  • geoip设置

    [elk@node01 conf]$ cat elk.conf 
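    # elk.conf - read one log line per event from stdin, extract a timestamp and
    # a client address, enrich the event with GeoIP data, and print the result.
    input {
      stdin {}
    }
    
    filter {
      # Expected line shape: "<HTTPDATE> <host-or-ip>", for example
      #   12/Sep/2016:21:32:33 +0800 202.101.172.35
      # The separator has to be written \s+ (one or more whitespace characters).
      # Without the backslash the pattern demands a literal "s" between the two
      # fields, and a line like the one above never matches.
      # Lines that do not match are tagged _grokparsefailure and carry no
      # clientip, so there is nothing for the geoip filter to look up.
      grok {
        match => ["message", "%{HTTPDATE:logdate}\s+%{IPORHOST:clientip}"]
      }
    
      # Parse the extracted text into @timestamp (stored as UTC) so the event is
      # stamped with the log time rather than the time it was read.
      date {
        match => ["logdate", "dd/MMM/yyyy:HH:mm:ss Z"]
      }
    
      # Keep the original timestamp text, under the name curdate.
      mutate {
        rename => {"logdate" => "curdate"}
      }
    
      # Look up clientip and place the result under [geoip].
      # The address is taken as-is from the log line: treat the geoip fields as
      # approximate enrichment, not as proof of where a request came from.
      # GeoLiteCity.dat is MaxMind's legacy database format; results are only as
      # current as this file. Later releases of the geoip filter read GeoLite2
      # .mmdb databases instead.
      geoip {
        source => "clientip"
        target => "geoip"
        database => "/usr/local/logstash-2.3.4/etc/GeoLiteCity.dat"
        # Two add_field entries with the same name build a two-element array.
        # The order is longitude, then latitude - the order Elasticsearch
        # expects when a geo_point is given as an array.
        add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
        add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
      }
    }
    
    # Pretty-print every event to the console for inspection.
    output {
      stdout {
        codec => rubydebug
      }
    }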
    
    [elk@node01 conf]$ logstash -f elk.conf 
    Settings: Default pipeline workers: 4
    Pipeline main started
    12/Sep/2016:21:32:33 +0800 202.101.172.35
    {
           "message" => "12/Sep/2016:21:32:33 +0800 202.101.172.35",
          "@version" => "1",
        "@timestamp" => "2016-09-12T13:32:33.000Z",
              "host" => "node01",
          "clientip" => "202.101.172.35",
           "curdate" => "12/Sep/2016:21:32:33 +0800",
             "geoip" => {
                          "ip" => "202.101.172.35",
               "country_code2" => "CN",
               "country_code3" => "CHN",
                "country_name" => "China",
              "continent_code" => "AS",
                 "region_name" => "02",
                   "city_name" => "Hangzhou",
                    "latitude" => 30.293599999999998,
                   "longitude" => 120.16140000000001,
                    "timezone" => "Asia/Shanghai",
            "real_region_name" => "Zhejiang",
                    "location" => [
                [0] 120.16140000000001,
                [1] 30.293599999999998
            ],
                 "coordinates" => [
                [0] 120.16140000000001,
                [1] 30.293599999999998
            ]
        }
    }
    
    
    [elk@node01 conf]$ cat elk.conf 
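    # elk.conf - same pipeline as before (stdin -> grok/date/mutate/geoip ->
    # stdout), with one extra field copied out of the geoip result.
    input {
      stdin {}
    }
    
    filter {
      # Expected line shape: "<HTTPDATE> <host-or-ip>", for example
      #   12/Sep/2016:21:32:33 +0800 202.101.172.35
      # The separator has to be written \s+ (one or more whitespace characters).
      # Without the backslash the pattern demands a literal "s" between the two
      # fields, and a line like the one above never matches.
      # Lines that do not match are tagged _grokparsefailure and carry no
      # clientip, so there is nothing for the geoip filter to look up.
      grok {
        match => ["message", "%{HTTPDATE:logdate}\s+%{IPORHOST:clientip}"]
      }
    
      # Parse the extracted text into @timestamp (stored as UTC) so the event is
      # stamped with the log time rather than the time it was read.
      date {
        match => ["logdate", "dd/MMM/yyyy:HH:mm:ss Z"]
      }
    
      # Keep the original timestamp text, under the name curdate.
      mutate {
        rename => {"logdate" => "curdate"}
      }
    
      # Look up clientip and place the result under [geoip].
      # The address is taken as-is from the log line: treat the geoip fields as
      # approximate enrichment, not as proof of where a request came from.
      # GeoLiteCity.dat is MaxMind's legacy database format; results are only as
      # current as this file. Later releases of the geoip filter read GeoLite2
      # .mmdb databases instead.
      geoip {
        source => "clientip"
        target => "geoip"
        database => "/usr/local/logstash-2.3.4/etc/GeoLiteCity.dat"
        # Two add_field entries with the same name build a two-element array.
        # The order is longitude, then latitude - the order Elasticsearch
        # expects when a geo_point is given as an array.
        add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
        add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
        # A field reference can index into an array: [location][0] is the first
        # element of [geoip][location], copied here into a top-level field.
        add_field => [ "xxipyy", "%{[geoip][location][0]}" ]
      }
    }
    
    # Pretty-print every event to the console for inspection.
    output {
      stdout {
        codec => rubydebug
      }
    }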
    [elk@node01 conf]$ logstash -f elk.conf 
    Settings: Default pipeline workers: 4
    Pipeline main started
    12/Sep/2016:21:32:33 +0800 202.101.172.35
    {
           "message" => "12/Sep/2016:21:32:33 +0800 202.101.172.35",
          "@version" => "1",
        "@timestamp" => "2016-09-12T13:32:33.000Z",
              "host" => "node01",
          "clientip" => "202.101.172.35",
           "curdate" => "12/Sep/2016:21:32:33 +0800",
             "geoip" => {
                          "ip" => "202.101.172.35",
               "country_code2" => "CN",
               "country_code3" => "CHN",
                "country_name" => "China",
              "continent_code" => "AS",
                 "region_name" => "02",
                   "city_name" => "Hangzhou",
                    "latitude" => 30.293599999999998,
                   "longitude" => 120.16140000000001,
                    "timezone" => "Asia/Shanghai",
            "real_region_name" => "Zhejiang",
                    "location" => [
                [0] 120.16140000000001,
                [1] 30.293599999999998
            ],
                 "coordinates" => [
                [0] 120.16140000000001,
                [1] 30.293599999999998
            ]
        },
            "xxipyy" => 120.16140000000001
    }
    

  • 原文地址:https://www.cnblogs.com/hzcya1995/p/13349644.html