Thanks Mark,
I don't see any types that = "geo_point" so I assume I must set this but from that I assume I must also change the template so that it is set on a permanent basis?
Is there a curl "put" to modify the existing indices and where would I then change template?
Here is the output from the _mapping:
{"syslog-2016.07.04":{"mappings":{"syslog":{"properties":{"@timestamp":{"type":"date","format":"strict_date_optional_time||epoch_millis"},"@version":{"type":"string"},"dest_IP":{"type":"string"},"dst_addr":{"type":"string"},"dst_port":{"type":"string"},"from_zone":{"type":"string"},"geoip":{"properties":{"area_code":{"type":"long"},"city_name":{"type":"string"},"continent_code":{"type":"string"},"coordinates":{"type":"double"},"country_code2":{"type":"string"},"country_code3":{"type":"string"},"country_name":{"type":"string"},"dma_code":{"type":"long"},"ip":{"type":"string"},"latitude":{"type":"double"},"location":{"type":"double"},"longitude":{"type":"double"},"postal_code":{"type":"string"},"real_region_name":{"type":"string"},"region_name":{"type":"string"},"timezone":{"type":"string"}}},"host":{"type":"string"},"message":{"type":"string"},"policy_name":{"type":"string"},"protocol_id":{"type":"string"},"received_at":{"type":"date","format":"strict_date_optional_time||epoch_millis"},"received_from":{"type":"string"},"service":{"type":"string"},"src_IP":{"type":"string"},"src_addr":{"type":"string"},"src_port":{"type":"string"},"syslog_hostname":{"type":"string"},"syslog_message":{"type":"string"},"syslog_pid":{"type":"string"},"syslog_pri":{"type":"string"},"syslog_program":{"type":"string"},"syslog_timestamp":{"type":"string"},"to_zone":{"type":"string"},"type":{"type":"string"}}}}}}