- I am using Filebeat Azure module to fetch activity logs and sign-in logs.
- Logstash is running between Filebeat and Elasticsearch and pushing data to a custom index `cloud-audit-azure`. Using a custom index to store data purposefully, as we want to use index pattern `cloud-audit*` having indexes such as `cloud-audit-aws`, `cloud-audit-azure`.
- I copied its ingest pipeline and am using the same to parse data.
- After seeing the `source.geo.location.lat` and `source.geo.location.lon` data type as `number`, I tried changing it to `geo_point` from the mapping, but no luck. When changed to `geo_point`, cloud-audit-azure was visible in Maps visualization, but it was letting me select only one of `source.geo.location.lat` or `source.geo.location.lon`.
Here is the pipeline file if you would like to see it: