Using the Geoip Processor in a Pipeline
Table 2. Geoip options
Name | Required | Default | Description |
---|---|---|---|
| yes | - | The field to get the ip address from for the geographical lookup. |
| no | geoip | The field that will hold the geographical information looked up from the Maxmind database. |
| no | GeoLite2-City.mmdb | The database filename in the geoip config directory. The ingest-geoip plugin ships with the GeoLite2-City.mmdb, GeoLite2-Country.mmdb and GeoLite2-ASN.mmdb files. |
| no | [ | Controls what properties are added to the |
| no | | If |
*Depends on what is available in `database_file`:
- If the GeoLite2 City database is used, then the following fields may be added under the `target_field`: `ip`, `country_iso_code`, `country_name`, `continent_name`, `region_iso_code`, `region_name`, `city_name`, `timezone`, `latitude`, `longitude` and `location`. The fields actually added depend on what has been found and which properties were configured in `properties`.
- If the GeoLite2 Country database is used, then the following fields may be added under the `target_field`: `ip`, `country_iso_code`, `country_name` and `continent_name`. The fields actually added depend on what has been found and which properties were configured in `properties`.
- If the GeoLite2 ASN database is used, then the following fields may be added under the `target_field`: `ip`, `asn`, and `organization_name`. The fields actually added depend on what has been found and which properties were configured in `properties`.
Here is an example that uses the default city database and adds the geographical information to the `geoip` field based on the `ip` field:
```console
PUT _ingest/pipeline/geoip
{
  "description" : "Add geoip info",
  "processors" : [
    {
      "geoip" : {
        "field" : "ip"
      }
    }
  ]
}

PUT my_index/_doc/my_id?pipeline=geoip
{
  "ip": "8.8.8.8"
}

GET my_index/_doc/my_id
```
Which returns:
```json
{
  "found": true,
  "_index": "my_index",
  "_type": "_doc",
  "_id": "my_id",
  "_version": 1,
  "_seq_no": 55,
  "_primary_term": 1,
  "_source": {
    "ip": "8.8.8.8",
    "geoip": {
      "continent_name": "North America",
      "country_iso_code": "US",
      "location": { "lat": 37.751, "lon": -97.822 }
    }
  }
}
```
Here is an example that uses the default country database and adds the geographical information to the `geo` field based on the `ip` field. Note that this database is included in the plugin download. So this:
```console
PUT _ingest/pipeline/geoip
{
  "description" : "Add geoip info",
  "processors" : [
    {
      "geoip" : {
        "field" : "ip",
        "target_field" : "geo",
        "database_file" : "GeoLite2-Country.mmdb"
      }
    }
  ]
}

PUT my_index/_doc/my_id?pipeline=geoip
{
  "ip": "8.8.8.8"
}

GET my_index/_doc/my_id
```
returns this:
```json
{
  "found": true,
  "_index": "my_index",
  "_type": "_doc",
  "_id": "my_id",
  "_version": 1,
  "_seq_no": 65,
  "_primary_term": 1,
  "_source": {
    "ip": "8.8.8.8",
    "geo": {
      "continent_name": "North America",
      "country_iso_code": "US"
    }
  }
}
```
Not every IP address has geo information in the database. When a lookup finds nothing, no `target_field` is inserted into the document.
Here is an example of how a document is indexed when information for "80.231.5.0" cannot be found:
```console
PUT _ingest/pipeline/geoip
{
  "description" : "Add geoip info",
  "processors" : [
    {
      "geoip" : {
        "field" : "ip"
      }
    }
  ]
}

PUT my_index/_doc/my_id?pipeline=geoip
{
  "ip": "80.231.5.0"
}

GET my_index/_doc/my_id
```
Which returns:
```json
{
  "_index" : "my_index",
  "_type" : "_doc",
  "_id" : "my_id",
  "_version" : 1,
  "_seq_no" : 71,
  "_primary_term": 1,
  "found" : true,
  "_source" : {
    "ip" : "80.231.5.0"
  }
}
```
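Because a failed lookup leaves the target field out entirely, any rule that reads `geoip.country_iso_code` has to treat its absence as a separate outcome. The following Python is an added example, not code from the plugin or its documentation; the function names, status labels and the last two sample documents are assumptions made for illustration.

```python
import ipaddress

# _source bodies: the first two are the responses shown on this page,
# the last two are constructed for this example.
SAMPLES = [
    {"ip": "8.8.8.8", "geoip": {"continent_name": "North America",
                                "country_iso_code": "US",
                                "location": {"lat": 37.751, "lon": -97.822}}},
    {"ip": "80.231.5.0"},
    {"ip": "10.0.0.5"},
    {"ip": "not-an-ip"},
]


def enrichment_status(source, ip_field="ip", target_field="geoip"):
    """Classify a document by the outcome of the geoip processor."""
    if target_field in source:
        return "enriched"
    try:
        addr = ipaddress.ip_address(source.get(ip_field, ""))
    except ValueError:
        return "invalid_ip"
    # Private, loopback, link-local and similar ranges have no public
    # geolocation, so a missing target field is expected for them.
    return "unresolved_public" if addr.is_global else "non_routable"


def country_decision(source, allowed, target_field="geoip"):
    """Return 'allow', 'deny' or 'review' for a country allow-list rule.

    A missing target field or country_iso_code yields 'review', so an
    unenriched document is never counted as a match or as a pass.
    """
    country = source.get(target_field, {}).get("country_iso_code")
    if country is None:
        return "review"
    return "allow" if country in allowed else "deny"


if __name__ == "__main__":
    for doc in SAMPLES:
        print(doc["ip"], enrichment_status(doc), country_decision(doc, {"US"}))
```
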
Recognizing Location as a Geopoint
Although this plugin enriches your document with a `location` field containing the estimated latitude and longitude of the IP address, this field will not be indexed as a `geo_point` type in Elasticsearch without explicitly defining it as such in the mapping.
You can use the following mapping for the example index above:
```console
PUT my_ip_locations
{
  "mappings": {
    "_doc": {
      "properties": {
        "geoip": {
          "properties": {
            "location": { "type": "geo_point" }
          }
        }
      }
    }
  }
}
```
Node Settings
The geoip processor supports the following setting:
- `ingest.geoip.cache_size`: The maximum number of results that should be cached. Defaults to 1000.
Note that these settings are node settings and apply to all geoip processors, i.e. there is one cache for all defined geoip processors.