We have recently moved our Logstash indices to a data stream but are having issues with the geopoints. As a result, the geofencing for everything, including the Elastic agents, is broken. At first there was this error:
    Pipeline error {:pipeline_id=>"network_logs", :exception=>#<LogStash::ConfigurationError: GeoIP Filter in ECS-Compatiblity mode requires a `target` when `source` is not an `ip` sub-field, eg. [client][ip]>
But ECS compatibility has been disabled for the two IP variables, while the rest is v8-compatible:
    filter {
      # Private source address: pin a fixed location for it and look up
      # the destination instead.
      if [source.ip] =~ /^192.168.1.*$/ {
        mutate {
          add_field => { "source.geo.location" => "41.12, -71.34" }
        }
        # Legacy (non-ECS) mode: results land under the top-level [geoip] object.
        geoip {
          source            => "destination.ip"
          ecs_compatibility => disabled
        }
        mutate {
          add_field => { "destination.geo.location" => "%{[geoip][latitude]}, %{[geoip][longitude]}" }
        }
      }
      # Private destination address: the mirror image of the block above.
      if [destination.ip] =~ /^192.168.1.*$/ {
        mutate {
          add_field => { "destination.geo.location" => "41.12, -71.34" }
        }
        geoip {
          source            => "source.ip"
          ecs_compatibility => disabled
        }
        mutate {
          add_field => { "source.geo.location" => "%{[geoip][latitude]}, %{[geoip][longitude]}" }
        }
      }
    }
Is it possible to edit the filter so that source.ip and destination.ip are ECS-compliant, without the 'target' error, so that the map works properly again?
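The same filter written for ECS mode, added here as an illustration and not part of the original post or of the Logstash project's own documentation. It assumes the events carry the nested ECS fields [source][ip] and [destination][ip] (a bracketed reference such as [source.ip] names a single top-level field whose name contains a literal dot, not the nested [source][ip]) and that the data stream's index template maps source.geo.location and destination.geo.location as geo_point. In ECS mode the geoip filter requires no `target` when `source` is one of the ECS ip sub-fields such as [destination][ip]: the target defaults to the parent object and the plugin writes [destination][geo][location] as a {lat, lon} object itself, so the mutate that copied [geoip][latitude] and [geoip][longitude] is no longer needed.

```logstash
filter {
  # Private source address: pin a fixed location for it and look up the
  # public destination. The dots in the regex are escaped so that it matches
  # only 192.168.1.x and not, say, 192x168x1x.
  if [source][ip] =~ /^192\.168\.1\./ {
    mutate {
      add_field => { "[source][geo][location]" => "41.12, -71.34" }
    }
    # ECS mode: source is the ECS sub-field [destination][ip], so target
    # defaults to [destination] and the lookup fills [destination][geo][*],
    # including [destination][geo][location] as { "lat" => ..., "lon" => ... }.
    geoip {
      source            => "[destination][ip]"
      ecs_compatibility => v8
    }
  }

  # Private destination address: the mirror image of the block above.
  if [destination][ip] =~ /^192\.168\.1\./ {
    mutate {
      add_field => { "[destination][geo][location]" => "41.12, -71.34" }
    }
    geoip {
      source            => "[source][ip]"
      ecs_compatibility => v8
    }
  }

  # Hypothetical field names, shown only to illustrate the case the error
  # message describes: a source that is not an ECS ip sub-field has no
  # default target in ECS mode, so target must be given explicitly.
  # geoip {
  #   source            => "[peer_address]"
  #   target            => "[peer]"
  #   ecs_compatibility => v8
  # }
}
```

With `ecs_compatibility => v8` set on each geoip filter (which is also the default when `pipeline.ecs_compatibility` is v8), the error disappears because every `source` is an ip sub-field; if a lookup cannot resolve an address (for example a private one that slipped past the conditionals), the event is tagged _geoip_lookup_failure rather than the pipeline failing to start.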