Hi Badger,
Thanks for your help!
I've tried it and the log message complains about the same thing:
[WARN ][logstash.filters.geoip ][3_sflow] ECS expect `target` value `[source][geo][ip]` in ["client", "destination", "host", "observer", "server", "source"]
I'm not sure what format the ip fields should be in, can't really find an example.
I've tried renaming dst_ip and src_ip fields to source.ip and destination.ip - the reasoning behind is that filebeat netflow module uses this naming convention but no luck with that either.
I've seen this post already and if i disable ecs compatibility I'm guessing it will work, but I'd like to get it working with ECS, if possible 