# geoip

Enrich events with geographic information from a MaxMind GeoLite2 database located at `path`. For each event, the IP address to look up is returned by `ip()`; the lookup result is then applied to the event by `enrich()`. Events are always emitted downstream, whether or not the lookup and enrichment succeed, so a missing or unresolvable IP never drops an event.

# Config

Required:

  • path: Path to the MaxMind GeoLite2 database file (e.g. the City edition, as in the example)
  • ip: Function taking the event and returning the IP address to look up
  • enrich: Function taking the event and the lookup results and applying the geodata to the event (the example mutates the event in place)

# Example

# Example geoip stage. NOTE(review): `!!js/function` is a language-specific
# js-yaml tag — the loader evaluates these scalars as JavaScript, so this
# config file is executable code. It must come from a trusted source and must
# never be loaded with that schema from user-supplied input.
pipeline:
  geoip:
    config:
      # Local filesystem path to the GeoLite2 database (City edition here).
      path: /path/to/GeoLite2-City.mmdb
      # Picks the address to look up: first non-nullish of client.ip,
      # source.ip, then the top-level ip. enrich() below mirrors this order
      # when deciding where to attach the geo object.
      ip: !!js/function >-
        function(event) {
          return event.client?.ip ?? event.source?.ip ?? event.ip
        }
      # Maps the lookup result onto ECS geo fields and mutates `event` in
      # place. `results` is assumed to follow the GeoLite2 City record shape
      # (city / continent / country / postal / location / traits) — confirm
      # against the reader this stage uses.
      enrich: !!js/function >-
        function(event, results) {
          // https://www.elastic.co/guide/en/ecs/current/ecs-geo.html
          // Each section is optional in the lookup result, hence the guards.
          const geo = {}
          if (results.city) {
            geo.city_name = results.city.names.en
          }
          if (results.continent) {
            geo.continent_code = results.continent.code
          }
          if (results.country) {
            geo.country_iso_code = results.country.isoCode
            geo.country_name = results.country.names.en
          }
          if (results.postal) {
            geo.postal_code = results.postal.code
          }
          if (results.location) {
            // Longitude first: this is the array form Elasticsearch accepts
            // for a geo_point, not [lat, lon].
            geo.location = [results.location.longitude, results.location.latitude]
          }
          if (results.traits) {
            // Merge traits into labels; a trait overrides any existing label
            // with the same key. The looked-up address and its network block
            // are dropped again — presumably to avoid duplicating the ip
            // field and leaking the matched CIDR into labels.
            // NOTE(review): non-string trait values land in labels as-is;
            // confirm that fits the downstream labels mapping.
            event.labels = {...event.labels, ...results.traits}
            delete event.labels.ipAddress
            delete event.labels.network
          }
          // Attach geo next to whichever ip field ip() would have chosen,
          // falling back to a top-level geo object.
          if (event.client?.ip) {
            event.client.geo = geo
          } else if (event.source?.ip) {
            event.source.geo = geo
          } else {
            event.geo = geo
          }
        }