Pipeline extract IPV4 address from message log

Dear All,
I have configured Graylog to receive my Apache logs through a syslog server. I'm getting all the logs now. However, when I tried to show them on the world map, the pipeline is not working.

I have added a grok pattern to my messages. Thereafter it extracts the IPV4 address from the messages.
My message is as follows.
message

My pipeline rule is as follows.

rule "GeoIP lookup: ip"
when
  has_field("message")
then
  let geo = lookup("geoip", to_string($message.IP));
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end

Please let me know what could be the issue.

Hello && welcome

I took a quick look at your pipeline configuration and compared it to the documentation.

Your pipeline seems to be different.

And here is mine.

rule "GeoIP lookup: src_ip"
when
  has_field("src_ip")
then
let geo = lookup("geoip", to_string($message.src_ip));
set_field("src_ip_geo_location", geo["coordinates"]);
set_field("src_ip_geo_country", geo["country"].iso_code);
set_field("src_ip_geo_city", geo["city"].names.en);
end

Did you use these instructions for your setup?


Hi,

In your screenshot above, that field is called IPV4, not IP. You should also check for the existence of the IPV4 field instead of the message field.


Thanks a lot for all the replies. I had to add the message filter chain to extract the IPV4 address from the log message. Once I put in a debug line and checked the log, I realized that the pipeline rule was not getting the IPV4 address. Then I changed the order on the configuration page (Message processor configuration). Thereafter, Geo Location started working and now it is showing on the map.

Thanks a lot for all your valuable replies.


Good point… Changed it.
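The points raised in this thread (the field is named IPV4, and the rule only works once that field exists when the pipeline runs), put together as an added example that is not part of the original posts: a two-stage pipeline that extracts the address with grok inside the pipeline, logs what it sees, and only then does the lookup. The rule names, the pipeline name and the stage numbers are assumptions, as is a grok pattern named IPV4 being installed; the `geoip` lookup table and the output field names are the ones used in the thread.

```graylog
// Rule 1 (stage 0): extract the address inside the pipeline, so the lookup
// does not rely on an extractor having populated IPV4 earlier.
rule "Extract IPV4 from message"
when
  has_field("message") && !has_field("IPV4")
then
  // Only the named capture (IPV4) is returned and written to the message.
  let m = grok(pattern: "%{IPV4:IPV4}",
               value: to_string($message.message),
               only_named_captures: true);
  set_fields(m);
  // Debug line: written to the Graylog server log, shows what the
  // pipeline actually sees for this message.
  debug(concat("IPV4 seen by pipeline: ", to_string($message.IPV4)));
end

// Rule 2 (stage 1): look up only when the field really exists, and read
// the same field name that was checked in the when clause.
rule "GeoIP lookup: IPV4"
when
  has_field("IPV4")
then
  let geo = lookup("geoip", to_string($message.IPV4));
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end

// Pipeline definition: stage 0 runs before stage 1, so the extraction
// always precedes the lookup for every message.
pipeline "Apache GeoIP"
stage 0 match either
  rule "Extract IPV4 from message";
stage 1 match either
  rule "GeoIP lookup: IPV4";
end
```

Each rule and the pipeline are saved as separate sources in Graylog. If the debug line shows no address for messages that contain one, check the grok pattern before looking at the lookup table.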
