Geolocation (Geo) Sub-Fields
The geo sub-fields represent geolocation attributes derived from IP addresses or other location-bearing data associated with entities described elsewhere in the event. These fields are not standalone entities; they are appended to top-level entity names to express location-specific properties, such as source_geo_city or destination_geo_country.
Geo fields apply to entities that carry network or host addressing context, including source, destination, and host. They are typically populated through IP geolocation enrichment and describe the physical or administrative location associated with the entity at the time of the event.
Common applications include:
- Identifying the geographic origin or destination of network connections for threat detection and investigation.
- Enriching events with country, region, and city context to support geographically scoped analytics and dashboards.
- Deriving location-based signals for behavioral baselining and anomaly detection.
Each field in this group corresponds to a specific level of geographic resolution or representation:
- geo_city - The city associated with the resolved location.
- geo_continent - The continent associated with the resolved location.
- geo_country - The full country name associated with the resolved location.
- geo_country_iso - The ISO 3166-1 alpha-2 country code.
- geo_coordinates - Latitude and longitude as a comma-separated string.
- geo_name - A human-readable location label, optionally derived by combining other geo values.
- geo_state - The state, province, or equivalent administrative subdivision.
| field | field_type | description | example_values |
|---|---|---|---|
| geo_city | keyword | City name associated with the resolved geolocation. | Hamburg, Houston |
| geo_continent | keyword | Continent name associated with the resolved geolocation. | America |
| geo_coordinates | keyword | Latitude and longitude of the resolved geolocation, expressed as a comma-separated decimal coordinate pair. | 34.1186,-118.3004 |
| geo_country | keyword | Full country name associated with the resolved geolocation. | USA, Canada |
| geo_country_iso | keyword | ISO 3166-1 alpha-2 country code associated with the resolved geolocation. | US, DE, CA |
| geo_name | keyword | Human-readable location label associated with the resolved geolocation. May be derived by combining other geo field values. | Hamburg, DE |
| geo_state | keyword | State, province, or equivalent administrative subdivision associated with the resolved geolocation. | Hamburg |
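The enrichment step described above, written out as an added example (this is not code from the schema's own pipeline): a constructed CIDR-to-location table stands in for a real GeoIP database, the entity's address is assumed to live in a field named `<entity>_ip` (an assumption, since the page does not name it), and the function appends the `<entity>_geo_*` sub-fields using the prefix convention the page describes. It also shows two checks a practitioner wants in such a step: RFC 1918, loopback and link-local addresses are left unenriched rather than tagged with a bogus location, and the coordinate string is validated as a decimal latitude/longitude pair before it is stored. `geo_name` is derived from `geo_city` and `geo_country_iso`, matching the page's example value `Hamburg, DE`.

```python
import ipaddress

# Constructed sample geolocation table (not real GeoIP data): network -> attributes.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): {
        "city": "Hamburg", "state": "Hamburg", "country": "Germany",
        "country_iso": "DE", "continent": "Europe", "coordinates": "53.5511,9.9937",
    },
    ipaddress.ip_network("198.51.100.0/24"): {
        "city": "Houston", "state": "Texas", "country": "USA",
        "country_iso": "US", "continent": "America", "coordinates": "29.7604,-95.3698",
    },
}

# Address ranges that carry no meaningful geolocation; events from them stay unenriched.
NON_GEOLOCATABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

GEO_KEYS = ("city", "state", "country", "country_iso", "continent")


def parse_coordinates(value):
    """Parse 'lat,lon' into (float, float); return None if malformed or out of range."""
    parts = value.split(",")
    if len(parts) != 2:
        return None
    try:
        lat, lon = float(parts[0].strip()), float(parts[1].strip())
    except ValueError:
        return None
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return None
    return lat, lon


def lookup_geo(ip_str):
    """Return the location attributes for an address, or None if it is unparseable,
    not geolocatable, or absent from the table."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    if any(ip in net for net in NON_GEOLOCATABLE):
        return None
    for net, attrs in GEO_TABLE.items():
        if ip in net:
            return attrs
    return None


def enrich_geo(event, entity):
    """Return a copy of the event with <entity>_geo_* sub-fields appended
    (e.g. source_geo_city), following the page's prefix convention.
    The entity's address is assumed to be in the '<entity>_ip' field."""
    out = dict(event)
    ip_str = event.get(f"{entity}_ip")
    attrs = lookup_geo(ip_str) if ip_str else None
    if attrs is None:
        return out
    for key in GEO_KEYS:
        out[f"{entity}_geo_{key}"] = attrs[key]
    # Store coordinates only when they parse as a valid decimal pair (field_type: keyword).
    if parse_coordinates(attrs["coordinates"]) is not None:
        out[f"{entity}_geo_coordinates"] = attrs["coordinates"]
    # geo_name derived from other geo values, in the "City, CC" form the page shows.
    out[f"{entity}_geo_name"] = f"{attrs['city']}, {attrs['country_iso']}"
    return out


if __name__ == "__main__":
    # Constructed sample event: a public source, a private destination.
    sample = {"source_ip": "203.0.113.7", "destination_ip": "10.0.0.5"}
    enriched = enrich_geo(enrich_geo(sample, "source"), "destination")
    for k in sorted(enriched):
        print(f"{k}: {enriched[k]}")
```

Running the block enriches only the `source` entity: the destination is an RFC 1918 address, so no `destination_geo_*` fields are written, which keeps dashboards and geographically scoped detections from counting internal traffic as foreign.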
