2018-12-22 20:31:07 -05:00
[[geoip-processor]]
=== GeoIP Processor
2016-01-25 15:06:39 -05:00
2018-12-22 09:49:56 -05:00
The `geoip` processor adds information about the geographical location of IP addresses, based on data from the Maxmind databases.
2016-09-28 04:03:43 -04:00
This processor adds this information by default under the `geoip` field. The `geoip` processor can resolve both IPv4 and
IPv6 addresses.
2016-01-25 15:06:39 -05:00
2018-12-22 09:49:56 -05:00
The `ingest-geoip` module ships by default with the GeoLite2 City, GeoLite2 Country and GeoLite2 ASN geoip2 databases from Maxmind made available
2017-12-19 08:24:30 -05:00
under the CCA-ShareAlike 4.0 license. For more details see, http://dev.maxmind.com/geoip/geoip2/geolite2/
2016-01-25 15:06:39 -05:00
2018-12-22 09:49:56 -05:00
The `geoip` processor can run with other GeoIP2 databases from Maxmind. The files must be copied into the `ingest-geoip` config directory,
2018-03-12 03:07:33 -04:00
and the `database_file` option should be used to specify the filename of the custom database. Custom database files must be stored
2018-12-22 09:49:56 -05:00
uncompressed. The `ingest-geoip` config directory is located at `$ES_HOME/config/ingest-geoip`.
2016-01-25 15:06:39 -05:00
2016-06-08 15:55:59 -04:00
[[using-ingest-geoip]]
2018-12-22 09:49:56 -05:00
==== Using the `geoip` Processor in a Pipeline
2016-06-08 15:55:59 -04:00
[[ingest-geoip-options]]
2018-12-22 09:49:56 -05:00
.`geoip` options
2016-01-25 15:06:39 -05:00
[options="header"]
|======
| Name | Required | Default | Description
2016-04-20 12:00:11 -04:00
| `field` | yes | - | The field to get the ip address from for the geographical lookup.
2016-01-25 15:06:39 -05:00
| `target_field` | no | geoip | The field that will hold the geographical information looked up from the Maxmind database.
2018-12-22 07:21:49 -05:00
| `database_file` | no | GeoLite2-City.mmdb | The database filename in the geoip config directory. The ingest-geoip module ships with the GeoLite2-City.mmdb, GeoLite2-Country.mmdb and GeoLite2-ASN.mmdb files.
2018-07-20 14:23:29 -04:00
| `properties` | no | [`continent_name`, `country_iso_code`, `region_iso_code`, `region_name`, `city_name`, `location`] * | Controls what properties are added to the `target_field` based on the geoip lookup.
2016-12-20 13:53:28 -05:00
| `ignore_missing` | no | `false` | If `true` and `field` does not exist, the processor quietly exits without modifying the document
2016-01-25 15:06:39 -05:00
|======
2016-02-11 20:40:32 -05:00
*Depends on what is available in `database_field`:
2016-03-04 01:49:31 -05:00
* If the GeoLite2 City database is used, then the following fields may be added under the `target_field`: `ip`,
2018-07-20 14:23:29 -04:00
`country_iso_code`, `country_name`, `continent_name`, `region_iso_code`, `region_name`, `city_name`, `timezone`, `latitude`, `longitude`
2016-04-20 12:00:11 -04:00
and `location`. The fields actually added depend on what has been found and which properties were configured in `properties`.
2016-03-04 01:49:31 -05:00
* If the GeoLite2 Country database is used, then the following fields may be added under the `target_field`: `ip`,
2017-12-22 01:51:44 -05:00
`country_iso_code`, `country_name` and `continent_name`. The fields actually added depend on what has been found and which properties
were configured in `properties`.
* If the GeoLite2 ASN database is used, then the following fields may be added under the `target_field`: `ip`,
`asn`, and `organization_name`. The fields actually added depend on what has been found and which properties were configured
in `properties`.
2016-01-25 15:06:39 -05:00
2016-03-04 01:49:31 -05:00
Here is an example that uses the default city database and adds the geographical information to the `geoip` field based on the `ip` field:
2016-01-25 15:06:39 -05:00
[source,js]
--------------------------------------------------
2016-08-10 08:55:42 -04:00
PUT _ingest/pipeline/geoip
2016-01-25 15:06:39 -05:00
{
2016-08-10 08:55:42 -04:00
"description" : "Add geoip info",
2016-01-25 15:06:39 -05:00
"processors" : [
{
"geoip" : {
2016-04-20 12:00:11 -04:00
"field" : "ip"
2016-01-25 15:06:39 -05:00
}
}
]
}
2018-10-22 14:54:04 -04:00
PUT my_index/_doc/my_id?pipeline=geoip
2016-08-10 08:55:42 -04:00
{
"ip": "8.8.8.8"
}
2018-10-22 14:54:04 -04:00
GET my_index/_doc/my_id
2016-08-10 08:55:42 -04:00
--------------------------------------------------
// CONSOLE
Which returns:
[source,js]
--------------------------------------------------
{
"found": true,
"_index": "my_index",
2018-10-22 14:54:04 -04:00
"_type": "_doc",
2016-08-10 08:55:42 -04:00
"_id": "my_id",
"_version": 1,
2018-12-17 09:22:13 -05:00
"_seq_no": 55,
"_primary_term": 1,
2016-08-10 08:55:42 -04:00
"_source": {
"ip": "8.8.8.8",
"geoip": {
"continent_name": "North America",
"country_iso_code": "US",
2017-12-19 08:24:30 -05:00
"location": { "lat": 37.751, "lon": -97.822 }
2016-08-10 08:55:42 -04:00
}
}
}
2016-01-25 15:06:39 -05:00
--------------------------------------------------
2018-12-17 09:22:13 -05:00
// TESTRESPONSE[s/"_seq_no": \d+/"_seq_no" : $body._seq_no/ s/"_primary_term":1/"_primary_term" : $body._primary_term/]
2016-01-25 15:06:39 -05:00
2016-08-10 08:55:42 -04:00
Here is an example that uses the default country database and adds the
geographical information to the `geo` field based on the `ip` field`. Note that
2018-12-22 07:21:49 -05:00
this database is included in the module. So this:
2016-01-25 15:06:39 -05:00
[source,js]
--------------------------------------------------
2016-08-10 08:55:42 -04:00
PUT _ingest/pipeline/geoip
2016-01-25 15:06:39 -05:00
{
2016-08-10 08:55:42 -04:00
"description" : "Add geoip info",
2016-01-25 15:06:39 -05:00
"processors" : [
{
"geoip" : {
2016-04-20 12:00:11 -04:00
"field" : "ip",
2016-01-25 15:06:39 -05:00
"target_field" : "geo",
2018-03-12 03:07:33 -04:00
"database_file" : "GeoLite2-Country.mmdb"
2016-01-25 15:06:39 -05:00
}
}
]
}
2018-10-22 14:54:04 -04:00
PUT my_index/_doc/my_id?pipeline=geoip
2016-08-10 08:55:42 -04:00
{
"ip": "8.8.8.8"
}
2018-10-22 14:54:04 -04:00
GET my_index/_doc/my_id
2016-08-10 08:55:42 -04:00
--------------------------------------------------
// CONSOLE
returns this:
[source,js]
--------------------------------------------------
{
"found": true,
"_index": "my_index",
2018-10-22 14:54:04 -04:00
"_type": "_doc",
2016-08-10 08:55:42 -04:00
"_id": "my_id",
"_version": 1,
2018-12-17 09:22:13 -05:00
"_seq_no": 65,
"_primary_term": 1,
2016-08-10 08:55:42 -04:00
"_source": {
"ip": "8.8.8.8",
"geo": {
"continent_name": "North America",
"country_iso_code": "US",
}
}
}
2016-01-25 15:06:39 -05:00
--------------------------------------------------
2018-12-17 09:22:13 -05:00
// TESTRESPONSE[s/"_seq_no": \d+/"_seq_no" : $body._seq_no/ s/"_primary_term" : 1/"_primary_term" : $body._primary_term/]
2016-09-13 21:12:02 -04:00
Not all IP addresses find geo information from the database, When this
occurs, no `target_field` is inserted into the document.
2017-12-19 08:24:30 -05:00
Here is an example of what documents will be indexed as when information for "80.231.5.0"
2016-09-13 21:12:02 -04:00
cannot be found:
[source,js]
--------------------------------------------------
PUT _ingest/pipeline/geoip
{
"description" : "Add geoip info",
"processors" : [
{
"geoip" : {
"field" : "ip"
}
}
]
}
2018-11-14 23:05:45 -05:00
2018-10-22 14:54:04 -04:00
PUT my_index/_doc/my_id?pipeline=geoip
2016-09-13 21:12:02 -04:00
{
2017-12-19 08:24:30 -05:00
"ip": "80.231.5.0"
2016-09-13 21:12:02 -04:00
}
2018-11-14 23:05:45 -05:00
2018-10-22 14:54:04 -04:00
GET my_index/_doc/my_id
2016-09-13 21:12:02 -04:00
--------------------------------------------------
// CONSOLE
Which returns:
[source,js]
--------------------------------------------------
{
2018-11-14 23:05:45 -05:00
"_index" : "my_index",
"_type" : "_doc",
"_id" : "my_id",
"_version" : 1,
2018-12-17 09:22:13 -05:00
"_seq_no" : 71,
"_primary_term": 1,
2018-11-14 23:05:45 -05:00
"found" : true,
"_source" : {
"ip" : "80.231.5.0"
2016-09-13 21:12:02 -04:00
}
}
--------------------------------------------------
2018-12-17 09:22:13 -05:00
// TESTRESPONSE[s/"_seq_no" : \d+/"_seq_no" : $body._seq_no/ s/"_primary_term" : 1/"_primary_term" : $body._primary_term/]
2016-12-19 04:06:12 -05:00
2018-11-14 23:05:45 -05:00
[[ingest-geoip-mappings-note]]
===== Recognizing Location as a Geopoint
2018-12-22 07:21:49 -05:00
Although this processor enriches your document with a `location` field containing
2018-11-14 23:05:45 -05:00
the estimated latitude and longitude of the IP address, this field will not be
2019-01-07 08:44:12 -05:00
indexed as a {ref}/geo-point.html[`geo_point`] type in Elasticsearch without explicitly defining it
2018-11-14 23:05:45 -05:00
as such in the mapping.
You can use the following mapping for the example index above:
[source,js]
--------------------------------------------------
2019-01-14 16:08:01 -05:00
PUT my_ip_locations?include_type_name=true
2018-11-14 23:05:45 -05:00
{
"mappings": {
"_doc": {
"properties": {
"geoip": {
"properties": {
"location": { "type": "geo_point" }
}
}
}
}
}
}
--------------------------------------------------
// CONSOLE
////
[source,js]
--------------------------------------------------
PUT _ingest/pipeline/geoip
{
"description" : "Add geoip info",
"processors" : [
{
"geoip" : {
"field" : "ip"
}
}
]
}
PUT my_ip_locations/_doc/1?refresh=true&pipeline=geoip
{
"ip": "8.8.8.8"
}
GET /my_ip_locations/_search
{
"query": {
"bool" : {
"must" : {
"match_all" : {}
},
"filter" : {
"geo_distance" : {
"distance" : "1m",
"geoip.location" : {
"lon" : -97.822,
"lat" : 37.751
}
}
}
}
}
}
--------------------------------------------------
// CONSOLE
// TEST[continued]
[source,js]
--------------------------------------------------
{
"took" : 3,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"hits" : {
2018-12-05 13:49:06 -05:00
"total" : {
"value": 1,
"relation": "eq"
},
2018-11-14 23:05:45 -05:00
"max_score" : 1.0,
"hits" : [
{
"_index" : "my_ip_locations",
"_type" : "_doc",
"_id" : "1",
"_score" : 1.0,
"_source" : {
"geoip" : {
"continent_name" : "North America",
"country_iso_code" : "US",
"location" : {
"lon" : -97.822,
"lat" : 37.751
}
},
"ip" : "8.8.8.8"
}
}
]
}
}
--------------------------------------------------
// TESTRESPONSE[s/"took" : 3/"took" : $body.took/]
////
2016-12-19 04:06:12 -05:00
[[ingest-geoip-settings]]
===== Node Settings
2018-12-22 09:49:56 -05:00
The `geoip` processor supports the following setting:
2016-12-19 04:06:12 -05:00
`ingest.geoip.cache_size`::
The maximum number of results that should be cached. Defaults to `1000`.
2018-12-22 09:49:56 -05:00
Note that these settings are node settings and apply to all `geoip` processors, i.e. there is one cache for all defined `geoip` processors.