
Configuring Logstash GeoIP for Kibana

Logstash has a sweet geoip filter which reads an IP address and outputs latitude and longitude in separate fields, as floats. Kibana’s ‘bettermap’ panel needs an array of floats in order to plot events. Unfortunately Logstash 1.1.13 doesn’t support nested arrays in the configuration files, so it’s not possible to create an array with ‘add_field’. Instead we must use ‘merge’. I decided to use ‘add_field’ to copy ‘geoip.latitude’ and ‘geoip.longitude’ into new fields (thereby converting them to strings), then merge them into an array, convert the array back to float, and delete any extra fields.

filter {
  geoip {
    type => "stingray"
    add_tag => [ "geoip" ]
    source => "clientip"
  }
  mutate {
    tags => [ "geoip" ]
    # 'coords' will be kept, 'tmplat' is temporary.
    # Both of these new fields are strings.
    add_field => [ "coords", "%{geoip.longitude}",
                   "tmplat", "%{geoip.latitude}" ]
  }
  mutate {
    tags => [ "geoip" ]
    # Merge 'tmplat' into 'coords'
    merge => [ "coords", "tmplat" ]
  }
  mutate {
    tags => [ "geoip" ]
    # Convert our new array of strings back to float
    convert => [ "coords", "float" ]
    # Delete our temporary latitude field
    remove => [ "tmplat" ]
  }
}
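To see what each mutate step does to the event, and to check the documents Logstash actually writes, here is an added Python emulation of the chain above plus a validator for the [longitude, latitude] float pair bettermap wants. It is not part of the original post or of Logstash; the function names, the sample event and the geoip coordinates are constructed for illustration.

```python
def apply_geoip_pipeline(event):
    """Emulate the three mutate blocks on one event dict.
    'geoip' stands in for the lookup result the geoip filter attaches;
    when it is absent the 'geoip' tag is never added, so every
    tag-guarded mutate is skipped and no 'coords' field appears."""
    out = dict(event)
    geo = out.get("geoip")
    if not geo:
        return out
    out["tags"] = list(out.get("tags", [])) + ["geoip"]
    # mutate 1: add_field interpolates %{...}, so both values become strings
    out["coords"] = str(geo["longitude"])
    out["tmplat"] = str(geo["latitude"])
    # mutate 2: merge turns 'coords' into an array and appends 'tmplat'
    out["coords"] = [out["coords"], out["tmplat"]]
    # mutate 3: convert every element to float, drop the temporary field
    out["coords"] = [float(v) for v in out["coords"]]
    del out["tmplat"]
    return out


def check_bettermap_coords(doc):
    """True if 'coords' is a two-element float array in [lon, lat] order
    with both values inside their valid ranges."""
    coords = doc.get("coords")
    if not (isinstance(coords, list) and len(coords) == 2):
        return False
    lon, lat = coords
    if not all(isinstance(v, float) for v in (lon, lat)):
        return False
    return -180.0 <= lon <= 180.0 and -90.0 <= lat <= 90.0


# Constructed sample events: one with a successful lookup, one private
# address where the geoip filter produces nothing.
SAMPLE = {"type": "stingray", "clientip": "203.0.113.10",
          "geoip": {"latitude": 51.5, "longitude": -0.12}}
PRIVATE = {"type": "stingray", "clientip": "10.0.0.5"}

if __name__ == "__main__":
    print(apply_geoip_pipeline(SAMPLE)["coords"])  # [-0.12, 51.5]
    print(check_bettermap_coords(apply_geoip_pipeline(SAMPLE)))
```

Running `check_bettermap_coords` over documents pulled back from Elasticsearch catches the case where the convert step was left out and the array is still two strings.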