Shahbaz

Reputation: 141

How to show a count in world map using IP address in Kibana, Logstash and ElasticSearch?

I want to display the number of users accessing the app in a World Map using ElasticSearch, Kibana and Logstash. I am new to this stuff, so I am having a difficult time.

Here is my sample log:

2014-07-16 21:41:04,254 [main] [] [INFO ] [o.a.c.s.f.ReflectionServiceFactoryBean] - Creating Service {http://com/test/matrix/expense}ExpenseService from class com.test.matrix.expense.ExpenseService

And here is my config file:

input { 
    file{
        #log.dir is provided from the application
        path => "D:/installDir/log/**/*.log"
        start_position=>"beginning"
    }
} 

filter {
    multiline {
       pattern => "^%{TIMESTAMP_ISO8601} "
       negate => true
       what => previous
    }       
    grok  {
        match => ["message", "%{TIMESTAMP_ISO8601:timestamp} \[%{DATA:module}-%{DATA:instance}-%{GREEDYDATA:thread}\] \[%{DATA:user}\] \[%{DATA:severity}\] \[%{JAVACLASS:javaClassName}\] - %{GREEDYDATA:shortmessage}"]
    }
    date {
        match => ["timestamp", "ISO8601"]
    }
}

output {
    elasticsearch_http {
        host => "SAKHAN6440.corp.out.com"
        port => 9201
    }
}

Upvotes: 0

Views: 3861

Answers (1)

Louis Stock

Reputation: 81

First, it seems that you have no user identifier in your sample logs! In order to display the number of users accessing the app on a world map, you need to have the client IP.

Once you have it, simply add this to your Logstash conf:

geoip {
    source => "client_ip"
    target => "geoip"
    fields => ["country_code2"]
    database => "your/path/to/db/GeoIP.dat"
}

Where the client_ip is the field containing the IP and GeoIP.dat is the free db downloaded from here. This will add a geoip.country_code2 that you will be able to add in your Kibana map.

Then you should be able to see the traffic on your app regarding different countries of the world!

Bye

Upvotes: 1
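
An added example, not part of the original answer: a filter section that extracts the client IP with grok and hands it to the geoip filter from the answer. It assumes the application is changed to log the client address in its own bracketed field, as in the constructed sample line in the comment; the field position and the `thread` field name are assumptions.

```logstash
# Constructed sample line (assumes the app logs the client address in its own field):
# 2014-07-16 21:41:04,254 [main] [jdoe] [203.0.113.7] [INFO ] [o.a.c.s.f.ReflectionServiceFactoryBean] - Creating Service ...
filter {
    grok {
        # %{IP:client_ip} captures the address into the field that geoip reads below
        match => ["message", "%{TIMESTAMP_ISO8601:timestamp} \[%{DATA:thread}\] \[%{DATA:user}\] \[%{IP:client_ip}\] \[%{DATA:severity}\] \[%{JAVACLASS:javaClassName}\] - %{GREEDYDATA:shortmessage}"]
    }

    # Only run the lookup when grok actually extracted an address;
    # lines that did not match carry the _grokparsefailure tag and no client_ip.
    if [client_ip] {
        geoip {
            source => "client_ip"
            target => "geoip"
            fields => ["country_code2"]
            # Placeholder path from the answer; point it at your own copy of the database
            database => "your/path/to/db/GeoIP.dat"
        }
    }
}
```

Private or reserved addresses have no entry in the GeoIP database, so events from internal clients will not get a geoip.country_code2 value and will not appear on the map.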
