Pipeline extract IPV4 address from message log

Dear All,
I have configured Graylog to receive my Apache logs through a syslog server. I'm getting all the logs now. However, when I tried to show them on the world map, the pipeline is not working.

I have added a grok pattern to my messages. Thereafter it extracts the IPV4 address from the messages.
My message is as follows.

My pipeline rule is as follows.

```
rule "GeoIP lookup: ip"
when
  has_field("message")
then
  let geo = lookup("geoip", to_string($message.IP));
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end
```

Please let me know what could be the issue.

Hello && welcome

I took a quick look at your pipeline configuration and compared it to the documentation.

Your pipeline seems to be different.

And here is mine.

```
rule "GeoIP lookup: src_ip"
when
  has_field("src_ip")
then
  let geo = lookup("geoip", to_string($message.src_ip));
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end
```

Did you use these instructions for your setup?

In your screenshot above, that field is called IPV4, not IP. You should also check for the existence of the IPV4 field instead of the message field.

Thanks a lot for all the replies. I had to add the message filter chain to extract the IPV4 address from the log message. Once I put in a debug line and checked the log, I realized that the pipeline rule was not getting the IPV4 address. Then I changed the order on the configuration page (Message Processor configuration). Thereafter Geo Location started working and now it is showing on the map.

Thanks a lot for all your valuable replies.

Good point… Changed it.
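
The fixes discussed in this thread, combined into one rule as an added example (not code posted by anyone in the thread): it assumes the grok-extracted field is named `IPV4`, as the reply above notes, and reuses the thread's `geoip` lookup table and `src_ip_geo_*` field names. The second rule is a hypothetical diagnostic that logs when `IPV4` is absent, which is the symptom when the Pipeline Processor runs before the Message Filter Chain.

```graylog
// Added example. Save each rule as its own rule source and attach both to the
// same pipeline stage. Assumes the grok extractor writes the address to "IPV4".
rule "GeoIP lookup: IPV4"
when
  has_field("IPV4")
then
  let ip = to_string($message.IPV4);
  // Written to the Graylog server log; confirms the rule sees the extracted value.
  debug(concat("GeoIP rule got IPV4=", ip));
  let geo = lookup("geoip", ip);
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end

// Hypothetical diagnostic rule (name and log text are assumptions).
// If this fires for messages that show IPV4 in search results, the field is
// being extracted after the pipeline runs: move "Message Filter Chain" above
// "Pipeline Processor" in the Message Processor configuration.
rule "GeoIP lookup: IPV4 missing"
when
  NOT has_field("IPV4")
then
  debug(concat("No IPV4 field yet on message from ", to_string($message.source)));
end
```

Remove the diagnostic rule and the `debug` call once the geo fields appear on new messages, since both log once per message.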