Merge pull request #396 from electrical/geoip_fields_selector

Adding field selector to geoip filter
2025-04-24 06:37:19 -04:00 · 2013-03-09 15:25:30 -08:00 · 2013-03-09 15:25:30 -08:00 · 908e0fd47b
commit 908e0fd47b
parent 5cd155c2a0 450b4a6858
1 changed files with 33 additions and 4 deletions
--- a/lib/logstash/filters/geoip.rb
+++ b/lib/logstash/filters/geoip.rb
@ -24,7 +24,18 @@ class LogStash::Filters::GeoIP < LogStash::Filters::Base

  # The field containing IP address, hostname is also OK. If this field is an
  # array, only the first value will be used.
-  config :field, :validate => :string, :required => true
+  config :field, :validate => :string, :deprecated => true
+
+  # The field containing IP address, hostname is also OK. If this field is an
+  # array, only the first value will be used.
+  config :source, :validate => :string
+
+  # Array of fields that we want to be included in our event
+  # Default it will include all fields.
+  # Possible fields depend on the database type
+  # For the built in GeoLiteCity database:
+  # city_name, continent_code, country_code2, country_code3, country_name, dma_code, ip, latitude, longitude, postal_code, region_name, timezone
+  config :fields, :validate => :array

  public
  def register
@ -64,6 +75,15 @@ class LogStash::Filters::GeoIP < LogStash::Filters::Base
    else
      raise RuntimeException.new "This GeoIP database is not currently supported"
    end
+
+    #TODO(electrical): Remove this when removing the field variable
+    if @field
+      if @source
+        logger.error("'field' and 'source' are the same setting, but 'field' is deprecated. Please use only 'source'")
+      end
+      @source = @field
+    end
+
  end # def register

  public
@ -71,7 +91,7 @@ class LogStash::Filters::GeoIP < LogStash::Filters::Base
    return unless filter?(event)
    geo_data = nil
    begin
-      ip = event[@field]
+      ip = event[@source]
      ip = ip.first if ip.is_a? Array
      geo_data = @geoip.send(@geoip_type, ip)
    rescue SocketError => e
@ -84,8 +104,17 @@ class LogStash::Filters::GeoIP < LogStash::Filters::Base
      geo_data_hash.delete(:request)
      event["geoip"] = {} if event["geoip"].nil?
      geo_data_hash.each do |key, value|
-        # convert key to string (normally a Symbol)
-        event["geoip"][key.to_s] = value
+        # Check if we have an array for specific fields
+        if !fields.empty?
+          # Check if the key is in our fields array
+          if fields.include?(key.to_s)
+            # convert key to string (normally a Symbol)
+            event["geoip"][key.to_s] = value
+          end
+        else
+          # convert key to string (normally a Symbol)
+          event["geoip"][key.to_s] = value
+        end
      end
      filter_matched(event)
    end