Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 08bcd83757
Branches Tags
elasticsearch
/
docs
/
plugins
/
ingest-geoip.asciidoc

ingest-geoip.asciidoc 9.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313 
  1. [[ingest-geoip]]
    2. 

  2. === Ingest Geoip Processor Plugin
    3. 

  3. 

  4. The GeoIP processor adds information about the geographical location of IP addresses, based on data from the Maxmind databases.
    5. 

  5. This processor adds this information by default under the `geoip` field. The `geoip` processor can resolve both IPv4 and
    6. 

  6. IPv6 addresses.
    7. 

  7. 

  8. The ingest-geoip plugin ships by default with the GeoLite2 City, GeoLite2 Country and GeoLite2 ASN geoip2 databases from Maxmind made available
    9. 

  9. under the CCA-ShareAlike 4.0 license. For more details see, http://dev.maxmind.com/geoip/geoip2/geolite2/
    10. 

  10. 

  11. The GeoIP processor can run with other geoip2 databases from Maxmind. The files must be copied into the geoip config directory,
    12. 

  12. and the `database_file` option should be used to specify the filename of the custom database. Custom database files must be stored
    13. 

  13. uncompressed. The geoip config directory is located at `$ES_HOME/config/ingest-geoip` and holds the shipped databases too.
    14. 

  14. 

  15. :plugin_name: ingest-geoip
    16. 

  16. include::install_remove.asciidoc[]
    17. 

  17. 

  18. [[using-ingest-geoip]]
    19. 

  19. ==== Using the Geoip Processor in a Pipeline
    20. 

  20. 

  21. [[ingest-geoip-options]]
    22. 

  22. .Geoip options
    23. 

  23. [options="header"]
    24. 

  24. |======
    25. 

  25. | Name                   | Required  | Default                                                                            | Description
    26. 

  26. | `field`                | yes       | -                                                                                  | The field to get the ip address from for the geographical lookup.
    27. 

  27. | `target_field`         | no        | geoip                                                                              | The field that will hold the geographical information looked up from the Maxmind database.
    28. 

  28. | `database_file`        | no        | GeoLite2-City.mmdb                                                                 | The database filename in the geoip config directory. The ingest-geoip plugin ships with the GeoLite2-City.mmdb, GeoLite2-Country.mmdb and GeoLite2-ASN.mmdb files.
    29. 

  29. | `properties`           | no        | [`continent_name`, `country_iso_code`, `region_iso_code`, `region_name`, `city_name`, `location`] *   | Controls what properties are added to the `target_field` based on the geoip lookup.
    30. 

  30. | `ignore_missing`       | no        | `false`                                                                            | If `true` and `field` does not exist, the processor quietly exits without modifying the document
    31. 

  31. |======
    32. 

  32. 

  33. *Depends on what is available in `database_field`:
    34. 

  34. 

  35. * If the GeoLite2 City database is used, then the following fields may be added under the `target_field`: `ip`,
    36. 

  36. `country_iso_code`, `country_name`, `continent_name`, `region_iso_code`, `region_name`, `city_name`, `timezone`, `latitude`, `longitude`
    37. 

  37. and `location`. The fields actually added depend on what has been found and which properties were configured in `properties`.
    38. 

  38. * If the GeoLite2 Country database is used, then the following fields may be added under the `target_field`: `ip`,
    39. 

  39. `country_iso_code`, `country_name` and `continent_name`. The fields actually added depend on what has been found and which properties
    40. 

  40. were configured in `properties`.
    41. 

  41. * If the GeoLite2 ASN database is used, then the following fields may be added under the `target_field`: `ip`,
    42. 

  42. `asn`, and `organization_name`. The fields actually added depend on what has been found and which properties were configured
    43. 

  43. in `properties`.
    44. 

  44. 

  45. Here is an example that uses the default city database and adds the geographical information to the `geoip` field based on the `ip` field:
    46. 

  46. 

  47. [source,js]
    48. 

  48. --------------------------------------------------
    49. 

  49. PUT _ingest/pipeline/geoip
    50. 

  50. {
    51. 

  51.   "description" : "Add geoip info",
    52. 

  52.   "processors" : [
    53. 

  53.     {
    54. 

  54.       "geoip" : {
    55. 

  55.         "field" : "ip"
    56. 

  56.       }
    57. 

  57.     }
    58. 

  58.   ]
    59. 

  59. }
    60. 

  60. PUT my_index/_doc/my_id?pipeline=geoip
    61. 

  61. {
    62. 

  62.   "ip": "8.8.8.8"
    63. 

  63. }
    64. 

  64. GET my_index/_doc/my_id
    65. 

  65. --------------------------------------------------
    66. 

  66. // CONSOLE
    67. 

  67. 

  68. Which returns:
    69. 

  69. 

  70. [source,js]
    71. 

  71. --------------------------------------------------
    72. 

  72. {
    73. 

  73.   "found": true,
    74. 

  74.   "_index": "my_index",
    75. 

  75.   "_type": "_doc",
    76. 

  76.   "_id": "my_id",
    77. 

  77.   "_version": 1,
    78. 

  78.   "_seq_no": 55,
    79. 

  79.   "_primary_term": 1,
    80. 

  80.   "_source": {
    81. 

  81.     "ip": "8.8.8.8",
    82. 

  82.     "geoip": {
    83. 

  83.       "continent_name": "North America",
    84. 

  84.       "country_iso_code": "US",
    85. 

  85.       "location": { "lat": 37.751, "lon": -97.822 }
    86. 

  86.     }
    87. 

  87.   }
    88. 

  88. }
    89. 

  89. --------------------------------------------------
    90. 

  90. // TESTRESPONSE[s/"_seq_no": \d+/"_seq_no" : $body._seq_no/ s/"_primary_term":1/"_primary_term" : $body._primary_term/]
    91. 

  91. 

  92. Here is an example that uses the default country database and adds the
    93. 

  93. geographical information to the `geo` field based on the `ip` field`. Note that
    94. 

  94. this database is included in the plugin download. So this:
    95. 

  95. 

  96. [source,js]
    97. 

  97. --------------------------------------------------
    98. 

  98. PUT _ingest/pipeline/geoip
    99. 

  99. {
    100. 

  100.   "description" : "Add geoip info",
    101. 

  101.   "processors" : [
    102. 

  102.     {
    103. 

  103.       "geoip" : {
    104. 

  104.         "field" : "ip",
    105. 

  105.         "target_field" : "geo",
    106. 

  106.         "database_file" : "GeoLite2-Country.mmdb"
    107. 

  107.       }
    108. 

  108.     }
    109. 

  109.   ]
    110. 

  110. }
    111. 

  111. PUT my_index/_doc/my_id?pipeline=geoip
    112. 

  112. {
    113. 

  113.   "ip": "8.8.8.8"
    114. 

  114. }
    115. 

  115. GET my_index/_doc/my_id
    116. 

  116. --------------------------------------------------
    117. 

  117. // CONSOLE
    118. 

  118. 

  119. returns this:
    120. 

  120. 

  121. [source,js]
    122. 

  122. --------------------------------------------------
    123. 

  123. {
    124. 

  124.   "found": true,
    125. 

  125.   "_index": "my_index",
    126. 

  126.   "_type": "_doc",
    127. 

  127.   "_id": "my_id",
    128. 

  128.   "_version": 1,
    129. 

  129.   "_seq_no": 65,
    130. 

  130.   "_primary_term": 1,
    131. 

  131.   "_source": {
    132. 

  132.     "ip": "8.8.8.8",
    133. 

  133.     "geo": {
    134. 

  134.       "continent_name": "North America",
    135. 

  135.       "country_iso_code": "US",
    136. 

  136.     }
    137. 

  137.   }
    138. 

  138. }
    139. 

  139. --------------------------------------------------
    140. 

  140. // TESTRESPONSE[s/"_seq_no": \d+/"_seq_no" : $body._seq_no/ s/"_primary_term" : 1/"_primary_term" : $body._primary_term/]
    141. 

  141. 

  142. 

  143. Not all IP addresses find geo information from the database, When this
    144. 

  144. occurs, no `target_field` is inserted into the document.
    145. 

  145. 

  146. Here is an example of what documents will be indexed as when information for "80.231.5.0"
    147. 

  147. cannot be found:
    148. 

  148. 

  149. [source,js]
    150. 

  150. --------------------------------------------------
    151. 

  151. PUT _ingest/pipeline/geoip
    152. 

  152. {
    153. 

  153.   "description" : "Add geoip info",
    154. 

  154.   "processors" : [
    155. 

  155.     {
    156. 

  156.       "geoip" : {
    157. 

  157.         "field" : "ip"
    158. 

  158.       }
    159. 

  159.     }
    160. 

  160.   ]
    161. 

  161. }
    162. 

  162. 

  163. PUT my_index/_doc/my_id?pipeline=geoip
    164. 

  164. {
    165. 

  165.   "ip": "80.231.5.0"
    166. 

  166. }
    167. 

  167. 

  168. GET my_index/_doc/my_id
    169. 

  169. --------------------------------------------------
    170. 

  170. // CONSOLE
    171. 

  171. 

  172. Which returns:
    173. 

  173. 

  174. [source,js]
    175. 

  175. --------------------------------------------------
    176. 

  176. {
    177. 

  177.   "_index" : "my_index",
    178. 

  178.   "_type" : "_doc",
    179. 

  179.   "_id" : "my_id",
    180. 

  180.   "_version" : 1,
    181. 

  181.   "_seq_no" : 71,
    182. 

  182.   "_primary_term": 1,
    183. 

  183.   "found" : true,
    184. 

  184.   "_source" : {
    185. 

  185.     "ip" : "80.231.5.0"
    186. 

  186.   }
    187. 

  187. }
    188. 

  188. --------------------------------------------------
    189. 

  189. // TESTRESPONSE[s/"_seq_no" : \d+/"_seq_no" : $body._seq_no/ s/"_primary_term" : 1/"_primary_term" : $body._primary_term/]
    190. 

  190. 

  191. [[ingest-geoip-mappings-note]]
    192. 

  192. ===== Recognizing Location as a Geopoint
    193. 

  193. Although this plugin enriches your document with a `location` field containing
    194. 

  194. the estimated latitude and longitude of the IP address, this field will not be
    195. 

  195. indexed as a {ref}/geo-point.html[`geo_point`] type in Elasticsearch without explicitely defining it
    196. 

  196. as such in the mapping.
    197. 

  197. 

  198. You can use the following mapping for the example index above:
    199. 

  199. 

  200. [source,js]
    201. 

  201. --------------------------------------------------
    202. 

  202. PUT my_ip_locations
    203. 

  203. {
    204. 

  204.   "mappings": {
    205. 

  205.     "_doc": {
    206. 

  206.       "properties": {
    207. 

  207.         "geoip": {
    208. 

  208.           "properties": {
    209. 

  209.             "location": { "type": "geo_point" }
    210. 

  210.           }
    211. 

  211.         }
    212. 

  212.       }
    213. 

  213.     }
    214. 

  214.   }
    215. 

  215. }
    216. 

  216. --------------------------------------------------
    217. 

  217. // CONSOLE
    218. 

  218. 

  219. ////
    220. 

  220. [source,js]
    221. 

  221. --------------------------------------------------
    222. 

  222. PUT _ingest/pipeline/geoip
    223. 

  223. {
    224. 

  224.   "description" : "Add geoip info",
    225. 

  225.   "processors" : [
    226. 

  226.     {
    227. 

  227.       "geoip" : {
    228. 

  228.         "field" : "ip"
    229. 

  229.       }
    230. 

  230.     }
    231. 

  231.   ]
    232. 

  232. }
    233. 

  233. 

  234. PUT my_ip_locations/_doc/1?refresh=true&pipeline=geoip
    235. 

  235. {
    236. 

  236.   "ip": "8.8.8.8"
    237. 

  237. }
    238. 

  238. 

  239. GET /my_ip_locations/_search
    240. 

  240. {
    241. 

  241.     "query": {
    242. 

  242.         "bool" : {
    243. 

  243.             "must" : {
    244. 

  244.                 "match_all" : {}
    245. 

  245.             },
    246. 

  246.             "filter" : {
    247. 

  247.                 "geo_distance" : {
    248. 

  248.                     "distance" : "1m",
    249. 

  249.                     "geoip.location" : {
    250. 

  250.                         "lon" : -97.822,
    251. 

  251.                         "lat" : 37.751
    252. 

  252.                     }
    253. 

  253.                 }
    254. 

  254.             }
    255. 

  255.         }
    256. 

  256.     }
    257. 

  257. }
    258. 

  258. --------------------------------------------------
    259. 

  259. // CONSOLE
    260. 

  260. // TEST[continued]
    261. 

  261. 

  262. [source,js]
    263. 

  263. --------------------------------------------------
    264. 

  264. {
    265. 

  265.   "took" : 3,
    266. 

  266.   "timed_out" : false,
    267. 

  267.   "_shards" : {
    268. 

  268.     "total" : 1,
    269. 

  269.     "successful" : 1,
    270. 

  270.     "skipped" : 0,
    271. 

  271.     "failed" : 0
    272. 

  272.   },
    273. 

  273.   "hits" : {
    274. 

  274.     "total" : {
    275. 

  275.       "value": 1,
    276. 

  276.       "relation": "eq"
    277. 

  277.     },
    278. 

  278.     "max_score" : 1.0,
    279. 

  279.     "hits" : [
    280. 

  280.       {
    281. 

  281.         "_index" : "my_ip_locations",
    282. 

  282.         "_type" : "_doc",
    283. 

  283.         "_id" : "1",
    284. 

  284.         "_score" : 1.0,
    285. 

  285.         "_source" : {
    286. 

  286.           "geoip" : {
    287. 

  287.             "continent_name" : "North America",
    288. 

  288.             "country_iso_code" : "US",
    289. 

  289.             "location" : {
    290. 

  290.               "lon" : -97.822,
    291. 

  291.               "lat" : 37.751
    292. 

  292.             }
    293. 

  293.           },
    294. 

  294.           "ip" : "8.8.8.8"
    295. 

  295.         }
    296. 

  296.       }
    297. 

  297.     ]
    298. 

  298.   }
    299. 

  299. }
    300. 

  300. --------------------------------------------------
    301. 

  301. // TESTRESPONSE[s/"took" : 3/"took" : $body.took/]
    302. 

  302. ////
    303. 

  303. 

  304. [[ingest-geoip-settings]]
    305. 

  305. ===== Node Settings
    306. 

  306. 

  307. The geoip processor supports the following setting:
    308. 

  308. 

  309. `ingest.geoip.cache_size`::
    310. 

  310. 

  311.     The maximum number of results that should be cached. Defaults to `1000`.
    312. 

  312. 

  313. Note that these settings are node settings and apply to all geoip processors, i.e. there is one cache for all defined geoip processors.
    314.