Maybe the naming of the phases is misleading? What if you could set up an arbitrary number of stages, with defaults?

On January 8, 2017 at 16:25:01, Casey Stella ([email protected]) wrote:

You could do the geo enrichment normally and do a stellar hbase enrichment in the threat Intel phase.

On Sun, Jan 8, 2017 at 16:22 Ryan Merriman <[email protected]> wrote:

> Hbase enrichments and geo enrichments are done in parallel so I would not
> expect this to work. You could do the Hbase enrichment as a threat Intel
> enrichment and that should work because enrichments and threat Intel are
> done in series.
>
> The ideal way would be to chain together Stellar enrichments but I don't
> think there is a geo enrichment function created yet. I think that should
> be a Jira. I know someone is working on an update to how we do geo
> enrichments so I will file a follow on Jira if it's not included in the
> scope of that work.
>
> Ryan
>
> On Jan 8, 2017, at 2:31 PM, Dima Kovalyov <[email protected]> wrote:
>
> > Is it possible to enrich enrichment?
> >
> > For example I have IP address, I enrich it with geo and get City name,
> > now I want to enrich City name with city crime level (assume I have that
> > data). But when I do that it just does not work. I specify enrichment
> > like that:
> > > {
> > >   "index" : "msexchange",
> > >   "batchSize" : 5,
> > >   "enrichment" : {
> > >     "fieldMap" : {
> > >       "geo" : [ "destination_ip", "source_ip" ],
> > >       "hbaseEnrichment" : [ "enrichments.geo.destination_ip.country" ],
> > >       "hbaseEnrichment" : [ "enrichments:geo:destination_ip:country" ],
> > >       "hbaseEnrichment" : [ "enrichments.geo.destination_ip:country" ]
> > >     },
> > >     "fieldToTypeMap" : {
> > >       "enrichments.geo.destination_ip.country" : [ "city_crime_level" ],
> > >       "enrichments:geo:destination_ip:country" : [ "city_crime_level" ],
> > >       "enrichments.geo.destination_ip:country" : [ "city_crime_level" ]
> > >     },
> > >     "config" : { }
> > >   },
> > >   "threatIntel" : {
> > >     "fieldMap" : { },
> > >     "fieldToTypeMap" : { },
> > >     "config" : { },
> > >     "triageConfig" : {
> > >       "riskLevelRules" : { },
> > >       "aggregator" : "MAX",
> > >       "aggregationConfig" : { }
> > >     }
> > >   },
> > >   "configuration" : { }
> > > }
> > I tried all the ways how enrichment field can be entered just to be sure
> > I do not mistype it.
> >
> > - Dima
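Added example, not part of the original thread and not Metron code: a simplified Python model of the ordering described in the replies, where adapters inside one phase run in parallel against the same input message and the enrichment and threat intel phases run in series. The adapter functions, the output key `city_crime_level`, the `city` field name and the sample data are all constructed for illustration.

```python
from concurrent.futures import ThreadPoolExecutor

# Constructed sample data standing in for the geo database and the HBase table.
GEO_DB = {"10.0.0.5": {"country": "US", "city": "Springfield"}}
CRIME_TABLE = {"Springfield": "high"}

def geo_adapter(field):
    """Hypothetical geo adapter: adds enrichments.geo.<field>.* keys."""
    def run(msg):
        hit = GEO_DB.get(msg.get(field)) or {}
        return {f"enrichments.geo.{field}.{k}": v for k, v in hit.items()}
    return run

def lookup_adapter(field):
    """Hypothetical table lookup keyed on the value of <field>."""
    def run(msg):
        level = CRIME_TABLE.get(msg.get(field))
        return {"city_crime_level": level} if level else {}
    return run

def run_phase(msg, adapters):
    """Split/join: every adapter reads the same snapshot; outputs merge afterwards."""
    snapshot = dict(msg)
    with ThreadPoolExecutor() as pool:
        results = list(pool.map(lambda adapter: adapter(snapshot), adapters))
    merged = dict(msg)
    for result in results:
        merged.update(result)
    return merged

def run_topology(msg, enrichment, threat_intel):
    """Phases run in series: threat intel sees the joined enrichment output."""
    return run_phase(run_phase(msg, enrichment), threat_intel)

CITY = "enrichments.geo.destination_ip.city"   # assumed field name
MSG = {"destination_ip": "10.0.0.5"}           # constructed message

def same_phase():
    # Lookup configured next to geo: the city field does not exist yet.
    return run_topology(MSG, [geo_adapter("destination_ip"), lookup_adapter(CITY)], [])

def next_phase():
    # Lookup moved to the following phase: it reads the geo output.
    return run_topology(MSG, [geo_adapter("destination_ip")], [lookup_adapter(CITY)])

if __name__ == "__main__":
    print("same phase:", same_phase())
    print("next phase:", next_phase())
```

In the same-phase run the geo fields are present but the lookup returns nothing, which matches the symptom reported in the original question.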
