My problem: there is a field with the name source.
How do I write the correct code to add the message field and choose the source part?
rule "src_ip"
when
  has_field("source")
then
  let geo = lookup("src_ip", to_string($message.source));
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end
Also, the "src_ip_geo*" new fields never appear in the map.
First, based on your screenshot, you are trying to do GeoIP for LAN subnet addresses (10.X.X.X), which of course can't contain GeoIP information, because they are not Internet IPs.
Second, you need to extract the IP from the message; do you have it? You use the field source in your pipeline rule, but I don't know if it contains the correct IP.
The map widget uses GeoIP coordinates to display a point on the map, so you need to use the field src_ip_geo_location in your case.
For the first point: the same load balancer VIP is accessible from the internet using a NAT IP, so internet users' public IPs will appear if the URL is requested from the internet.
For the second point: there is a source field, but it is for the load balancer IP. The client IP appears in the message field as part of the message field text, so I need to extract it from the message field data.
For the third point: src_ip_geo_location does not appear in the row field in the map dashboard.
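
An added example, not part of the original posts: one way to pull the client IP out of the message text and run the GeoIP lookup only for public addresses. It assumes the first IPv4-looking token in the message field is the client IP (the thread does not show the message format); the field name client_ip and both rule names are hypothetical, while the lookup table "src_ip" and the src_ip_geo_* fields are the ones used in the rule above.

```graylog
// Rule 1 (earlier stage): copy the client IP out of the message text
// into its own field.
// Assumption: the first dotted-quad in "message" is the client address.
rule "extract client_ip from message"
when
  has_field("message") &&
  regex("(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})",
        to_string($message.message)).matches == true
then
  let m = regex("(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})",
                to_string($message.message));
  // Capture groups of the match object are indexed from "0".
  set_field("client_ip", m["0"]);
end

// Rule 2 (later stage): geolocate only addresses that can have GeoIP data.
// Private and loopback ranges are skipped, so LAN clients (10.x.x.x)
// do not produce empty src_ip_geo_* fields.
rule "geoip for public client_ip"
when
  has_field("client_ip") &&
  !cidr_match("10.0.0.0/8", to_ip($message.client_ip)) &&
  !cidr_match("172.16.0.0/12", to_ip($message.client_ip)) &&
  !cidr_match("192.168.0.0/16", to_ip($message.client_ip)) &&
  !cidr_match("127.0.0.0/8", to_ip($message.client_ip))
then
  let geo = lookup("src_ip", to_string($message.client_ip));
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end
```

Each rule is saved as its own pipeline rule; the second one belongs in a later stage than the first so that client_ip already exists when its condition is evaluated.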