Hi Jan,
please post some examples of the content of the "FW_SourceIP" field of the
messages in your Graylog instance.
Cheers,
Jochen
On Monday, 29 August 2016 14:30:51 UTC+2, Jan wrote:
>
> Hi all,
>
> I've just activated the Geo-Location processor within my Graylog
> environment and noticed that it does not create _geolocation fields for any
> of my custom fields containing an IP-address.
> Other fields like "source" work fine so I think this is not a general
> issue with the plugin. I changed the order for message processing to 1.
> Pipeline Processor, 2. Message Filter Chain and 3. GeoIP Resolver
> because I extract a lot of fields within pipeline rules.
>
> As an example I create a field called "FW_SourceIP":
>
> let matcherSrcIp = regex(
> ".*srcip=((?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])).*"
> , to_string($message.message));
> set_field("FW_SourceIP", to_ip(matcherSrcIp["0"]));
>
> I'm able to use the created field and use it without any problems but I
> never get a field "FW_SourceIP_geolocation".
> The field is stored as a string within the ES index.
>
> Has anyone used this combination of fields, pipeline rules and the GeoIP
> plugin?
>
> Regards,
> Jan
>
>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/05835d05-5121-4d7d-97ce-2cefb152551d%40googlegroups.com.