10, 2015, 5:23pm

Use a conditional.

if [fieldname] =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/ {
  geoip {
    ...
  }
}

Not the best and most stringent expression for validating IPv4 addresses but you get the idea.

Khoa_Nguyen1 · July 10, 2015, 5:54pm

Thanks for your input. I realize grok has patterns for IP (IPv4 or IPv6) already. Can I do this:

grok {
    match => { "clientIP" => "%{IP:validIP}" }
}

geoip {
    source => "validIP"
    remove_field => "validIP"
}

Thanks

magnusbaeck · July 10, 2015, 7:36pm

Yes, but you probably want to disable the _grokparsefailure tag (tag_on_failure parameter to grok IIRC). I'm assuming the geoip filter behaves nicely when the field named in source doesn't exist.