My ELK setup leverages Filebeat and Logstash, based on this.
Standard visualization runs and I was able to use Logstash conditions to add
[geoip][location][latitude] and [geoip][location][longitude], with help from here
--> all relevant events have these above fields added and populated with expected values =)
When I run "curl -XGET http://127.0.0.1:9200/_aliases?pretty=true"
I see several filebeat-6.8.5-<datestamp> indexes.
Can someone walk me through how I'm supposed to add the geoip property to my index mapping?
I was told to look into index templates, but I'm lost.
Reading into what looks to be a Logstash template with geoip and this doc that goes over adding a custom geoip field to Filebeat,
I'm not sure if all I need is to figure out how to add this section into the template:
"properties" : {
  "geoip" : {
    "dynamic": true,
    "properties" : {
      "ip": { "type": "ip" },
      "location" : { "type" : "geo_point" },
      "latitude" : { "type" : "half_float" },
      "longitude" : { "type" : "half_float" }
    }
  }
}