Pipeline processor vs. GeoIP Resolver



In my message processors configuration I had to put GeoIP Resolver after the Pipeline Processor because the IP fields of messages came from input extractors. Thus the pipeline processor has to run first.

Next, the GeoIP resolver runs on this extracted field and creates a geolocation field of latitude,longitude.

But now I have a need to separate this geolocation field into separate latitude and longitude fields.
The GROK pattern for the input extractor would be %{NUMBER:lat},%{NUMBER:long}

This extractor works fine when I test it in the setup for the extractor, but once I save the configuration the fields do not show up. I believe this is the case because I would theoretically need to run the Pipeline Processor again after the GeoIP Resolver.

Is there a way to get all this to work?

(Jan Doberstein) #2

What is your processing order in System > Configuration?

You can also do the lookup with a lookup table and use that in the processing pipelines (or extractors) and you are not forced to do this via the plugin only.

(Megan) #3

@ksengal here is a walkthrough of how to set up Geolocation in the pipeline instead and the benefit to doing so: https://blog.reconinfosec.com/geolocation-in-graylog/.
