我想在docker的elk堆栈中使用geoip。根据这个文档我添加了配置
https://www.elastic.co/blog/geoip-in-the-elastic-stack
这是我的logstash.conf
input {
beats {
port => 5044
}
}
filter {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
geoip {
source => "clientip"
}
}
output {
elasticsearch {
hosts => "elasticsearch:9200"
manage_template => false
index => "logstash-%{+YYYY.MM.dd}"
}
}
我知道我应该在某个地方添加这个json。但我不知道我应该在哪里这样做?
"geoip" : {
"dynamic": true,
"properties" : {
"ip": { "type": "ip" },
"location" : { "type" : "geo_point" },
"latitude" : { "type" : "half_float" },
"longitude" : { "type" : "half_float" }
}
}
你的logstash管道没问题。您尝试添加的json是由logstash自动生成的映射。
考虑到您在Elasticsearch集群中使用Kibana:
go to management -> index patern -> Create Index Pattern -> type "logstash-*" or a name that fits your need with this index -> select
timestamp and hit "create index pattern".
如果在此步骤中无法显示地理数据,则可能是数据中的IP与公共区域无关。你可以在这里试试你的IP:https://www.maxmind.com/en/geoip-demo