2016-01-25 15:06:39 -05:00
[[ingest-geoip]]
2016-02-11 20:40:32 -05:00
=== Ingest Geoip Processor Plugin
2016-01-25 15:06:39 -05:00
The GeoIP processor adds information about the geographical location of IP addresses, based on data from the Maxmind databases.
2016-09-28 04:03:43 -04:00
This processor adds this information by default under the `geoip` field. The `geoip` processor can resolve both IPv4 and
IPv6 addresses.
2016-01-25 15:06:39 -05:00
2017-12-22 01:51:44 -05:00
The ingest-geoip plugin ships by default with the GeoLite2 City, GeoLite2 Country and GeoLite2 ASN geoip2 databases from Maxmind made available
2017-12-19 08:24:30 -05:00
under the CCA-ShareAlike 4.0 license. For more details see, http://dev.maxmind.com/geoip/geoip2/geolite2/
2016-01-25 15:06:39 -05:00
2016-03-04 01:49:31 -05:00
The GeoIP processor can run with other geoip2 databases from Maxmind. The files must be copied into the geoip config directory,
2018-03-12 03:07:33 -04:00
and the `database_file` option should be used to specify the filename of the custom database. Custom database files must be stored
uncompressed. The geoip config directory is located at `$ES_HOME/config/ingest-geoip` and holds the shipped databases too.
2016-01-25 15:06:39 -05:00
2017-04-20 09:01:37 -04:00
:plugin_name: ingest-geoip
include::install_remove.asciidoc[]
2016-06-08 15:55:59 -04:00
[[using-ingest-geoip]]
==== Using the Geoip Processor in a Pipeline
[[ingest-geoip-options]]
2016-01-25 15:06:39 -05:00
.Geoip options
[options="header"]
|======
| Name | Required | Default | Description
2016-04-20 12:00:11 -04:00
| `field` | yes | - | The field to get the ip address from for the geographical lookup.
2016-01-25 15:06:39 -05:00
| `target_field` | no | geoip | The field that will hold the geographical information looked up from the Maxmind database.
2018-03-12 03:07:33 -04:00
| `database_file` | no | GeoLite2-City.mmdb | The database filename in the geoip config directory. The ingest-geoip plugin ships with the GeoLite2-City.mmdb, GeoLite2-Country.mmdb and GeoLite2-ASN.mmdb files.
2018-07-20 14:23:29 -04:00
| `properties` | no | [`continent_name`, `country_iso_code`, `region_iso_code`, `region_name`, `city_name`, `location`] * | Controls what properties are added to the `target_field` based on the geoip lookup.
2016-12-20 13:53:28 -05:00
| `ignore_missing` | no | `false` | If `true` and `field` does not exist, the processor quietly exits without modifying the document
2016-01-25 15:06:39 -05:00
|======
2016-02-11 20:40:32 -05:00
*Depends on what is available in `database_field`:
2016-03-04 01:49:31 -05:00
* If the GeoLite2 City database is used, then the following fields may be added under the `target_field`: `ip`,
2018-07-20 14:23:29 -04:00
`country_iso_code`, `country_name`, `continent_name`, `region_iso_code`, `region_name`, `city_name`, `timezone`, `latitude`, `longitude`
2016-04-20 12:00:11 -04:00
and `location`. The fields actually added depend on what has been found and which properties were configured in `properties`.
2016-03-04 01:49:31 -05:00
* If the GeoLite2 Country database is used, then the following fields may be added under the `target_field`: `ip`,
2017-12-22 01:51:44 -05:00
`country_iso_code`, `country_name` and `continent_name`. The fields actually added depend on what has been found and which properties
were configured in `properties`.
* If the GeoLite2 ASN database is used, then the following fields may be added under the `target_field`: `ip`,
`asn`, and `organization_name`. The fields actually added depend on what has been found and which properties were configured
in `properties`.
2016-01-25 15:06:39 -05:00
2016-03-04 01:49:31 -05:00
Here is an example that uses the default city database and adds the geographical information to the `geoip` field based on the `ip` field:
2016-01-25 15:06:39 -05:00
[source,js]
--------------------------------------------------
2016-08-10 08:55:42 -04:00
PUT _ingest/pipeline/geoip
2016-01-25 15:06:39 -05:00
{
2016-08-10 08:55:42 -04:00
"description" : "Add geoip info",
2016-01-25 15:06:39 -05:00
"processors" : [
{
"geoip" : {
2016-04-20 12:00:11 -04:00
"field" : "ip"
2016-01-25 15:06:39 -05:00
}
}
]
}
2016-08-10 08:55:42 -04:00
PUT my_index/my_type/my_id?pipeline=geoip
{
"ip": "8.8.8.8"
}
GET my_index/my_type/my_id
--------------------------------------------------
// CONSOLE
Which returns:
[source,js]
--------------------------------------------------
{
"found": true,
"_index": "my_index",
"_type": "my_type",
"_id": "my_id",
"_version": 1,
"_source": {
"ip": "8.8.8.8",
"geoip": {
"continent_name": "North America",
"country_iso_code": "US",
2017-12-19 08:24:30 -05:00
"location": { "lat": 37.751, "lon": -97.822 }
2016-08-10 08:55:42 -04:00
}
}
}
2016-01-25 15:06:39 -05:00
--------------------------------------------------
2016-08-10 08:55:42 -04:00
// TESTRESPONSE
2016-01-25 15:06:39 -05:00
2016-08-10 08:55:42 -04:00
Here is an example that uses the default country database and adds the
geographical information to the `geo` field based on the `ip` field`. Note that
this database is included in the plugin download. So this:
2016-01-25 15:06:39 -05:00
[source,js]
--------------------------------------------------
2016-08-10 08:55:42 -04:00
PUT _ingest/pipeline/geoip
2016-01-25 15:06:39 -05:00
{
2016-08-10 08:55:42 -04:00
"description" : "Add geoip info",
2016-01-25 15:06:39 -05:00
"processors" : [
{
"geoip" : {
2016-04-20 12:00:11 -04:00
"field" : "ip",
2016-01-25 15:06:39 -05:00
"target_field" : "geo",
2018-03-12 03:07:33 -04:00
"database_file" : "GeoLite2-Country.mmdb"
2016-01-25 15:06:39 -05:00
}
}
]
}
2016-08-10 08:55:42 -04:00
PUT my_index/my_type/my_id?pipeline=geoip
{
"ip": "8.8.8.8"
}
GET my_index/my_type/my_id
--------------------------------------------------
// CONSOLE
returns this:
[source,js]
--------------------------------------------------
{
"found": true,
"_index": "my_index",
"_type": "my_type",
"_id": "my_id",
"_version": 1,
"_source": {
"ip": "8.8.8.8",
"geo": {
"continent_name": "North America",
"country_iso_code": "US",
}
}
}
2016-01-25 15:06:39 -05:00
--------------------------------------------------
2016-08-10 08:55:42 -04:00
// TESTRESPONSE
2016-09-13 21:12:02 -04:00
Not all IP addresses find geo information from the database, When this
occurs, no `target_field` is inserted into the document.
2017-12-19 08:24:30 -05:00
Here is an example of what documents will be indexed as when information for "80.231.5.0"
2016-09-13 21:12:02 -04:00
cannot be found:
[source,js]
--------------------------------------------------
PUT _ingest/pipeline/geoip
{
"description" : "Add geoip info",
"processors" : [
{
"geoip" : {
"field" : "ip"
}
}
]
}
PUT my_index/my_type/my_id?pipeline=geoip
{
2017-12-19 08:24:30 -05:00
"ip": "80.231.5.0"
2016-09-13 21:12:02 -04:00
}
GET my_index/my_type/my_id
--------------------------------------------------
// CONSOLE
Which returns:
[source,js]
--------------------------------------------------
{
"found": true,
"_index": "my_index",
"_type": "my_type",
"_id": "my_id",
"_version": 1,
"_source": {
2017-12-19 08:24:30 -05:00
"ip": "80.231.5.0"
2016-09-13 21:12:02 -04:00
}
}
--------------------------------------------------
// TESTRESPONSE
2016-12-19 04:06:12 -05:00
[[ingest-geoip-settings]]
===== Node Settings
The geoip processor supports the following setting:
`ingest.geoip.cache_size`::
The maximum number of results that should be cached. Defaults to `1000`.
2017-10-25 10:15:10 -04:00
Note that these settings are node settings and apply to all geoip processors, i.e. there is one cache for all defined geoip processors.