Pipeline processor vs. GeoIP Resolver

ksengal · October 9, 2018, 3:53pm

Hi,

In my message processors configuration I had to put GeoIP Resolver after the Pipeline Processor because the IP fields of messages came from input extractors. Thus the pipeline processor has to run first.

Next, the GeoIP resolver runs on this extacted field and creats a geolocation field of latitiude,longitude.

But now I have a need to separate this geolocation field into separate latitutde and longitiude fields.
The GROK pattern for the input extractor would be %{NUMBER:lat},%{NUMBER:long}

This extractor works fine when I test it in the setup for the extractor, but once I save the configuration the fields do not show up. I believe this is the case because I would theoretically need to run the Pipeline Processor again after the GeoIP Resolver.

Is there a way to get all this to work?
Thanks

jan · October 10, 2018, 5:56am

what is your processing order in System > Configuration?

You can also do the lookup with a lookup table and use that in the processing pipelines (or extractors) and you are not forced todo this via the plugin only.

megan201296 · October 10, 2018, 6:10pm

@ksengal here is a walkthrough of how to set up Geolocation in the pipeline instead and the benefit to doing so: https://blog.reconinfosec.com/geolocation-in-graylog/.

system · October 24, 2018, 6:10pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Geolocation for logged in users Graylog Central (peer support) pipeline-rules	9	1048	March 2, 2018
Geo-ip mapping ANY ipv4 field Graylog Central (peer support) pipeline-rules	4	485	August 20, 2020
Geolocation Processor empty geo fields Graylog Add-ons	12	4797	September 29, 2017
GeoIP doesn't seem to be working Graylog Central (peer support)	5	1610	August 9, 2022
Pipelines and grok clarification Graylog Central (peer support)	8	1577	April 16, 2019

Pipeline processor vs. GeoIP Resolver

Related topics