HBase enrichments and geo enrichments are done in parallel, so I would not expect this to work. You could do the HBase enrichment as a threat intel enrichment and that should work because enrichments and threat intel are done in series.
The ideal way would be to chain together Stellar enrichments but I don't think there is a geo enrichment function created yet. I think that should be a Jira. I know someone is working on an update to how we do geo enrichments so I will file a follow on Jira if it's not included in the scope of that work.

Ryan

> On Jan 8, 2017, at 2:31 PM, Dima Kovalyov <[email protected]> wrote:
>
> Is it possible to enrich enrichment?
>
> For example I have IP address, I enrich it with geo and get City name,
> now I want to enrich City name with city crime level (assume I have that
> data). But when I do that it just does not work. I specify enrichment
> like that:
>> {
>>   "index" : "msexchange",
>>   "batchSize" : 5,
>>   "enrichment" : {
>>     "fieldMap" : {
>>       "geo" : [ "destination_ip", "source_ip" ],
>>       "hbaseEnrichment" : [ "enrichments.geo.destination_ip.country" ],
>>       "hbaseEnrichment" : [ "enrichments:geo:destination_ip:country" ],
>>       "hbaseEnrichment" : [ "enrichments.geo.destination_ip:country" ]
>>     },
>>     "fieldToTypeMap" : {
>>       "enrichments.geo.destination_ip.country" : [ "city_crime_level" ],
>>       "enrichments:geo:destination_ip:country" : [ "city_crime_level" ],
>>       "enrichments.geo.destination_ip:country" : [ "city_crime_level" ]
>>     },
>>     "config" : { }
>>   },
>>   "threatIntel" : {
>>     "fieldMap" : { },
>>     "fieldToTypeMap" : { },
>>     "config" : { },
>>     "triageConfig" : {
>>       "riskLevelRules" : { },
>>       "aggregator" : "MAX",
>>       "aggregationConfig" : { }
>>     }
>>   },
>>   "configuration" : { }
>> }
> I tried all the ways how enrichment field can be entered just to be sure
> I do not mistype it.
>
> - Dima
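
An added illustration, not part of the thread and not Apache Metron code: a toy Python model of the ordering described in the reply, where adapters inside one stage run in parallel on the same input and the threat intel stage runs after the enrichment stage. The lookup tables, the sample message, the function names and the output key prefixes are assumptions made for the example.

```python
# Toy model of the stage ordering discussed in the thread; not Metron code.
GEO_TABLE = {"203.0.113.7": {"country": "US", "city": "Springfield"}}  # constructed
CRIME_TABLE = {"US": "medium"}                                         # constructed

def geo(message, fields):
    """Geo adapter: emit enrichments.geo.<field>.<attr> for each known IP."""
    out = {}
    for field in fields:
        for attr, value in GEO_TABLE.get(message.get(field), {}).items():
            out[f"enrichments.geo.{field}.{attr}"] = value
    return out

def hbase_lookup(prefix, table):
    """Build an HBase-style adapter; the output key prefix is hypothetical."""
    def adapter(message, fields):
        out = {}
        for field in fields:
            if message.get(field) in table:
                out[f"{prefix}.{field}.city_crime_level"] = table[message[field]]
        return out
    return adapter

def run_stage(message, adapters):
    """Parallel stage: every adapter reads the same input snapshot and the
    outputs are joined into the message only after all adapters finish."""
    snapshot, joined = dict(message), dict(message)
    for adapter, fields in adapters:
        joined.update(adapter(snapshot, fields))
    return joined

def pipeline(message, enrichment, threat_intel):
    """Stages run in series: threat intel sees the joined enrichment output."""
    return run_stage(run_stage(message, enrichment), threat_intel)

COUNTRY = "enrichments.geo.destination_ip.country"
MSG = {"destination_ip": "203.0.113.7", "source_ip": "198.51.100.9"}  # constructed
GEO_FIELDS = ["destination_ip", "source_ip"]

# Layout from the question: geo and the dependent lookup share one stage.
same_stage = pipeline(
    MSG,
    [(geo, GEO_FIELDS), (hbase_lookup("enrichments.hbaseEnrichment", CRIME_TABLE), [COUNTRY])],
    [])
# Layout from the reply: the dependent lookup moves to the threat intel stage.
chained = pipeline(
    MSG,
    [(geo, GEO_FIELDS)],
    [(hbase_lookup("threatintels.hbaseThreatIntel", CRIME_TABLE), [COUNTRY])])
```

In `same_stage` the country field exists but no crime-level key is produced, because the lookup ran against a snapshot that did not yet contain the geo output; in `chained` the lookup finds it.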
