Geo fields
Elastic Stack Serverless
Geo fields can carry data about a specific location related to an event.
This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.
| Field | Description | Level |
|---|---|---|
| geo.city_name | City name. type: keyword; example: `Montreal` | core |
| geo.continent_code | Two-letter code representing the continent's name. type: keyword; example: `NA` | core |
| geo.continent_name | Name of the continent. type: keyword; example: `North America` | core |
| geo.country_iso_code | Country ISO code. type: keyword; example: `CA` | core |
| geo.country_name | Country name. type: keyword; example: `Canada` | core |
| geo.location | Longitude and latitude. type: geo_point; example: `{ "lon": -73.614830, "lat": 45.505918 }` | core |
| geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. type: keyword; example: `boston-dc` | extended |
| geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. type: keyword; example: `94040` | core |
| geo.region_iso_code | Region ISO code. type: keyword; example: `CA-QC` | core |
| geo.region_name | Region name. type: keyword; example: `Quebec` | core |
| geo.timezone | The time zone of the location, such as an IANA time zone name. type: keyword; example: `America/Argentina/Buenos_Aires` | core |
The geo fields are expected to be nested at:

- client.geo
- destination.geo
- host.geo
- observer.geo
- server.geo
- source.geo
- threat.enrichments.indicator.geo
- threat.indicator.geo

Note also that the geo fields are not expected to be used directly at the root of the events.
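The nesting rule above and the field table are the two things an ingest pipeline most often gets wrong: geo data lands at the event root, or `geo.location` is emitted as a string instead of a geo_point object. The following is an added example, not code from the ECS documentation or the Elastic project, showing how to attach a GeoIP-style lookup result under `source.geo` and validate an event against the field names, keyword types, permitted parents and `geo.location` shape listed on this page. The lookup result, the event and the `203.0.113.10` address are constructed sample values; the function names are my own.

```python
"""Added example (not part of the ECS documentation): build an ECS-style
event that carries geo fields under a permitted parent (source.geo,
destination.geo, ...) and validate the result against the geo field
reference.  All sample values are constructed."""

# Field names and permitted parents taken from the geo field reference above.
GEO_FIELDS = {
    "city_name", "continent_code", "continent_name", "country_iso_code",
    "country_name", "location", "name", "postal_code", "region_iso_code",
    "region_name", "timezone",
}
GEO_PARENTS = (
    "client", "destination", "host", "observer", "server", "source",
    "threat.enrichments.indicator", "threat.indicator",
)


def _get_path(doc, dotted):
    """Walk a nested dict by dotted path; return None if any segment is missing."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def validate_geo_point(value):
    """Return problems with a geo_point written as {"lon": x, "lat": y}."""
    if not isinstance(value, dict) or set(value) != {"lon", "lat"}:
        return ["geo.location must be an object with exactly 'lon' and 'lat'"]
    lon, lat = value["lon"], value["lat"]
    # bool is a subclass of int in Python, so reject it explicitly
    if not all(isinstance(v, (int, float)) and not isinstance(v, bool) for v in (lon, lat)):
        return ["lon and lat must be numeric"]
    problems = []
    if not -180.0 <= lon <= 180.0:
        problems.append(f"lon {lon} outside [-180, 180]")
    if not -90.0 <= lat <= 90.0:
        problems.append(f"lat {lat} outside [-90, 90]")
    return problems


def validate_geo(doc):
    """Return a list of ECS geo-field problems found in an event document."""
    problems = []
    # geo fields are not expected directly at the root of the event
    if "geo" in doc:
        problems.append("geo fields found at event root; nest them under a permitted parent")
    for parent in GEO_PARENTS:
        geo = _get_path(doc, parent + ".geo")
        if geo is None:
            continue
        if not isinstance(geo, dict):
            problems.append(f"{parent}.geo must be an object")
            continue
        for name, value in geo.items():
            if name not in GEO_FIELDS:
                problems.append(f"{parent}.geo.{name} is not an ECS geo field")
            elif name == "location":
                problems.extend(f"{parent}.geo.location: {p}" for p in validate_geo_point(value))
            elif not isinstance(value, str):
                # every geo field other than location is type keyword
                problems.append(f"{parent}.geo.{name} must be a keyword (string)")
    return problems


def enrich_source_geo(event, geoip_result):
    """Attach a (constructed) GeoIP lookup result under event['source']['geo']."""
    event.setdefault("source", {})["geo"] = {
        "city_name": geoip_result["city"],
        "country_iso_code": geoip_result["country_iso"],
        "country_name": geoip_result["country"],
        "region_iso_code": geoip_result["region_iso"],
        "region_name": geoip_result["region"],
        "continent_code": geoip_result["continent_code"],
        "continent_name": geoip_result["continent"],
        "timezone": geoip_result["timezone"],
        "location": {"lon": geoip_result["lon"], "lat": geoip_result["lat"]},
    }
    return event


# Constructed sample shaped like a GeoIP database answer (hypothetical values).
SAMPLE_GEOIP = {
    "city": "Montreal", "country_iso": "CA", "country": "Canada",
    "region_iso": "CA-QC", "region": "Quebec", "continent_code": "NA",
    "continent": "North America", "timezone": "America/Toronto",
    "lon": -73.614830, "lat": 45.505918,
}

if __name__ == "__main__":
    good = enrich_source_geo({"source": {"ip": "203.0.113.10"}}, SAMPLE_GEOIP)
    print(validate_geo(good))
    bad = {"geo": {"city_name": "Montreal"},
           "source": {"geo": {"location": {"lat": 95, "lon": 0}}}}
    print(validate_geo(bad))
```

Running the validator on documents before indexing catches the two failure modes a detection engineer cares about: geo data that silently ends up in the wrong place (and so never matches `source.geo.*` queries or map visualisations), and `geo.location` values that would be rejected or mis-mapped by a `geo_point` field.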