Output of geoip filter changed in logstash 5.4.2 (no more GeoJSON)

matejzero · June 28, 2017, 8:35pm

Hello,

I'm testing logstash 5.4.2 in my staging env and I've noticed that output of geoip plugins has changes. Instead of GeoJSON output, like I had in 5.4.1

    "location": [
      -122.3042,
      47.913
    ],

I now get a hash of lat / lon.

    "location": {
      "lat": 47.913,
      "lon": -122.3042
    },

My geoip configuration looks like this:

    geoip {
      source => [ "src_ip" ]
      fields => [ "country_code2", "country_name", "latitude", "longitude", "location" ]
    }

I looked at release notes and github history and didn't find where this changed.

Is this expected behaviour or did I do something wrong?

matejzero · June 29, 2017, 11:26am

Looking as logstash differences between 5.4.1 and 5.4.2, I noticed geoip filter was updated from 4.0.4 to 4.1.1.

I'm looking at the geoip changelog, but I'm not good in ruby, so I'm not sure which part changes behaviour.

matejzero · June 29, 2017, 11:41am

I think the problem is here: https://github.com/logstash-plugins/logstash-filter-geoip/commit/ec18789d42302eebb3b775ad5c49fb9aba394d40#diff-0db10ce49673bb86356e5398c93ad8b3R257

Logstash generates location hash here instead of an array, like GeoJSON should have.

Old code: https://github.com/logstash-plugins/logstash-filter-geoip/commit/ec18789d42302eebb3b775ad5c49fb9aba394d40#diff-0ceaeedc6497c6d61fa5ae1d2db1dc58L212

matejzero · June 30, 2017, 10:01am

I looked at ES documentation and saw that it can take hash as geopoint type as well: https://www.elastic.co/guide/en/elasticsearch/reference/current/geo-point.html

All is good.

system · July 28, 2017, 10:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.