I wanted to show the geolocation of my source.ip data on a map.
I added a geoIP processor to my ingestion pipeline with target field source.geo, so now I get a field source.ip.location.
Initially, I mapped source in dynamic templates in the index mapping, but the field type was not being recognized (it showed in Kibana Discover with a question mark next to it). So I added the following manual mapping to the index:
"source": {
  "properties": {
    "ip": {
      "type": "ip"
    },
    "geo": {
      "properties": {
        "region_iso_code": {
          "type": "keyword"
        },
        "country_iso_code": {
          "type": "keyword"
        },
        "location": {
          "properties": {
            "lat": {
              "type": "long"
            },
            "lon": {
              "type": "long"
            }
          },
          "type": "object"
        }
      },
      "type": "object"
    }
  },
  "type": "object"
},
This made the field type appear as a number in Kibana Discover/Visualize; however, it still didn't appear on Kibana's Security.Network Map.
Then I added source to the index template, and set the location as a geo-point type.
"source": {
  "properties": {
    "ip": {
      "type": "ip"
    },
    "geo": {
      "properties": {
        "region_iso_code": {
          "type": "keyword"
        },
        "country_iso_code": {
          "type": "keyword"
        },
        "location": {
          "type": "geo_point"
        }
      },
      "type": "object"
    }
  },
  "type": "object"
},
When the index rolled over to the next one, the source.ip.location started to appear in Kibana's Discover with a red alert sign next to it, saying "analysis is not available for object fields". Needless to say, it still doesn't appear on the map, and now I have a conflict on the map's layer settings:
Data source: Documents
Index pattern: my_index_name
Geospatial field: source.geo.location
Geospatial field: type conflict
Any suggestions on how to get the geo_point data on the map?
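
An added example, not part of the original post: Kibana reports a type conflict when the indices behind one index pattern map the same field with different types, and this sketch checks for that on source.geo.location. It assumes input shaped like the response of `GET <pattern>/_mapping`; the rollover index names and the sample mappings are constructed.

```python
# Added example: compare how each index behind an index pattern maps one field.
# Input has the shape returned by GET <pattern>/_mapping. The index names and
# mappings below are constructed sample data, not taken from a real cluster.

SAMPLE_MAPPINGS = {
    # Older index: location mapped manually as an object with numeric lat/lon.
    "my_index_name-000001": {"mappings": {"properties": {"source": {"properties": {
        "ip": {"type": "ip"},
        "geo": {"properties": {
            "location": {"properties": {
                "lat": {"type": "long"},
                "lon": {"type": "long"},
            }},
        }},
    }}}}},
    # Index created after rollover: location comes from the template as geo_point.
    "my_index_name-000002": {"mappings": {"properties": {"source": {"properties": {
        "ip": {"type": "ip"},
        "geo": {"properties": {"location": {"type": "geo_point"}}},
    }}}}},
}


def field_type(index_body, dotted_path):
    """Return the mapped type of dotted_path in one index, or None if unmapped."""
    node = index_body.get("mappings", {})
    for part in dotted_path.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    # A field that only has sub-properties is an object field.
    return node.get("type", "object" if "properties" in node else None)


def types_by_index(mapping_response, dotted_path):
    """Map each index name to the type it assigns to dotted_path."""
    return {name: field_type(body, dotted_path)
            for name, body in sorted(mapping_response.items())}


def conflicting_types(mapping_response, dotted_path):
    """Return the sorted distinct types if indices disagree, else an empty list."""
    seen = {t for t in types_by_index(mapping_response, dotted_path).values() if t}
    return sorted(seen) if len(seen) > 1 else []


if __name__ == "__main__":
    for path in ("source.ip", "source.geo.location"):
        print(path, types_by_index(SAMPLE_MAPPINGS, path),
              "conflict:", conflicting_types(SAMPLE_MAPPINGS, path))
```

To run it against real data, replace `SAMPLE_MAPPINGS` with the parsed JSON response of `GET my_index_name*/_mapping`.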