There no grok ,geoip information

Joe_Yang · August 3, 2017, 3:58am

We followed this link to configure elasticsearch, filebeat and logslash(https://www.elastic.co/guide/en/logstash/5.4/advanced-pipeline.html), but there's no ip and geo information after running curl as follows, any advice would be appreciated:

$curl -XGET 'localhost:9200/filebeat-2017.08.03/_search?pretty&q=response=200'
{
"took" : 5,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 98,
"max_score" : 2.6682286,
"hits" : [
{
"_index" : "filebeat-2017.08.03",
"_type" : "doc",
"_id" : "AV2l5-Qn6HWgZDLXJmSK",
"_score" : 2.6682286,
"_source" : {
"@timestamp" : "2017-08-03T02:23:38.010Z",
"beat" : {
"hostname" : "164mysqlmove",
"name" : "164mysqlmove",
"version" : "5.5.1"
},
"input_type" : "log",
"message" : "83.149.9.216 - - [04/Jan/2015:05:13:45 +0000] "GET /presentations/logstash-monitorama-2013/images/frontend-response-codes.png HTTP/1.1" 200 52878 "http://semicomplete.com/presentations/logstash-monitorama-2013/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"",
"offset" : 2932,
"source" : "/home/mysqlmove/logstash-5.5.1/logstash-tutorial.log",
"type" : "log"
}

$ curl -XGET 'localhost:9200/filebeat-2017.08.03/_search?pretty&q=geoip.city_name=Buffalo'
{
"took" : 22,
"timed_out" : false,
"_shards" : {
"total" : 5,
"successful" : 5,
"failed" : 0
},
"hits" : {
"total" : 0,
"max_score" : null,
"hits" : [ ]
}
}

warkolm · August 3, 2017, 4:17am

So you setup the filebeat and logstash configs?

Joe_Yang · August 3, 2017, 6:03am

yes, but there's no ip and geo info. from the output ...

warkolm · August 3, 2017, 8:54am

What's the output from Logstash then?
Can you "GET" a single doc and show the entire thing?

Joe_Yang · August 3, 2017, 10:05am

Thanks for your prompt response, could you paste a command on How to “GET” a single doc ?

warkolm · August 3, 2017, 10:09am

curl -XGET localhost:9200/filebeat-2017.08.03/doc/AV2l5-Qn6HWgZDLXJmSK

Joe_Yang · August 4, 2017, 2:24pm

curl -XGET localhost:9200/filebeat-2017.08.03/doc/AV2l5-Qn6HWgZDLXJmSK
{"_index":"filebeat-2017.08.03","_type":"doc","_id":"AV2l5-Qn6HWgZDLXJmSK","_version":1,"found":true,"_source":{"@timestamp":"2017-08-03T02:23:38.010Z","beat":{"hostname":"164mysqlmove","name":"164mysqlmove","version":"5.5.1"},"input_type":"log","message":"83.149.9.216 - - [04/Jan/2015:05:13:45 +0000] "GET /presentations/logstash-monitorama-2013/images/frontend-response-codes.png HTTP/1.1" 200 52878 "http://semicomplete.com/presentations/logstash-monitorama-2013/\" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36"","offset":2932,"source":"/home/mysqlmove/logstash-5.5.1/logstash-tutorial.log","type":"log"}}mysqlmove@164mysqlmove:~/logstash-5.5.1$

warkolm · August 4, 2017, 10:48pm

Try adding ?pretty to the end, it'll make it easier to read.

system · September 1, 2017, 10:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.