Hi,
is it possible to have to " destination.geo.country_iso_code" field with the geoip plugin in logstash ?
I use it but similar output fields are "destination.geo.country_code2" and "destination.geo.country_code3" and these fields are not usable in the SIEM for destination country.
Thanks for help.
I may be misunderstanding your question, but it doesn't look like that is a possible value from the filter - https://www.elastic.co/guide/en/logstash/current/plugins-filters-geoip.html#plugins-filters-geoip-fields
Hi Mark,
you understand well 
I was wondering if there is any way to do it (change output name, rename field or other), and want to understand the difference between filter and the processor which have this "coutry_iso_code" with the same Maxmind database (see GeoIP processor | Elasticsearch Reference [7.10] | Elastic)
The database might be the same but the implementation is slightly different.
Can you look at using it instead?
Hi,
I can't do it now, but will look at it in the next few months when migrating.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.