Help decoding GeoLocation JSON results

drewdingray · May 21, 2025, 3:51pm

I have the following results where I am trying to get the iso_code and names[en] in a pipline rule.

because the result of subdivisions is a list or dictionaries, i have tried a few things and cannot get any results.

can anyone tell me what I’m doing wrong? thanks!

geo["subdivisions"][0].iso_code
geo["subdivisions"].0.iso_code
geo["subdivisions"].iso_code

"subdivisions": [
      {
        "confidence": null,
        "geoname_id": 2951839,
        "iso_code": "BY",
        "names": {
          "de": "Bayern",
          "ru": "Бавария",
          "pt-BR": "Baviera",
          "ja": "バイエルン",
          "en": "Bavaria",
          "fr": "Bavière",
          "zh-CN": "巴伐利亚州",
          "es": "Baviera"
        }
      }
    ]

drewdingray · May 21, 2025, 9:55pm

Well, on Github I found that I can try .[0]., ill keep you posted if it works.

drewdingray · May 22, 2025, 2:26pm

.[0]. did Work, I found the post below from version 5.2 that haven’t been updated in over a year but it looks like its not fixed.

github.com/Graylog2/graylog2-server

Pipeline rule with geo lookup and possible empty array

opened 07:36AM - 29 Apr 19 UTC

closed 08:04AM - 28 Jul 22 UTC

oarnold

processing bug triaged #M

I am trying to setup a pipeline rule to get some additional geo information, as …described in http://docs.graylog.org/en/3.0/pages/geolocation.html#. The problem I am facing is that part of the result of the lookup can be empty. In the below code for the rule setting the country code works fine, but the fields which depend on the subdivisions object can lead to the error "For rule 'rule geoip lookup': In call to function 'set_field' at 7:2 an exception was thrown: Index: 0, Size: 0". This happens because the subdivisions object is sometimes empty, for instance: ``` ... "country": { "confidence": null, "geoname_id": 1605651, "is_in_european_union": false, "iso_code": "TH", "names": { "de": "Thailand", "ru": "Тайланд", "pt-BR": "Tailândia", "ja": "タイ王国", "en": "Thailand", "fr": "Thaïlande", "zh-CN": "泰国", "es": "Tailandia" } }, ... "subdivisions": [] ``` Code for the rule: ``` rule "rule geoip subdivision lookup" when has_field("IP") then let geo = lookup("geoip-lookup", to_string($message.IP)); set_field("IP_country_code", geo["country"].iso_code); set_field("IP_region_code", geo["subdivisions"].[0].iso_code); set_field("IP_region_name", geo["subdivisions"].[0].names.en); end ``` Currently it seems not to be possible to only set the fiels IP_region_code and IP_region_name, when the array is not empty - or to use a default value, if the array is empty. (Also posted in https://community.graylog.org/t/pipeline-rule-with-geo-lookup-and-possible-empty-array/10013)

I also tried: set_field(“destination_ip_state_abbrev”, to_string(geo[“subdivisions”].[0].iso_code)); per the post and its still failing. Did anyone get that working? Thanks

drewdingray · May 22, 2025, 5:23pm

This was the fix per github, works 50% of the time. Still issues when the list is empty as 0 shows up as invalid index. Works fine when its present.

set_field("destination_ip_state", to_string(geo["subdivisions"].[0].names.en, "", "", "", "no_value"));

system · June 5, 2025, 5:23pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pipeline rule with geo lookup and possible empty array Graylog Central (peer support) pipeline-rules	5	1473	May 13, 2019
Accessing "subdivisions" data from GeoLite in a Pipeline Rule Graylog Central (peer support) pipeline-rules	3	257	March 25, 2024
Geo IP Pipeline GeoIP Database for more informations Graylog Central (peer support)	2	53	December 16, 2024
Geolocation issues Graylog Central (peer support) pipeline-rules	3	722	September 15, 2021
Pipeline rule is not working for postfix log Graylog Central (peer support) pipeline-rules , debuggingpl	5	1554	July 24, 2020

Help decoding GeoLocation JSON results

Related topics