efk/pipelines/nginx-access-with-geoip.json

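# Register the "nginx-access" ingest pipeline on the local Elasticsearch node.
#
# Input : an nginx access line in the "message" field, written by a log_format
#         whose fields appear in this order:
#         remote_ip - [time] "method url" "args" "request_body" status bytes
#         "referrer" "agent" "x_forwarded_for"
# Output: the parsed fields under nginx.access.*, a GeoIP lookup of remote_ip
#         under nginx.access.geoip, the OS family guessed from the user agent
#         in nginx.access.os, and @timestamp set from the request time (the
#         original ingest @timestamp is kept in read_timestamp).
#
# Date format: "yyyy" (calendar year) is used instead of the previous "YYYY".
# With the Java time formatter used by Elasticsearch 7+, "YYYY" is the ISO
# week-based year, which differs from the calendar year around New Year
# (e.g. 29 Dec 2019 is parsed as 2020). "HH:mm:ss" spells out the two-digit
# fields nginx writes; the single-letter form parsed them too.
#
# Conditional removal of "message": the first grok processor has ignore_failure
# set, so a line that does not match the pattern passes through unparsed. The
# previous version then deleted "message" unconditionally, leaving an event with
# no usable content. The "if" clause removes the raw line only when something
# was actually extracted from it, so unparsed entries stay visible in the index
# and can be re-processed once the pattern is fixed.
#
# nginx.access.x_forward_for is copied from the client-controlled
# X-Forwarded-For header and is deliberately not used for the GeoIP lookup;
# remote_ip (the TCP peer) is. When nginx sits behind a trusted proxy, resolve
# the real client address in nginx (realip module) rather than trusting the
# header at ingest time. nginx.access.request_body stores the request body
# verbatim; keep the log_format free of fields you must not retain.
curl -H "Content-Type: application/json" -X PUT http://127.0.0.1:9200/_ingest/pipeline/nginx-access -d '
{
  "description" : "nginx-access",
  "processors" : [
    {
      "grok" : {
        "field" : "message",
        "patterns" : [
          "^%{DATA:nginx.access.remote_ip} - \\[%{HTTPDATE:nginx.access.time}\\] \"%{WORD:nginx.access.method} %{DATA:nginx.access.url}\" \"%{DATA:nginx.access.args}\" \"%{DATA:nginx.access.request_body}\" %{NUMBER:nginx.access.response_code} %{NUMBER:nginx.access.body_sent.bytes} \"%{DATA:nginx.access.referrer}\" \"%{DATA:nginx.access.agent}\" \"%{DATA:nginx.access.x_forward_for}\""
        ],
        "ignore_missing" : true,
        "ignore_failure" : true
      }
    },
    {
      "geoip" : {
        "field" : "nginx.access.remote_ip",
        "target_field" : "nginx.access.geoip",
        "ignore_missing" : true,
        "ignore_failure" : true
      }
    },
    {
      "rename" : {
        "field" : "@timestamp",
        "target_field" : "read_timestamp"
      }
    },
    {
      "date" : {
        "formats" : [
          "dd/MMM/yyyy:HH:mm:ss Z"
        ],
        "timezone" : "Asia/Shanghai",
        "field" : "nginx.access.time",
        "target_field" : "@timestamp",
        "ignore_failure" : true
      }
    },
    {
      "grok" : {
        "field" : "nginx.access.agent",
        "patterns" : [
          "%{ANDROID:nginx.access.os}",
          "%{LINUX:nginx.access.os}",
          "%{IOS:nginx.access.os}",
          "%{MACOSX:nginx.access.os}",
          "%{WINDOWS:nginx.access.os}",
          "%{DARWIN:nginx.access.os}",
          "%{SOGOU:nginx.access.os}",
          "%{BINGBOT:nginx.access.os}",
          "%{OFFICE:nginx.access.os}"
        ],
        "pattern_definitions" : {
          "ANDROID" : "Android *[0-9]*",
          "LINUX" : "Linux (x86_64|i386|i686)",
          "IOS" : "OS [0-9]+",
          "MACOSX" : "Mac OS X [0-9]+",
          "WINDOWS" : "Windows NT [0-9.]+",
          "DARWIN" : "Darwin",
          "SOGOU" : "Sogou web spider",
          "BINGBOT" : "bingbot",
          "OFFICE" : "Microsoft Office [^ ]*"
        },
        "ignore_missing" : true,
        "ignore_failure" : true
      }
    },
    {
      "remove" : {
        "field" : "nginx.access.time",
        "ignore_failure" : true
      }
    },
    {
      "remove" : {
        "field" : "message",
        "if" : "ctx.nginx?.access?.remote_ip != null"
      }
    }
  ]
}'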