Lookup Table Returning Null Value

Hi, I have a lookup table translating IP addresses to geo locations, the lookup table works fine and when I enter any external IP address as a Key under “test lookup” it returns the correct mapping, see below.

I then have the following pipeline rule that is trying to return the single value ID (in this example “41.874, -71.3844”); however, it always returns {“value”:null}.

rule "Set geo_location field"
when
    contains(to_string($message.type), "fw_drop") &&
    not (
        starts_with(to_string($message.packet_source_ip), "192.168") or
        starts_with(to_string($message.packet_source_ip), "10") or
        starts_with(to_string($message.packet_source_ip), "172")
    )
then
    let geo_source = lookup("geo-lookup", $message.packet_source_ip, single_value.id);
    set_field("geo_location_source", geo_source);
end

The error is definitely with the pipeline rule, as when I test the key it returns the correct mapping. Can someone please help? Thanks

Hey @Linedo

Mine is a little different because of the field used.

Here's mine.

rule "GeoIP lookup: srcip"
when
  has_field("srcip")
then
  let geo = lookup("geoip", to_string($message.srcip));
  set_field("srcip_location", geo["coordinates"]);
  set_field("srcip_country", geo["country"].iso_code);
  set_field("srcip_city", geo["city"].names.en);
end

Results:

So I have a field already called “srcip”; yours may differ.
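As an added example (not code from either post, and not from the Graylog documentation), here is one way to combine the two rules above. The private-address exclusion from the question is rewritten with cidr_match over the three RFC 1918 blocks, because starts_with("10") also matches public addresses such as 100.64.0.1 and starts_with("172") matches every 172.x.x.x address, not just 172.16.0.0/12; the lookup then follows the map shape from the answer. The lookup table name geoip, the field names packet_source_ip and type, and the result field names are assumptions.

```text
rule "GeoIP lookup: packet_source_ip (public addresses only)"
when
  // Only firewall drop events that actually carry a source address
  // (field names "type" and "packet_source_ip" are assumed).
  contains(to_string($message.type), "fw_drop") &&
  has_field("packet_source_ip") &&
  // Exclude RFC 1918 space by prefix length, not by string prefix:
  // starts_with("10") would also drop 100.64.0.1, starts_with("172")
  // would drop every 172.x.x.x address including public ones.
  not cidr_match("10.0.0.0/8",     to_ip($message.packet_source_ip)) &&
  not cidr_match("172.16.0.0/12",  to_ip($message.packet_source_ip)) &&
  not cidr_match("192.168.0.0/16", to_ip($message.packet_source_ip))
then
  let ip = to_string($message.packet_source_ip);
  // "geoip" is an assumed lookup table name backed by the MaxMind city database;
  // lookup() returns the whole result map, not a single value.
  let geo = lookup("geoip", ip);
  set_field("packet_source_ip_geo_location", geo["coordinates"]);
  set_field("packet_source_ip_geo_country",  geo["country"].iso_code);
  set_field("packet_source_ip_geo_city",     geo["city"].names.en);
end
```

Test it with the simulator using a message whose packet_source_ip is 172.217.0.1 (public) and one with 172.16.0.1 (private): the first should gain the three geo fields, the second should not match the rule at all. If the database has no entry for an address, lookup() returns no map and the geo fields stay empty, which is the {"value":null} the question describes; that is a lookup miss, not a rule error.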

Hi @gsmith, thank you for your response! This is exactly what I was after, and it’s now working.

For anyone else reading this thread with a similar problem, I found this very helpful page: How to Set Up Graylog GeoIP Configuration


Glad you resolved your issue; if you can mark it as resolved for future searches, that would be great.

Hi guys,

thanks for all the good resources and sharing of your experiences!
I also followed the guides,
How to Set Up Graylog GeoIP Configuration
Implementing Geolocation with Graylog Pipelines

It seems to work somehow, but my problem is that all lookups resolve to the same coordinates and country. Can someone tell me if this behavior is some kind of fallback function?

winlogbeat_winlog_event_data_DestinationIp_geo_country:"AT"
winlogbeat_winlog_event_data_DestinationIp_geo_location:"48.2048,16.3801"

Here is what I configured:

The .mmdb file is up-to-date and is shared with my docker container where graylog runs!


  • Lookup Tables > Caches:

rule "GeoIP lookup: winlogbeat_winlog_event_data_DestinationIp"
when
  has_field("winlogbeat_winlog_event_data_DestinationIp")
then
  let geo = lookup("geoiplookup", to_string($message.winlogbeat_winlog_event_data_DestinationIp));
  set_field("winlogbeat_winlog_event_data_DestinationIp_geo_location", geo["coordinates"]);
  set_field("winlogbeat_winlog_event_data_DestinationIp_geo_country", geo["country"].iso_code);
  set_field("winlogbeat_winlog_event_data_DestinationIp_geo_city", geo["city"].names.en);
end
  • Pipelines > Manage pipelines > Edit:
    ** Pipeline connections > correct Stream is set
    ** actually seeing Throughput from time to time (not much traffic - it's a lab environment)

  • Pipelines overview:


  • Files are available:


Did I miss any important step?
Where / How can I do some extended troubleshooting?
(I can’t find any server logs in my docker container)


@wolfgang.reidlinger

Please create your own post, this one has been closed.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.