Only invoke geoip if field is IP

Khoa_Nguyen1 · July 10, 2015, 2:50pm

How do I conditionally invoke geoip if the field is a valid IP address?

magnusbaeck · July 10, 2015, 5:23pm

Use a conditional.

if [fieldname] =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/ {
  geoip {
    ...
  }
}

Not the best and most stringent expression for validating IPv4 addresses but you get the idea.

Khoa_Nguyen1 · July 10, 2015, 5:54pm

Thanks for your input. I realize grok has patterns for IP (IPv4 or IPv6) already. Can I do this:

grok {
    match => { "clientIP" => "%{IP:validIP}" }
}

geoip {
    source => "validIP"
    remove_field => "validIP"
}

Thanks

magnusbaeck · July 10, 2015, 7:36pm

Yes, but you probably want to disable the _grokparsefailure tag (tag_on_failure parameter to grok IIRC). I'm assuming the geoip filter behaves nicely when the field named in source doesn't exist.

Topic		Replies	Views
Matching ip address Logstash	5	603	March 20, 2023
Do Grok patterns have a place in the if =~ conditional matching? Logstash	3	5924	July 6, 2017
IP Field contained invalid IP address or hostname with geoip filter Logstash	5	2794	July 6, 2017
Conditional filtering by source with IP addresses Logstash	7	6999	April 11, 2017
How to filter out internal IPs and localhost.localdomain for geoip? Logstash	10	5192	May 31, 2017

Only invoke geoip if field is IP

Related topics