logstash - geoip in Kibana does not display anything for the IP addresses

Time: 2014-08-21 16:23:57

Tags: elasticsearch logstash geoip kibana

I want to display the number of users accessing my application on a world map, using ElasticSearch, Kibana and Logstash.

Here is my log (JSON format):

{
  "device": "",
  "public_ip": "70.90.17.210",
  "mac": "00:01:02:03:04:05",
  "ip": "192.16.1.10",
  "event": {
    "timestamp": "2014-08-15T00:00:00.000Z",
    "source": "system",
    "name": "status"
  },
  "status": {
    "channel": "channelname",
    "section": "pictures",
    "downlink": 1362930,
    "network": "Wi-Fi"
  }
}

Here is my configuration file:

input {
  file { 
    path => ["/mnt/logs/stb.events"]
    codec => "json" 
    type => "event" 
  }
}
filter {
    date    {
        match => [ "timestamp", "yyyy-MM-dd HH:mm:ss", "ISO8601" ]
    }
}

filter {
    mutate  {
        convert => [ "downlink", "integer" ]
    }
}
filter {
    geoip {
      add_tag => [ "geoip" ]
      database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
      source => "public_ip"
      target => "geoip"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }
    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
}
output { 
  elasticsearch {
    host => localhost
  }
}

In the end, in Kibana I only see an empty geoip tag.

Can someone help me and point out where my mistake is?

1 answer:

Answer 0: (score: 2)

Starting with Logstash 1.3.0, you can use the automatically created geoip.location field instead of creating a coordinates field and converting it to float by hand.

It looks like a brace is missing in your log; I assume this is the correct format:

{
    "device": {
        "public_ip": "70.90.17.210",
        "mac": "00:01:02:03:04:05",
        "ip": "192.16.1.10"
    },
    "event": {
        "timestamp": "2014-08-15T00:00:00.000Z",
        "source": "system",
        "name": "status"
    },
    "status": {
        "channel": "channelname",
        "section": "pictures",
        "downlink": 1362930,
        "network": "Wi-Fi"
    }
}

In that case, I suggest you try the following configuration for the filter (without the mutate):

filter {
    geoip {
        source => "[device][public_ip]"
    }
}

Then you should be able to use "geoip.location" in your map. I did some research and debugging and found that, for nested fields to be resolved correctly, they must be surrounded by [] when used as the source.
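A complete pipeline for the corrected log layout, as an added example that is not part of the question or the answer above. It assumes the nested format the answer proposes, Logstash 1.3.0 or later, and the default logstash-* index template, which maps geoip.location as a geo_point so Kibana can plot it:

```logstash
# Added example, not the original poster's configuration. Every nested field
# is addressed with [parent][child]; a bare name such as "timestamp" or
# "downlink" only matches a top-level field and silently does nothing here.
input {
  file {
    path  => ["/mnt/logs/stb.events"]
    codec => "json"
    type  => "event"
  }
}

filter {
  # The timestamp is nested under "event", so match on [event][timestamp].
  date {
    match => [ "[event][timestamp]", "ISO8601" ]
  }

  # downlink lives under "status"; convert it there.
  mutate {
    convert => [ "[status][downlink]", "integer" ]
  }

  # Run the lookup only when the nested source field is present. Note that the
  # GeoLite database has no entries for private ranges (10/8, 172.16/12,
  # 192.168/16), so events carrying such an address get no geoip fields.
  if [device][public_ip] {
    geoip {
      source   => "[device][public_ip]"
      database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
      # No target, add_field or mutate needed: geoip.location, a
      # [longitude, latitude] pair, is created automatically.
    }
  } else {
    mutate { add_tag => [ "no_public_ip" ] }   # assumed tag name, for triage
  }
}

output {
  elasticsearch {
    host => "localhost"
  }
}
```

In Kibana, point the map panel at geoip.location; the no_public_ip tag lets you count events that never reached the geoip filter.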