GeoIP data not creating "location" field and duplicating data

I'm ingesting logs from my firewall, and as part of that I thought it would be nice to look at geoip data.

    geoip {
        add_tag => [ "GeoIP" ]
        source => "src_ip"
    }
    geoip {
        add_tag => [ "GeoIP" ]
        source => "dst_ip"
    }

This is "great"... or so I thought, as it created a bunch of geoip data for me:

[screenshot from 2022-04-29 omitted]

However, I'm now a little lost on 2 items here:

1: To use this geoip data in a map, I believe I NEED a field called "geoip.location" which is lon+lat... but I don't see how I can map this myself?
I'm receiving the error "index pattern does not contain any geospatial fields".

2: I have duplicated fields:
geoip.latitude
geoip.location.lat
geoip.location.lon
geoip.longitude

The 2nd item is less important, but the 1st is the blocker to getting maps working correctly.

Any help please!

You have to create an index template with mappings where geoip is defined as dynamic:

"geoip"  : {
  "dynamic": true,
  "properties" : {
    "ip": { "type": "ip" },
    "location" : { "type" : "geo_point" },
    "latitude" : { "type" : "half_float" },
    "longitude" : { "type" : "half_float" }
  }
}

In Kibana:

1. Go to Index Management -> Indices (click on your index) -> Mappings, and copy your mappings, everything inside {}.
2. Go to Index Templates -> Create Template, with an index pattern that will match the index name (i.e. fw-log*).
3. At Step 4 (Mapping) -> Load JSON, paste your default dynamic pattern, remove "_doc": { and the } at the bottom, and replace your generated geoip with the one marked above.
4. Load and overwrite. Mapped fields should show geoip as object and location as geo_point.

1. That is because the geoip plugin creates the fields. You can use ECS.

Later you can also define a static geoip structure with exact fields.


Hey Rios,

Thanks for the response, but I'm a little lost on following what you said.

Paste your default dynamic pattern, remove "_doc": { and } at the bottom

_doc is at the top of the template, and everything inside the {} is the entire doc?

{
  "mappings": {
    "_doc": {
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "@version": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256

This is how my template starts?

Here is my current index template if that helps...

{
  "mappings": {
    "_doc": {
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "@version": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "BASE10NUM": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "action": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "client_ip_leased": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "dhcp_client_mac": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "dhcp_gateway": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "dhcp_server_mac": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "dhcp_subnet_mask": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "dst_ip": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "dst_port": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "facility": {
          "type": "long"
        },
        "facility_label": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "geoip": {
          "properties": {
            "city_name": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
            },
            "continent_code": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
            },
            "country_code2": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
            },
            "country_code3": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
            },
            "country_name": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
            },
            "dma_code": {
              "type": "long"
            },
            "ip": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
            },
            "latitude": {
              "type": "float"
            },
            "location": {
              "properties": {
                "lat": {
                  "type": "float"
                },
                "lon": {
                  "type": "float"
                }
              }
            },
            "longitude": {
              "type": "float"
            },
            "postal_code": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
            },
            "region_code": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
            },
            "region_name": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
            },
            "timezone": {
              "type": "text",
              "fields": {
                "keyword": {
                  "type": "keyword",
                  "ignore_above": 256
                }
              }
            }
          }
        },
        "host": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "host_title": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "icmp_type": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "message": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "message_raw": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "mx_external_src_ip": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "mx_external_src_port": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "priority": {
          "type": "long"
        },
        "protocol": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "request": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "severity": {
          "type": "long"
        },
        "severity_label": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "src_ip": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "src_mac": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "src_port": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "syslog_pri": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "tags": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "timestamp_unix": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "type": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        }
      }
    }
  }
}

Well, I figured out what you meant - thanks for that!

But now I have a new error:

Unable to create template
composable template [merakisyslog] template after composition is invalid

A Google search doesn't turn up much on this...

This is the full error I'm getting:

{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "composable template [simulate_template_lizn5gfhqocntit6-0eefg] template after composition is invalid",
  "attributes": {
    "error": {
      "root_cause": [
        {
          "type": "illegal_argument_exception",
          "reason": "composable template [simulate_template_lizn5gfhqocntit6-0eefg] template after composition is invalid"
        }
      ],
      "type": "illegal_argument_exception",
      "reason": "composable template [simulate_template_lizn5gfhqocntit6-0eefg] template after composition is invalid",
      "caused_by": {
        "type": "illegal_argument_exception",
        "reason": "invalid composite mappings for [simulate_template_lizn5gfhqocntit6-0eefg]",
        "caused_by": {
          "type": "mapper_parsing_exception",
          "reason": "Failed to parse mapping [_doc]: Root mapping definition has unsupported parameters:  [mappings : {dynamic_templates=[], properties={icmp_type={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request={type=text, fields={keyword={ignore_above=256, type=keyword}}}, agent={type=text, fields={keyword={ignore_above=256, type=keyword}}}, client_ip_leased={type=text, fields={keyword={ignore_above=256, type=keyword}}}, message_raw={type=text, fields={keyword={ignore_above=256, type=keyword}}}, type={type=text, fields={keyword={ignore_above=256, type=keyword}}}, dst_ip={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request_proto={type=text, fields={keyword={ignore_above=256, type=keyword}}}, src_ip={type=text, fields={keyword={ignore_above=256, type=keyword}}}, mx_external_src_ip={type=text, fields={keyword={ignore_above=256, type=keyword}}}, protocol={type=text, fields={keyword={ignore_above=256, type=keyword}}}, timestamp_unix={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request_meth={type=text, fields={keyword={ignore_above=256, type=keyword}}}, @version={type=text, fields={keyword={ignore_above=256, type=keyword}}}, dhcp_gateway={type=text, fields={keyword={ignore_above=256, type=keyword}}}, dhcp_subnet_mask={type=text, fields={keyword={ignore_above=256, type=keyword}}}, host={type=text, fields={keyword={ignore_above=256, type=keyword}}}, action={type=text, fields={keyword={ignore_above=256, type=keyword}}}, syslog_pri={type=text, fields={keyword={ignore_above=256, type=keyword}}}, dhcp_server_mac={type=text, fields={keyword={ignore_above=256, type=keyword}}}, mx_external_src_port={type=text, fields={keyword={ignore_above=256, type=keyword}}}, src_mac={type=text, fields={keyword={ignore_above=256, type=keyword}}}, geoip={dynamic=true, type=object, properties={ip={type=ip}, latitude={type=half_float}, location={type=geo_point}, longitude={type=half_float}}}, dhcp_client_mac={type=text, 
fields={keyword={ignore_above=256, type=keyword}}}, message={type=text, fields={keyword={ignore_above=256, type=keyword}}}, host_title={type=text, fields={keyword={ignore_above=256, type=keyword}}}, tags={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request_host={type=text, fields={keyword={ignore_above=256, type=keyword}}}, src_port={type=text, fields={keyword={ignore_above=256, type=keyword}}}, @timestamp={type=date}, dst_port={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request_path={type=text, fields={keyword={ignore_above=256, type=keyword}}}}}]",
          "caused_by": {
            "type": "mapper_parsing_exception",
            "reason": "Root mapping definition has unsupported parameters:  [mappings : {dynamic_templates=[], properties={icmp_type={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request={type=text, fields={keyword={ignore_above=256, type=keyword}}}, agent={type=text, fields={keyword={ignore_above=256, type=keyword}}}, client_ip_leased={type=text, fields={keyword={ignore_above=256, type=keyword}}}, message_raw={type=text, fields={keyword={ignore_above=256, type=keyword}}}, type={type=text, fields={keyword={ignore_above=256, type=keyword}}}, dst_ip={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request_proto={type=text, fields={keyword={ignore_above=256, type=keyword}}}, src_ip={type=text, fields={keyword={ignore_above=256, type=keyword}}}, mx_external_src_ip={type=text, fields={keyword={ignore_above=256, type=keyword}}}, protocol={type=text, fields={keyword={ignore_above=256, type=keyword}}}, timestamp_unix={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request_meth={type=text, fields={keyword={ignore_above=256, type=keyword}}}, @version={type=text, fields={keyword={ignore_above=256, type=keyword}}}, dhcp_gateway={type=text, fields={keyword={ignore_above=256, type=keyword}}}, dhcp_subnet_mask={type=text, fields={keyword={ignore_above=256, type=keyword}}}, host={type=text, fields={keyword={ignore_above=256, type=keyword}}}, action={type=text, fields={keyword={ignore_above=256, type=keyword}}}, syslog_pri={type=text, fields={keyword={ignore_above=256, type=keyword}}}, dhcp_server_mac={type=text, fields={keyword={ignore_above=256, type=keyword}}}, mx_external_src_port={type=text, fields={keyword={ignore_above=256, type=keyword}}}, src_mac={type=text, fields={keyword={ignore_above=256, type=keyword}}}, geoip={dynamic=true, type=object, properties={ip={type=ip}, latitude={type=half_float}, location={type=geo_point}, longitude={type=half_float}}}, dhcp_client_mac={type=text, fields={keyword={ignore_above=256, 
type=keyword}}}, message={type=text, fields={keyword={ignore_above=256, type=keyword}}}, host_title={type=text, fields={keyword={ignore_above=256, type=keyword}}}, tags={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request_host={type=text, fields={keyword={ignore_above=256, type=keyword}}}, src_port={type=text, fields={keyword={ignore_above=256, type=keyword}}}, @timestamp={type=date}, dst_port={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request_path={type=text, fields={keyword={ignore_above=256, type=keyword}}}}}]"
          }
        }
      }
    },
    "causes": [
      "invalid composite mappings for [simulate_template_lizn5gfhqocntit6-0eefg]",
      "Failed to parse mapping [_doc]: Root mapping definition has unsupported parameters:  [mappings : {dynamic_templates=[], properties={icmp_type={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request={type=text, fields={keyword={ignore_above=256, type=keyword}}}, agent={type=text, fields={keyword={ignore_above=256, type=keyword}}}, client_ip_leased={type=text, fields={keyword={ignore_above=256, type=keyword}}}, message_raw={type=text, fields={keyword={ignore_above=256, type=keyword}}}, type={type=text, fields={keyword={ignore_above=256, type=keyword}}}, dst_ip={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request_proto={type=text, fields={keyword={ignore_above=256, type=keyword}}}, src_ip={type=text, fields={keyword={ignore_above=256, type=keyword}}}, mx_external_src_ip={type=text, fields={keyword={ignore_above=256, type=keyword}}}, protocol={type=text, fields={keyword={ignore_above=256, type=keyword}}}, timestamp_unix={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request_meth={type=text, fields={keyword={ignore_above=256, type=keyword}}}, @version={type=text, fields={keyword={ignore_above=256, type=keyword}}}, dhcp_gateway={type=text, fields={keyword={ignore_above=256, type=keyword}}}, dhcp_subnet_mask={type=text, fields={keyword={ignore_above=256, type=keyword}}}, host={type=text, fields={keyword={ignore_above=256, type=keyword}}}, action={type=text, fields={keyword={ignore_above=256, type=keyword}}}, syslog_pri={type=text, fields={keyword={ignore_above=256, type=keyword}}}, dhcp_server_mac={type=text, fields={keyword={ignore_above=256, type=keyword}}}, mx_external_src_port={type=text, fields={keyword={ignore_above=256, type=keyword}}}, src_mac={type=text, fields={keyword={ignore_above=256, type=keyword}}}, geoip={dynamic=true, type=object, properties={ip={type=ip}, latitude={type=half_float}, location={type=geo_point}, longitude={type=half_float}}}, dhcp_client_mac={type=text, 
fields={keyword={ignore_above=256, type=keyword}}}, message={type=text, fields={keyword={ignore_above=256, type=keyword}}}, host_title={type=text, fields={keyword={ignore_above=256, type=keyword}}}, tags={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request_host={type=text, fields={keyword={ignore_above=256, type=keyword}}}, src_port={type=text, fields={keyword={ignore_above=256, type=keyword}}}, @timestamp={type=date}, dst_port={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request_path={type=text, fields={keyword={ignore_above=256, type=keyword}}}}}]",
      "Root mapping definition has unsupported parameters:  [mappings : {dynamic_templates=[], properties={icmp_type={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request={type=text, fields={keyword={ignore_above=256, type=keyword}}}, agent={type=text, fields={keyword={ignore_above=256, type=keyword}}}, client_ip_leased={type=text, fields={keyword={ignore_above=256, type=keyword}}}, message_raw={type=text, fields={keyword={ignore_above=256, type=keyword}}}, type={type=text, fields={keyword={ignore_above=256, type=keyword}}}, dst_ip={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request_proto={type=text, fields={keyword={ignore_above=256, type=keyword}}}, src_ip={type=text, fields={keyword={ignore_above=256, type=keyword}}}, mx_external_src_ip={type=text, fields={keyword={ignore_above=256, type=keyword}}}, protocol={type=text, fields={keyword={ignore_above=256, type=keyword}}}, timestamp_unix={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request_meth={type=text, fields={keyword={ignore_above=256, type=keyword}}}, @version={type=text, fields={keyword={ignore_above=256, type=keyword}}}, dhcp_gateway={type=text, fields={keyword={ignore_above=256, type=keyword}}}, dhcp_subnet_mask={type=text, fields={keyword={ignore_above=256, type=keyword}}}, host={type=text, fields={keyword={ignore_above=256, type=keyword}}}, action={type=text, fields={keyword={ignore_above=256, type=keyword}}}, syslog_pri={type=text, fields={keyword={ignore_above=256, type=keyword}}}, dhcp_server_mac={type=text, fields={keyword={ignore_above=256, type=keyword}}}, mx_external_src_port={type=text, fields={keyword={ignore_above=256, type=keyword}}}, src_mac={type=text, fields={keyword={ignore_above=256, type=keyword}}}, geoip={dynamic=true, type=object, properties={ip={type=ip}, latitude={type=half_float}, location={type=geo_point}, longitude={type=half_float}}}, dhcp_client_mac={type=text, fields={keyword={ignore_above=256, type=keyword}}}, 
message={type=text, fields={keyword={ignore_above=256, type=keyword}}}, host_title={type=text, fields={keyword={ignore_above=256, type=keyword}}}, tags={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request_host={type=text, fields={keyword={ignore_above=256, type=keyword}}}, src_port={type=text, fields={keyword={ignore_above=256, type=keyword}}}, @timestamp={type=date}, dst_port={type=text, fields={keyword={ignore_above=256, type=keyword}}}, request_path={type=text, fields={keyword={ignore_above=256, type=keyword}}}}}]"
    ]
  }
}

Here is your template

PUT _index_template/templname
{
  "index_patterns": [
    "indexname*"
  ],
  "template": {
      "mappings": {
        "dynamic": true,
        "_source": {
          "enabled": true,
          "includes": [],
          "excludes": []
        },
        "_routing": {
          "required": false
        },
        "dynamic_templates": [],
        "properties": {
          "@timestamp": {
            "type": "date"
          },
          "@version": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "BASE10NUM": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "action": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "client_ip_leased": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "dhcp_client_mac": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "dhcp_gateway": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "dhcp_server_mac": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "dhcp_subnet_mask": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "dst_ip": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "dst_port": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "facility": {
            "type": "long"
          },
          "facility_label": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "geoip": {
            "type": "object",
            "dynamic": true,
            "properties": {
              "ip": {
                "type": "ip"
              },
              "latitude": {
                "type": "half_float"
              },
              "location": {
                "type": "geo_point"
              },
              "longitude": {
                "type": "half_float"
              }
            }
          },
          "host": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "host_title": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "icmp_type": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "message": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "message_raw": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "mx_external_src_ip": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "mx_external_src_port": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "priority": {
            "type": "long"
          },
          "protocol": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "request": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "severity": {
            "type": "long"
          },
          "severity_label": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "src_ip": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "src_mac": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "src_port": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "syslog_pri": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "tags": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "timestamp_unix": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          },
          "type": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256
              }
            }
          }
        }
      }
  }
}
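As an added example (not code from this thread or from Elastic), here is a small Python script that does what the steps above describe: it takes a mapping export in the legacy mappings -> _doc -> properties shape, strips the _doc level that produced the "Root mapping definition has unsupported parameters" error, swaps in the geoip block with location mapped as geo_point, and then checks the result for geospatial fields, which is what the "index pattern does not contain any geospatial fields" message is about. The sample export and the fw-log* pattern are constructed for the example; build_composable_template and find_geo_fields are the example's own helper names, not an Elasticsearch API.

```python
"""Turn a Kibana mapping export into a composable index template with geoip.location as geo_point."""
import json

# Mapping for the geoip object, as given in the answer above.
GEOIP_MAPPING = {
    "type": "object",
    "dynamic": True,
    "properties": {
        "ip": {"type": "ip"},
        "location": {"type": "geo_point"},
        "latitude": {"type": "half_float"},
        "longitude": {"type": "half_float"},
    },
}

# Field types Kibana Maps treats as geospatial.
GEO_TYPES = {"geo_point", "geo_shape"}


def unwrap_legacy_mappings(exported):
    """Return the properties dict from a mapping export.

    Exports from older indices wrap properties in a "_doc" type level
    (mappings -> _doc -> properties). A composable template's "template.mappings"
    must not contain that level, which is what the 'unsupported parameters'
    error in the thread complains about.
    """
    mappings = exported.get("mappings", exported)
    if "_doc" in mappings:
        mappings = mappings["_doc"]
    return mappings.get("properties", {})


def build_composable_template(exported, index_pattern):
    """Build the body for PUT _index_template/<name> with geoip fixed up."""
    properties = dict(unwrap_legacy_mappings(exported))
    # Replace the auto-generated geoip object (floats, location.lat/lon as
    # separate numbers) with the explicit geo_point mapping.
    properties["geoip"] = GEOIP_MAPPING
    return {
        "index_patterns": [index_pattern],
        "template": {"mappings": {"dynamic": True, "properties": properties}},
    }


def find_geo_fields(properties, prefix=""):
    """Walk a properties tree and return dotted names of geo_point/geo_shape fields."""
    found = []
    for name, spec in properties.items():
        path = f"{prefix}{name}"
        if spec.get("type") in GEO_TYPES:
            found.append(path)
        if "properties" in spec:
            found.extend(find_geo_fields(spec["properties"], path + "."))
    return found


# Constructed sample: a cut-down version of the export posted in the thread,
# with geoip dynamically mapped the way Elasticsearch did it by default.
SAMPLE_EXPORT = {
    "mappings": {
        "_doc": {
            "properties": {
                "@timestamp": {"type": "date"},
                "src_ip": {"type": "text", "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
                "geoip": {
                    "properties": {
                        "latitude": {"type": "float"},
                        "longitude": {"type": "float"},
                        "location": {"properties": {"lat": {"type": "float"}, "lon": {"type": "float"}}},
                    }
                },
            }
        }
    }
}

if __name__ == "__main__":
    before = find_geo_fields(unwrap_legacy_mappings(SAMPLE_EXPORT))
    print("geo fields in the dynamic mapping:", before or "none (Maps will reject this index)")
    template = build_composable_template(SAMPLE_EXPORT, "fw-log*")
    after = find_geo_fields(template["template"]["mappings"]["properties"])
    print("geo fields in the template:", after)
    print(json.dumps(template, indent=2))
```

Index templates only apply to indices created after the template exists, so an index that already holds the dynamic float mappings needs to be recreated (or rolled over) before geoip.location shows up as geo_point.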

Super that did it - thanks!
