filter { if [type] == "apache" { grok { match => { "message" => "

1. filter {
2. if [type] == "apache" {
3. grok {
4. match => { "message" => "%{COMBINEDAPACHELOG}" }
5. tag_on_failure => []
6. }
7. kv {
8. field_split => "&?"
9. source => "request"
10. target => "kv"
11. include_keys => [ "userid", "idfa", "adid", "aid", "ip", "plid", "ho_claim_type", "ho_non_window", "sad",
12. "ho_is_assist", "loss_type", "version", "os_version", "existing_user", "conversion_referral",
13. "carrier", "agent", "device_brand", "device_model", "region", "devmod", "referrer", "nwt",
14. "bidtype", "currency", "lat", "marker", "time", "bundleid", "url", "claim", "platform",
15. "nw", "app", "urlloadedinbrowser", "nw_type", "site", "gclid" ]
16. }
17. geoip {
18. source => "clientip"
19. target => "geoip"
20. database => "/usr/share/GeoIP/GeoIPCity.dat"
21. add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
22. add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
23. }
24. mutate {
25. convert => [ "[geoip][coordinates]", "float"]
26. }
27. }
28. }