I am trying to use elasticsearch and logstash and to get the geoip location filter working. I have some log files for which the grok filter is working, but the geoip filter is not working properly. My conf file is
input {
  stdin { }
}
filter {
  grok {
    match => [
      "message" , "%{IP:ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:verb} %{DATA:request}/%{UUID:tenant}\/%{WORD:ren}\/%{WORD:rem}\/%{WORD:component}?%{DATA:rest}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)"
    ]
  }
  geoip {
    source => "ip"
  }
}
output {
  stdout { codec => rubydebug }
}
When I run
C:\A1-Kapil\B9-ELK\logstash\bin>logstash -f sample2.conf -l test.log --verbose
io/console not supported; tty will not be manipulated
Sending logstash logs to test.log.
10.45.32.9 - - [06/Jul/2014:06:44:35 -0700] "GET /NSDServices/odata/DiscoveryConfig?$format=JSON HTTP/1.1" 200 1556 0.020
{
       "message" => "10.45.32.9 - - [06/Jul/2014:06:44:35 -0700] \"GET /NSDServices/odata/DiscoveryConfig?$format=JSON HTTP/1.1\" 200 1556 0.020\r",
      "@version" => "1",
    "@timestamp" => "2015-10-31T06:02:34.372Z",
          "host" => "LKUMAK7W7HYD",
            "ip" => "10.45.32.9",
         "ident" => "-",
          "auth" => "-",
     "timestamp" => "06/Jul/2014:06:44:35 -0700",
    "rawrequest" => "GET /NSDServices/odata/DiscoveryConfig?$format=JSON HTTP/1.1",
      "response" => "200",
         "bytes" => "1556"
}
You can see that I am getting the ip, but I do not get the geoip field...
At the same time, if I use this conf file:
input {
  stdin { }
}
filter {
  grok { match => ['message', '%{IP:ip}' ] }
  geoip {
    source => "ip"
  }
}
output {
  stdout { codec => rubydebug }
}
and run it, I get the correct output:
C:\A1-Kapil\B9-ELK\logstash\bin>logstash -f sample2.conf -l test.log --verbose
io/console not supported; tty will not be manipulated
Sending logstash logs to test.log.
8.8.8.8
{
       "message" => "8.8.8.8\r",
      "@version" => "1",
    "@timestamp" => "2015-10-31T05:57:10.252Z",
          "host" => "LKUMAK7W7HYD",
            "ip" => "8.8.8.8",
         "geoip" => {
                     "ip" => "8.8.8.8",
          "country_code2" => "US",
          "country_code3" => "USA",
           "country_name" => "United States",
         "continent_code" => "NA",
            "region_name" => "CA",
              "city_name" => "Mountain View",
            "postal_code" => "94043",
               "latitude" => 37.41919999999999,
              "longitude" => -122.0574,
               "dma_code" => 807,
              "area_code" => 650,
               "timezone" => "America/Los_Angeles",
       "real_region_name" => "California",
               "location" => [
            [0] -122.0574,
            [1] 37.41919999999999
        ]
    }
}
This one works.
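An added pre-check, not part of the original post and not Logstash's own code, that accounts for the difference between the two runs: 10.45.32.9 is an RFC 1918 private address, which no GeoIP database can place, while 8.8.8.8 is globally routable. The helper names `extract_ip`, `geoip_eligible` and `triage` are hypothetical, the regex is a simplified stand-in for `%{IP:ip}`, and the two sample lines are constructed from the post's output.

```python
import ipaddress
import re

# Constructed sample lines mirroring the two inputs shown in the post.
SAMPLE_LINES = [
    '10.45.32.9 - - [06/Jul/2014:06:44:35 -0700] "GET /NSDServices/odata/'
    'DiscoveryConfig?$format=JSON HTTP/1.1" 200 1556 0.020',
    "8.8.8.8",
]

# Simplified stand-in for the %{IP:ip} grok pattern: a leading IPv4 address.
IP_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def extract_ip(line):
    """Return the leading IPv4 address of a log line, or None."""
    m = IP_RE.match(line)
    return m.group("ip") if m else None


def geoip_eligible(ip_text):
    """Return (eligible, reason).

    GeoIP databases only cover globally routable addresses; private (RFC 1918),
    loopback, link-local, multicast and reserved ranges produce no record, so a
    geoip lookup on them cannot add a geoip field.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False, "not an IP address"
    if ip.is_private:
        return False, "private (RFC 1918) address"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved:
        return False, "non-routable address"
    return True, "globally routable"


def triage(lines):
    """Classify each line as (ip, eligible, reason) before any geoip lookup."""
    results = []
    for line in lines:
        ip = extract_ip(line)
        if ip is None:
            results.append((None, False, "no leading IP"))
            continue
        ok, why = geoip_eligible(ip)
        results.append((ip, ok, why))
    return results
```

Lines that fail this check are the ones to expect without a geoip field; routing them past the filter, or tagging them, keeps the absence from looking like a broken pipeline.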