Hi, I'm trying to display data in the SIEM map using ECS. I'm getting the data from a database using Logstash JDBC.
This is the template for the index:
```
PUT _template/ecs
{
  "mappings": {
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "destination.geo": {
        "type": "geo_point"
      },
      "source.geo": {
        "type": "geo_point"
      }
    }
  },
  "index_patterns": [
    "ecs-*"
  ]
}
```
and this is what I have tried to do in Logstash to set the fields:
```
add_field => { "[source][geo][location][lat]" => "%{src_lat}" }
add_field => { "[source][geo][location][lon]" => "%{src_long}" }
add_field => { "[destination][geo][location][lat]" => "%{dest_lat}" }
add_field => { "[destination][geo][location][lon]" => "%{dest_long}" }
```
and Logstash gives me this error: "field must be either [lat], [lon] or [geohash]"
I also tried to put this as a string in the pipeline:
```
add_field => { "[destination][geo][location]" => "%{dest_lat}, %{dest_long}" }
```
and as an array:
```
add_field => { "[destination][geo][location]" => ["%{dest_lat}", "%{dest_long}"] }
```
but all of the above give me the error "field must be either [lat], [lon] or [geohash]".
How can I solve this?
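As an added illustration (not code from the original post): the posted template maps `destination.geo` itself as a `geo_point`, while the `add_field` lines write the point one level deeper at `destination.geo.location`, which is where ECS keeps it, so Elasticsearch sees an object with an unexpected key `location` inside a geo_point. The snippet below is a simplified model of that check, run against the posted mapping and against a corrected one that maps `*.geo.location`; the column names `src_lat`, `src_long`, `dest_lat`, `dest_long` are the page's, and the row values are constructed.

```python
# Simplified model of the geo_point check (not Elasticsearch's own code).

# The template as posted: geo_point mapped at source.geo / destination.geo.
TEMPLATE_POSTED = {
    "index_patterns": ["ecs-*"],
    "mappings": {"properties": {
        "@timestamp": {"type": "date"},
        "destination.geo": {"type": "geo_point"},
        "source.geo": {"type": "geo_point"},
    }},
}

# Corrected template: ECS stores the point at *.geo.location, so the
# geo_point mapping has to sit on that field, not on the parent object.
TEMPLATE_FIXED = {
    "index_patterns": ["ecs-*"],
    "mappings": {"properties": {
        "@timestamp": {"type": "date"},
        "destination.geo.location": {"type": "geo_point"},
        "source.geo.location": {"type": "geo_point"},
    }},
}

GEO_ERROR = "field must be either [lat], [lon] or [geohash]"

def ecs_event(row):
    """Nest a JDBC row the way the posted add_field lines do, with the
    coordinates coerced to float (the JDBC input hands them over as-is)."""
    return {
        "source": {"geo": {"location": {"lat": float(row["src_lat"]),
                                        "lon": float(row["src_long"])}}},
        "destination": {"geo": {"location": {"lat": float(row["dest_lat"]),
                                             "lon": float(row["dest_long"])}}},
    }

def _lookup(doc, dotted):
    for part in dotted.split("."):      # walk "a.b.c" into the nested event
        doc = doc[part]
    return doc

def check_geo_points(template, event):
    """For every geo_point in the template, validate the event value the way
    the error message describes: an object may only carry lat/lon or geohash;
    a "lat,lon" string or a [lon, lat] array is accepted. Returns the paths
    checked, or raises ValueError with the field and the message."""
    checked = []
    for path, spec in template["mappings"]["properties"].items():
        if spec["type"] != "geo_point":
            continue
        value = _lookup(event, path)
        if isinstance(value, dict):
            if not set(value) <= {"lat", "lon", "geohash"}:
                raise ValueError(f"{path}: {GEO_ERROR}")
        elif not isinstance(value, (str, list)):
            raise ValueError(f"{path}: unsupported geo_point value")
        checked.append(path)
    return checked
```

With the corrected template the posted `add_field` lines work unchanged; only the mapping moves from `destination.geo` to `destination.geo.location`.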