Add geo.region_iso_code

[webmat]

The basic GeoIP plugin provides this information when available, we should add it to ECS.

Note that I think there's more to add in the geo field set, but this one is straightforward.

[ruflin]

Can you open a PR?

[octocat-mona]

Also country_name is missing, shouldn't all fields from the Geoip Processor be added to the geo object?

[octocat-mona]

@ruflin Would you accept a PR including all fields from the GeoLite2 City + Country database?
I think the description of the fields are documented here.

[webmat]

I already feel like the field names are too tied to Geolite's database naming. I'm not sure we should add 100% of the fields as the canonical names in ECS just yet. Not sure if it's going to come to this eventually, but for now let's add the most canonical names only.

Note that this doesn't prevent you from saving all of the geolite fields in your indices.

[octocat-mona]

I don't need all of them atm, but it would be nice to have them included at some point or define standardized names which the GeoIP plugin should also use by default.

If country_name could be added at least that would be nice 😉

[webmat]

Yes, totally agree. It's on my short list to flesh out geo a bit. I agree we're missing a few pretty basic fields.

Any other that bug you, other than country_name or region_iso_code?

[octocat-mona]

No, just those would be fine for me 👍