Skip to content

Respect flexible field access pattern in geoip and ip_location processors #138728

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Respect flexible field access pattern in geoip and ip_location processors #138728

wants to merge 3 commits into from
+761 −2

Conversation

@flash1293
Copy link
Contributor

@flash1293 flash1293 commented Nov 27, 2025
edited
Loading

Currently in flexible field access mode, the geoip processor writes such an object:

{
  "geoip": {
    "field": "ip",
    "target_get": "my.field"
  }
}

results in

{
  "my.field": {
     "city": "...",
     "country": "...",
     "location": {
        "lat": "...",
        "lon": "..."
     }
  }
}

This is problematic because we go from dotted to subobject, which means that in subsequent processing steps, e.g. my.field.country can't be accessed anymore.

To align things, in flexible field access mode the geoip processor now writes the individual parts as individual properties:

{
  "my.field.city: "...",
  "my.field.country": "...",
   "my.field.location": {
     "lat": "...",
     "lon": "..."
  }
}

Notice how my.field.location would stay in object notation, since we already know for a fact that this is a geopoint, so it's handled as a "single" field.

The same applies to the ip_location processor.

@elasticsearchmachine elasticsearchmachine added v9.3.0 external-contributor Pull request authored by a developer outside the Elasticsearch team labels Nov 27, 2025
@flash1293 flash1293 changed the title Flattened geo Respect flexible field access pattern in geoip and ip_location processors Nov 27, 2025
@flash1293 flash1293 marked this pull request as ready for review November 27, 2025 16:29
@flash1293 flash1293 requested a review from masseyke November 27, 2025 16:30
@elasticsearchmachine elasticsearchmachine added the needs:triage Requires assignment of a team area label label Nov 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@masseyke masseyke Awaiting requested review from masseyke

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

external-contributor Pull request authored by a developer outside the Elasticsearch team needs:triage Requires assignment of a team area label v9.3.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@flash1293 @elasticsearchmachine