Output of geoip filter changed in logstash 5.4.2 (no more GeoJSON)

Hello,

I'm testing Logstash 5.4.2 in my staging env and I've noticed that the output of the geoip plugin has changed. Instead of GeoJSON output, like I had in 5.4.1

    "location": [
      -122.3042,
      47.913
    ],

I now get a hash of lat / lon.

    "location": {
      "lat": 47.913,
      "lon": -122.3042
    },

My geoip configuration looks like this:

    geoip {
      source => [ "src_ip" ]
      fields => [ "country_code2", "country_name", "latitude", "longitude", "location" ]
    }

I looked at the release notes and GitHub history and didn't find where this changed.

Is this expected behaviour or did I do something wrong?

Looking at the Logstash differences between 5.4.1 and 5.4.2, I noticed the geoip filter was updated from 4.0.4 to 4.1.1.

I'm looking at the geoip changelog, but I'm not good at Ruby, so I'm not sure which part changes the behaviour.

I think the problem is here: https://github.com/logstash-plugins/logstash-filter-geoip/commit/ec18789d42302eebb3b775ad5c49fb9aba394d40#diff-0db10ce49673bb86356e5398c93ad8b3R257

Logstash generates a location hash here instead of an array, like GeoJSON should have.

Old code: https://github.com/logstash-plugins/logstash-filter-geoip/commit/ec18789d42302eebb3b775ad5c49fb9aba394d40#diff-0ceaeedc6497c6d61fa5ae1d2db1dc58L212

I looked at the ES documentation and saw that it can take a hash as a geopoint type as well: https://www.elastic.co/guide/en/elasticsearch/reference/current/geo-point.html

All is good.
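
Added example, not part of the original thread and not code from the geoip plugin: Elasticsearch accepts both shapes, but anything else reading these events (alert rules, enrichment scripts, exports) may see a mix of 5.4.1-style arrays and 5.4.2-style hashes. The sketch below normalizes the array, hash and `"lat,lon"` string forms to one hash; `normalize_location` is a hypothetical helper name, and geohash and WKT inputs are deliberately not handled.

```ruby
# Added example: normalize the geo_point shapes discussed in the thread to a
# single {"lat" => Float, "lon" => Float} hash. Helper name is hypothetical.
def normalize_location(loc)
  lat, lon =
    case loc
    when Array
      # GeoJSON-style array is [lon, lat] (the 5.4.1 output shown above).
      raise ArgumentError, "expected [lon, lat], got #{loc.inspect}" unless loc.size == 2
      [loc[1], loc[0]]
    when Hash
      # Hash form (the 5.4.2 output shown above); accept string or symbol keys.
      [loc["lat"] || loc[:lat], loc["lon"] || loc[:lon]]
    when String
      # String form is "lat,lon", the opposite order to the array form.
      parts = loc.split(",", -1).map(&:strip)
      raise ArgumentError, "expected \"lat,lon\", got #{loc.inspect}" unless parts.size == 2
      parts
    else
      raise ArgumentError, "unsupported location type: #{loc.class}"
    end

  begin
    lat = Float(lat)
    lon = Float(lon)
  rescue TypeError, ArgumentError
    raise ArgumentError, "non-numeric coordinate in #{loc.inspect}"
  end

  # A range check catches most accidental lat/lon swaps, because a longitude
  # outside [-90, 90] is not a valid latitude.
  unless lat.between?(-90.0, 90.0) && lon.between?(-180.0, 180.0)
    raise ArgumentError, "coordinate out of range in #{loc.inspect}"
  end

  { "lat" => lat, "lon" => lon }
end

# Constructed sample inputs using the coordinates quoted in the thread.
SAMPLES = [
  [-122.3042, 47.913],                    # 5.4.1-style array
  { "lat" => 47.913, "lon" => -122.3042 }, # 5.4.2-style hash
  "47.913,-122.3042"                      # string form
].freeze

SAMPLES.each { |s| puts "#{s.inspect} -> #{normalize_location(s).inspect}" } if __FILE__ == $0
```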
