Using LS 2.0, can't get split and/or geoip working - trying to split my xforwardfor field and pass into geoip

scumola · November 23, 2015, 7:37pm

My LS filter config line:

split {
field => "xforwardfor"
terminator => ","
}

but in kibana, I still see the field as one string

"referer": "http://www.mysite.com/",
"xforwardfor": "1.2.3.4, 5.6.7.8",
"hostname": "myhostname",

I tried deleting all of the indices using curator just in case there was a mapping conflict, but it didn't seem to help.

I didn't see an errors in logstash or elasticsearch logs

I'm also trying to pass this into geoip, but first things first - to split the string...

my geoip filter config:

geoip {
source => "xforwardfor"
target => "geoip"
database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
}

geoip and geoip.location are of type geo_point but don't get populated with anything.

I'm using the latest ELK stack as of Nov 20, 2015 (ES 2.0.0, LS 2.0.0-1, KIBANA 4.2.1)

scumola · November 23, 2015, 7:46pm

Even xforwardfor headers with only a single IP aren't getting geoip location strings. Screengrab:

scumola · November 23, 2015, 9:22pm

You know what, nevermind. You can close this issue.

I was using fluentd to pipe logs into ELK, but I figured out that fluentd just ships logs directly into elasticsearch and bypasses logstash altogether. This is why things in my logstash config made no difference. Sorry for the bandwidth.

Topic		Replies	Views
Logstash 2.1.0 Geoip Filter Logstash	2	612	July 6, 2017
Logstash GeoIP filter (Tile map) Logstash	2	1246	July 6, 2017
Kibana: No Compatible Fields - GEOIP Kibana	2	388	November 19, 2018
ELK 5.2.1 - still can't get geoip working Logstash	18	2476	May 8, 2017
Elastic Tile Service - how tos Kibana	5	1073	August 16, 2016

Using LS 2.0, can't get split and/or geoip working - trying to split my xforwardfor field and pass into geoip

Related topics