But, since you're only using countries, my earlier suggestions might be out of scope for this.
I like @stephenb's idea of using the enrich processor for this. But countries can be referred to by many different names (e.g. Vietnam, Viet Nam, Socialist Republic of Vietnam, ...). The gazetteer data from Geonames has places names, centroids, and alternative names. Perhaps you can ingest the country names and centroids from geonames into Elasticsearch. I would put the country name and all alternative names into a single keyword field. Then we can use this with an enrich policy to add the locations to your logs at ingest.
I copied and pasted a test from my own Kibana console as an example below.
```
PUT geonames-countries

PUT geonames-countries/_mapping
{
  "properties": {
    "name": {
      "type": "keyword"
    },
    "location": {
      "type": "geo_point"
    }
  }
}

PUT geonames-countries/_doc/1
{
  "name": ["Vietnam", "Viet Nam", "Socialist Republic of Vietnam"],
  "location": [108.533936, 13.370915]
}

GET geonames-countries/_search
{
  "query": {
    "term": {
      "name": {
        "value": "Viet Nam"
      }
    }
  }
}

PUT _enrich/policy/country_centroids
{
  "match": {
    "indices": "geonames-countries",
    "match_field": "name",
    "enrich_fields": ["location"]
  }
}

POST _enrich/policy/country_centroids/_execute

POST _ingest/pipeline/_simulate?verbose=false
{
  "pipeline": {
    "processors": [
      {
        "enrich": {
          "policy_name": "country_centroids",
          "field": "country_name",
          "target_field": "location"
        }
      }
    ]
  },
  "docs": [
    {
      "_index": "my-logs-index",
      "_type": "_doc",
      "_id": "foo",
      "_source": {
        "country_name": "Viet Nam"
      }
    }
  ]
}
```
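The step the reply leaves to the reader is turning the GeoNames dump into documents shaped like the one above (all names in one keyword array, centroid as [lon, lat]). The script below is an added example, not code from the reply or from Elastic; it assumes the tab-separated layout of GeoNames `allCountries.txt` (geonameid, name, asciiname, comma-separated alternatenames, latitude, longitude, feature class, feature code, country code, ...) and keeps only rows with feature code `PCLI`, the independent-country records. The three sample rows are constructed for the example and their coordinates are not real GeoNames values.

```python
import csv
import json
from typing import Iterator

# Constructed sample in the GeoNames allCountries.txt layout (tab-separated).
# Columns used: 0 geonameid, 1 name, 2 asciiname, 3 alternatenames,
# 4 latitude, 5 longitude, 7 feature code. Values are made up for the example.
SAMPLE_GEONAMES = (
    "1562822\tVietnam\tVietnam\tViet Nam,Socialist Republic of Vietnam,VN\t"
    "16.16667\t107.83333\tA\tPCLI\tVN\n"
    "1835841\tRepublic of Korea\tRepublic of Korea\tSouth Korea,Korea\t"
    "36.5\t127.75\tA\tPCLI\tKR\n"
    "1835848\tSeoul\tSeoul\tSoul,Seul\t37.566\t126.9784\tP\tPPLC\tKR\n"
)


def country_docs(tsv_text: str) -> Iterator[dict]:
    """Yield one enrich-index document per country row (feature code PCLI):
    every known name in the keyword array, location as [lon, lat] for geo_point."""
    reader = csv.reader(tsv_text.splitlines(), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) < 9 or row[7] != "PCLI":
            continue  # skip cities, admin regions and malformed lines
        names = [row[1], row[2]] + [n for n in row[3].split(",") if n]
        # Deduplicate while keeping order; term queries on a keyword field are
        # exact, so the original casing of each alternative name is preserved.
        seen, unique = set(), []
        for n in names:
            if n not in seen:
                seen.add(n)
                unique.append(n)
        yield {"_id": row[0], "name": unique,
               "location": [float(row[5]), float(row[4])]}


def bulk_body(tsv_text: str, index: str = "geonames-countries") -> str:
    """Build an NDJSON body for the _bulk API that fills the source index
    the country_centroids enrich policy reads from."""
    lines = []
    for doc in country_docs(tsv_text):
        doc_id = doc.pop("_id")  # use the geonameid as the document id
        lines.append(json.dumps({"index": {"_index": index, "_id": doc_id}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(bulk_body(SAMPLE_GEONAMES), end="")
```

After posting the body to `_bulk`, re-run `POST _enrich/policy/country_centroids/_execute` so the enrich index picks up the new names.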