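# Logstash 2.3.4 filter for a custom access-log line: grok splits the line into
# fields, geoip resolves the forwarded address, and mutate turns the collected
# [longitude, latitude] pair in [geoip][coordinates] into floats.
filter {
  grok {
    # Both patterns are matched against "message": the first expects a query
    # string after the path ("\?.*"), the second a request without one.
    # The backslash escapes (\[ \] \" \? \S \s) were missing from the pasted
    # text and are restored, as is the named-group syntax "(?<http_referer>"
    # (the paste had a stray space after "?").
    # NOTE(review): the parentheses around request_time are left as pasted; if
    # the log prints literal "(...)" there they must be "\(" and "\)" - confirm
    # against the access-log format.
    # NOTE(review): referer and user agent are client-supplied, and \S also
    # matches '"', so those captures are not bounded by the surrounding quotes
    # unless the web server escapes quotes when it writes the log.
    match => [
      "message", "%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request}\?.* HTTP/%{NUMBER:httpversion}\" - %{NUMBER:http_status_code} %{NUMBER:bytes} \"(?<http_referer>\S+)\" \"(?<http_user_agent>(\S+\s+)*\S+)\" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)",
      "message", "%{IPORHOST:clientip} \[%{HTTPDATE:time}\] \"%{WORD:verb} %{URIPATHPARAM:request} HTTP/%{NUMBER:httpversion}\" - %{NUMBER:http_status_code} %{NUMBER:bytes} \"(?<http_referer>\S+)\" \"(?<http_user_agent>(\S+\s+)*\S+)\" (%{BASE16FLOAT:request_time}) (%{IPORHOST:http_x_forwarded_for}|-)"
    ]
  }

  geoip {
    # X-Forwarded-For is a request header: unless the edge proxy overwrites it,
    # the client decides what appears here, so the resulting geo fields are a
    # hint, not evidence of origin. "clientip" (captured at the start of the
    # line, presumably the connecting peer) is kept as a separate field.
    # When the log holds "-" the field is not captured at all.
    source => "http_x_forwarded_for"
    target => "geoip"
    # GeoLiteCity.dat is the legacy GeoLite City format; MaxMind has stopped
    # publishing updates for it, so lookups age with the file.
    database => "/usr/local/logstash-2.3.4/etc/GeoLiteCity.dat"
    # Two add_field entries on the same key collect both values in one field:
    # longitude first, then latitude.
    add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
    add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
  }

  mutate {
    # The %{...} references above produce strings; convert them to numbers.
    convert => [ "[geoip][coordinates]", "float" ]
  }
}

/*******************
# Minimal test: geoip looks up whatever is typed on stdin.
zjtest7-frontend:/usr/local/logstash-2.3.4/config# cat geoip.conf
input {
  stdin {}
}
filter {
  geoip {
    source => "message"
  }
}
output {
  stdout {
    codec => rubydebug {}
  }
}
zjtest7-frontend:/usr/local/logstash-2.3.4/config# ../bin/logstash -f geoip.conf
Settings: Default pipeline workers: 1
Pipeline main started
202.101.172.35
{
    "message" => "202.101.172.35",
    "@version" => "1",
    "@timestamp" => "2016-09-11T02:54:11.116Z",
    "host" => "0.0.0.0",
    "geoip" => {
        "ip" => "202.101.172.35",
        "country_code2" => "CN",
        "country_code3" => "CHN",
        "country_name" => "China",
        "continent_code" => "AS",
        "latitude" => 35.0,
        "longitude" => 105.0,
        "location" => [
            [0] 105.0,
            [1] 35.0
        ]
    }
}
# Only country-level fields come back for this address, and "location" is
# ordered [longitude, latitude].

/******************* add a field
# add_field copies location[0] (the longitude) into [geoip][scantest].
zjtest7-frontend:/usr/local/logstash-2.3.4/config# cat geoip.conf
input {
  stdin {}
}
filter {
  geoip {
    source => "message"
    add_field => [ "[geoip][scantest]", "%{[geoip][location][0]}" ]
  }
}
output {
  stdout {
    codec => rubydebug {}
  }
}
zjtest7-frontend:/usr/local/logstash-2.3.4/config# ../bin/logstash -f geoip.conf
Settings: Default pipeline workers: 1
Pipeline main started
202.101.172.35
{
    "message" => "202.101.172.35",
    "@version" => "1",
    "@timestamp" => "2016-09-11T02:57:07.832Z",
    "host" => "0.0.0.0",
    "geoip" => {
        "ip" => "202.101.172.35",
        "country_code2" => "CN",
        "country_code3" => "CHN",
        "country_name" => "China",
        "continent_code" => "AS",
        "latitude" => 35.0,
        "longitude" => 105.0,
        "location" => [
            [0] 105.0,
            [1] 35.0
        ],
        "scantest" => 105.0
    }
}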