Filebeat Azure module not compatible with Maps visualisation

• I am using Filebeat Azure module to fetch activity logs and sign-in logs.
• Logstash is running between Filebeat and Elasticsearch and pushing data to a custom index cloud-audit-azure. Using a custom index to store data purposefully as we want to use index pattern cloud-audit* having indexes such as cloud-audit-aws, cloud-audit-azure.
• I copied its ingest pipeline and using the same to parse data.
• after seeing source.geo.location.lat and source.geo.location.lon data type asnumber I tried changing it to geo_point from mapping but no luck
• when changed to geo_point, cloud-audit-azure was visible in Maps visualization but it was letting me select only one of source.geo.location.lat or source.geo.location.lon.

Here is the pipeline file if you would like to see :

Can anyone help ?

source.geo.location should be geo_point, not the lat or long. What does you index mapping look like? How did you create it?

hey @legoguy1000 thanks for your reply. I did not create the mapping, I tried changing type from ingest pipeline.

Index mapping is in the following gist :

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.