Is it possible to enrich an enrichment?
For example, I have an IP address, I enrich it with geo and get the city name,
and now I want to enrich the city name with a city crime level (assume I have that
data). But when I do that, it just does not work. I specify the enrichment
like this:
> {
>   "index" : "msexchange",
>   "batchSize" : 5,
>   "enrichment" : {
>     "fieldMap" : {
>       "geo" : [ "destination_ip", "source_ip" ],
>       "hbaseEnrichment" : [ "enrichments.geo.destination_ip.country" ],
>       "hbaseEnrichment" : [ "enrichments:geo:destination_ip:country" ],
>       "hbaseEnrichment" : [ "enrichments.geo.destination_ip:country" ]
>     },
>     "fieldToTypeMap" : {
>       "enrichments.geo.destination_ip.country" : [ "city_crime_level" ],
>       "enrichments:geo:destination_ip:country" : [ "city_crime_level" ],
>       "enrichments.geo.destination_ip:country" : [ "city_crime_level" ]
>     },
>     "config" : { }
>   },
>   "threatIntel" : {
>     "fieldMap" : { },
>     "fieldToTypeMap" : { },
>     "config" : { },
>     "triageConfig" : {
>       "riskLevelRules" : { },
>       "aggregator" : "MAX",
>       "aggregationConfig" : { }
>     }
>   },
>   "configuration" : { }
> }
I tried all the ways the enrichment field can be entered, just to be sure
I did not mistype it.
- Dima