In our environment we have custom logs coming in, in which a remote IP is ingested into a field called remoteAddr. In our ingest pipeline we're using a GeoIP processor with the source field remoteAddr and the target field remoteAddrGeoIP. This then creates the following fields upon ingestion:
remoteAddrGeoIP.city_name
remoteAddrGeoIP.continent_name
remoteAddrGeoIP.country_iso_code
remoteAddrGeoIP.country_name
remoteAddrGeoIP.location.lat
remoteAddrGeoIP.location.lon
remoteAddrGeoIP.region_iso_code
remoteAddrGeoIP.region_name
This almost works as expected with the exception that I'm not sure why the Geo-point field remoteAddrGeoIP.location is "missing". There's a possibility to join the remoteAddrGeoIP.location.lon onto the remoteAddrGeoIP.location field, but I'm unsure whether that is the best practice method. I've also tried mapping remoteAddrGeoIP as a nested field with remoteAddrGeoIP.location as a child Geo-point field in the index template without success.
remoteAddrGeoIP.location.lon fields should be in the remoteAddrGeoIP.location [Geo-point field] as well/instead.
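
An added example, not part of the original post: the request bodies for the GeoIP pipeline described above and for an index template that declares remoteAddrGeoIP.location as geo_point on a plain object, plus a check that tells from an index's mappings whether location ended up as geo_point or as two dynamically mapped lat/lon floats. The pipeline id, template id, index pattern and the sample mapping are constructed; the example assumes the separate lat/lon fields come from dynamic mapping.

```python
import json

# Names below (pipeline id, template id, index pattern) are constructed for this example.
PIPELINE_ID = "custom-logs-geoip"
TEMPLATE_ID = "custom-logs"

# Body for PUT _ingest/pipeline/<PIPELINE_ID>: the processor described in the post.
PIPELINE = {"processors": [
    {"geoip": {"field": "remoteAddr", "target_field": "remoteAddrGeoIP"}}
]}

# Body for PUT _index_template/<TEMPLATE_ID>: remoteAddrGeoIP stays a plain object
# (not nested) and only its location sub-field is declared as geo_point.
TEMPLATE = {
    "index_patterns": ["custom-logs-*"],
    "template": {"mappings": {"properties": {
        "remoteAddrGeoIP": {"properties": {"location": {"type": "geo_point"}}},
    }}},
}

# Constructed sample of what GET <index>/_mapping can return when location was
# mapped dynamically: lat and lon become two separate float fields.
DYNAMIC_MAPPING = {"properties": {"remoteAddrGeoIP": {"properties": {
    "city_name": {"type": "text"},
    "location": {"properties": {"lat": {"type": "float"}, "lon": {"type": "float"}}},
}}}}

def location_status(mappings, target="remoteAddrGeoIP"):
    """Classify how <target>.location is mapped in an index's mappings dict."""
    node = mappings.get("properties", {}).get(target, {})
    if node.get("type") == "nested":
        return "nested"
    loc = node.get("properties", {}).get("location")
    if loc is None:
        return "unmapped"
    if loc.get("type") == "geo_point":
        return "geo_point"
    if {"lat", "lon"} <= set(loc.get("properties", {})):
        return "dynamic_lat_lon"
    return "other"

if __name__ == "__main__":
    print(f"PUT _ingest/pipeline/{PIPELINE_ID}\n{json.dumps(PIPELINE, indent=2)}")
    print(f"PUT _index_template/{TEMPLATE_ID}\n{json.dumps(TEMPLATE, indent=2)}")
    print("dynamic index:", location_status(DYNAMIC_MAPPING))
    print("templated index:", location_status(TEMPLATE["template"]["mappings"]))
```

An index template applies only to indices created after it is installed, so an existing index keeps its lat/lon float mapping until it rolls over or is reindexed.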