Merge pull request elastic#396 from electrical/geoip_fields_selector

Adding field selector to geoip filter
damomurf · Mar 9, 2013 · 908e0fd · 908e0fd
2 parents 5cd155c + 450b4a6
commit 908e0fd
Showing 1 changed file with 33 additions and 4 deletions.
diff --git a/lib/logstash/filters/geoip.rb b/lib/logstash/filters/geoip.rb
@@ -24,7 +24,18 @@ class LogStash::Filters::GeoIP < LogStash::Filters::Base
 
   # The field containing IP address, hostname is also OK. If this field is an
   # array, only the first value will be used.
-  config :field, :validate => :string, :required => true
+  config :field, :validate => :string, :deprecated => true
+
+  # The field containing IP address, hostname is also OK. If this field is an
+  # array, only the first value will be used.
+  config :source, :validate => :string
+
+  # Array of fields that we want to be included in our event
+  # Default it will include all fields.
+  # Possible fields depend on the database type
+  # For the built in GeoLiteCity database:
+  # city_name, continent_code, country_code2, country_code3, country_name, dma_code, ip, latitude, longitude, postal_code, region_name, timezone
+  config :fields, :validate => :array
 
   public
   def register
@@ -64,14 +75,23 @@ def register
     else
       raise RuntimeException.new "This GeoIP database is not currently supported"
     end
+
+    #TODO(electrical): Remove this when removing the field variable
+    if @field
+      if @source
+        logger.error("'field' and 'source' are the same setting, but 'field' is deprecated. Please use only 'source'")
+      end
+      @source = @field
+    end
+
   end # def register
 
   public
   def filter(event)
     return unless filter?(event)
     geo_data = nil
     begin
-      ip = event[@field]
+      ip = event[@source]
       ip = ip.first if ip.is_a? Array
       geo_data = @geoip.send(@geoip_type, ip)
     rescue SocketError => e
@@ -84,8 +104,17 @@ def filter(event)
       geo_data_hash.delete(:request)
       event["geoip"] = {} if event["geoip"].nil?
       geo_data_hash.each do |key, value|
-        # convert key to string (normally a Symbol)
-        event["geoip"][key.to_s] = value
+        # Check if we have an array for specific fields
+        if !fields.empty?
+          # Check if the key is in our fields array
+          if fields.include?(key.to_s)
+            # convert key to string (normally a Symbol)
+            event["geoip"][key.to_s] = value
+          end
+        else
+          # convert key to string (normally a Symbol)
+          event["geoip"][key.to_s] = value
+        end
       end
       filter_matched(event)
     end