You could do something like this in your sensor enrichment config:

{
  "enrichment": {
    "fieldMap": {
      "stellar": {
        "config": {
          "src_geo": "GEO_GET(ip_src_addr)",
          "dst_geo": "GEO_GET(ip_dst_addr)"
        }
      }
    }
  }
}

You would then just need to update the Elasticsearch index template you're
using to include *_geo:<field_name> as part of the dynamic_templates
section so they are properly indexed. For example:

"dynamic_templates": [
  {
    "geo_location_point": {
      "match": "*_geo:location_point",
      "match_mapping_type": "*",
      "mapping": {
        "type": "geo_point"
      }
    }
  }
]

-Kyle
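The following is an added example, not code from this thread or from the Metron project. It walks the enrichment above end to end on a constructed event: it applies the two GEO_GET expressions, flattens the returned map into separate fields, renames the fields the way the Elasticsearch writer does, and checks which of the resulting names the dynamic template catches. It assumes (as the `*_geo:location_point` pattern implies) that a Stellar enrichment returning a map is flattened to `<field>.<key>` and that `.` becomes `:` on the way into Elasticsearch; `GEO_GET` is replaced by a stand-in table holding the one record Laurens pasted from the REPL rather than a MaxMind lookup, and only the `GEO_GET(<field>)` form of expression is understood.

```python
"""Added walk-through of the GEO_GET stellar enrichment (not Metron code).

Assumptions, each marked below: map results flatten to <field>.<key>,
the Elasticsearch writer rewrites '.' to ':', and GEO_GET is a stand-in.
"""
import fnmatch
import json
import re

# Kyle's sensor enrichment config from the reply above.
SENSOR_ENRICHMENT_CONFIG = json.loads("""
{ "enrichment": { "fieldMap": { "stellar": { "config": {
    "src_geo": "GEO_GET(ip_src_addr)",
    "dst_geo": "GEO_GET(ip_dst_addr)"
} } } } }
""")

# Kyle's dynamic template entry from the reply above.
DYNAMIC_TEMPLATES = [
    {"geo_location_point": {
        "match": "*_geo:location_point",
        "match_mapping_type": "*",
        "mapping": {"type": "geo_point"}}}
]

# Constructed stand-in for GEO_GET: the record Laurens pasted from the
# Stellar REPL.  Real GEO_GET queries MaxMind; here an unknown IP yields
# None, standing in for a Stellar expression that evaluates to null.
GEO_TABLE = {
    "1.2.3.4": {
        "country": "US", "dmaCode": 819, "city": "Mukilteo",
        "postalCode": 98275, "latitude": 47.913,
        "location_point": "47.913,-122.3042", "locID": 5804306,
        "longitude": -122.3042,
    }
}


def geo_get(ip):
    return GEO_TABLE.get(ip)


GEO_GET_CALL = re.compile(r"^GEO_GET\((\w+)\)$")  # only form handled here


def stellar_enrich(message, config):
    """Apply each 'stellar' enrichment to a copy of message.

    Assumed Metron behaviour: a map result is flattened to
    <enrichment_field>.<key>, a scalar is stored under the enrichment
    field name, and a null result adds nothing.
    """
    out = dict(message)
    stellar = config["enrichment"]["fieldMap"]["stellar"]["config"]
    for field, expr in stellar.items():
        m = GEO_GET_CALL.match(expr)
        if not m:
            raise ValueError("unsupported expression in this example: %s" % expr)
        value = geo_get(message.get(m.group(1)))
        if value is None:
            continue  # missing field or unknown IP: no enrichment fields
        if isinstance(value, dict):
            for k, v in value.items():
                out["%s.%s" % (field, k)] = v
        else:
            out[field] = value
    return out


def to_es_field_names(message):
    """Assumed Elasticsearch writer behaviour: '.' becomes ':' in field
    names, so src_geo.location_point is indexed as src_geo:location_point."""
    return {k.replace(".", ":"): v for k, v in message.items()}


def mapped_type(field_name, templates=DYNAMIC_TEMPLATES):
    """Mapping type the first matching dynamic template assigns, or None
    (Elasticsearch then falls back to its default dynamic mapping)."""
    for entry in templates:
        for _name, tmpl in entry.items():
            if fnmatch.fnmatchcase(field_name, tmpl["match"]):
                return tmpl["mapping"]["type"]
    return None


def geo_point_fields(message):
    """Indexed field names of message that the template maps as geo_point."""
    return sorted(k for k in to_es_field_names(message)
                  if mapped_type(k) == "geo_point")


if __name__ == "__main__":
    # Constructed event; ip_dst_addr is deliberately absent from the table.
    event = {"ip_src_addr": "1.2.3.4", "ip_dst_addr": "10.0.0.5",
             "source.type": "bro"}
    indexed = to_es_field_names(stellar_enrich(event, SENSOR_ENRICHMENT_CONFIG))
    for k in sorted(indexed):
        print("%-24s %-20s -> %s" % (k, indexed[k], mapped_type(k)))
```

Running it shows that only `src_geo:location_point` (and `dst_geo:location_point`, once a destination IP resolves) is typed `geo_point`; `src_geo:country`, `src_geo:latitude` and the rest fall through to dynamic mapping, so add further template entries if you want, say, `*_geo:latitude` stored as a number. The `location_point` value is a `"lat,lon"` string, which is one of the formats Elasticsearch accepts for a `geo_point` field.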

On Mon, Oct 16, 2017 at 12:14 PM, Laurens Vets <[email protected]> wrote:

> How would you go about getting all geo information with GEO_GET and
> putting it in separate fields? For instance, GEO_GET for "ip := '1.2.3.4'"
> returns:
>
> [Stellar]>>> GEO_GET(if IS_IP(ip) then ip else NULL)
> {country=US, dmaCode=819, city=Mukilteo, postalCode=98275,
> latitude=47.913, location_point=47.913,-122.3042, locID=5804306,
> longitude=-122.3042}
> [Stellar]>>>
>
> How can I map those values to new fields in my events? If that makes
> sense?
>
> On 2017-10-05 14:59, Justin Leet wrote:
>
> There is also a Stellar function for doing geo lookups.
> http://metron.apache.org/current-book/metron-stellar/stellar-common/index.html#GEO_GET
> It'll return a map of the fields when given an IP.
>
> On Thu, Oct 5, 2017 at 5:37 PM, Simon Elliston Ball <
> [email protected]> wrote:
>
>> And in case your install didn't pick up the latest geo database (or you
>> want to update it), the bottom of
>> http://metron.apache.org/current-book/metron-platform/metron-data-management/index.html
>> gives you the relevant info.
>>
>>
>> On 5 Oct 2017, at 22:36, Simon Elliston Ball <[email protected]>
>> wrote:
>>
>> http://metron.apache.org/current-book/metron-platform/metron-enrichment/index.html
>>
>> Shows you how to configure geo enrichment.
>>
>> Simon
>>
>> On 5 Oct 2017, at 22:33, Laurens Vets <[email protected]> wrote:
>>
>> What's the quickest way to enable geo enrichment on a source ip address
>> in 0.4.1-release? Is there a simple document somewhere with instructions?
>>
>>
