使用elasticsearch 自带pipeline 功能来解析geoip

原理

配置geoip pipeline 

关联到具体的index pattern 

日志写入式执行geoip 形成新的日志段

步骤

1 配置pipeline

#!/bin/bash
curl -X PUT "localhost:9200/_ingest/pipeline/geoip?pretty" -H 'Content-Type: application/json' -d'
{
  "description" : "Add geoip info",
  "processors" : [
    {
      "geoip" : {
        "field" : "http_x_forwarded_for"
      }
    }
  ]
}
'

替换  http_x_forwarded_for 为任意适合你的变量

2 配置nginx pattern

{
  "index": {
    "lifecycle": {
      "name": "nginxdelete"
    },
    "number_of_replicas": "0",
    "default_pipeline": "geoip"
  }
}

3 验证

{
    "_index": "nginx-2021.08.30",
    "_type": "_doc",
    "_id": "TdzYlnsBf-nChSXeMWI6",
    "_version": 1,
    "_score": null,
    "_source": {
        "scheme": "https",
        "remote_addr": "171.224.237.174",
        "geoip": {
            "continent_name": "Asia",
            "country_iso_code": "VN",
            "location": {
                "lon": 106,
                "lat": 16
            }
        }
        "http_x_forwarded_for": "171.224.237.174"
    }
}