HI,
I found what the problem is. I'm not 100% sure when the change was introduced, possibly 7.17 but if you don't set ecs_compatibility => disabled in your logstash file(filter) you will have conflicting mappings. Basically you end up with mixture of ECS geo mappings and your existing defined mappings.
To resolve this:
filter {
geoip {
source => "[host][ip]"
ecs_compatibility => disabled
}
}
Ref:
https://www.elastic.co/guide/en/logstash/7.17/ecs-ls.html
https://www.elastic.co/guide/en/logstash/current/plugins-filters-geoip.html
thanks for you help
Martin