AbuseCH and enrichment on custom pipeline

ramiwashere · January 4, 2023, 3:19pm

Hi there,

I have a simple question about abuseCH integration and field enrichment of abuseCH to an other index.
When a create my enrich policy, I don't have an error:

PUT /_enrich/policy/abusechurl-enrich-policy
 {
  "match": {
    "indices": "logs-ti_abusech.url-*",
    "match_field": "threat.indicator.ip",
    "enrich_fields": ["threat.indicator.ip", "abusech.url.blacklists.spamhaus_dbl", "abusech.url.blacklists.surbl", "threat.indicator.provider", "abusech.url.tags"]
  }
}

Then, when I want to create my enrichmnent processor on the other custom pipeline , here is the error:

It looks like there is no index but the policy creation find the index.

Do anyone struggle on this steps and finally find the key ?
Thank you

ebeahan · January 5, 2023, 5:53pm

Have you executed the enrich policy before adding the enrichment process to the custom pipeline: Set up an enrich processor | Elasticsearch Guide [8.5] | Elastic?

ramiwashere · January 6, 2023, 1:29pm

Hello @ebeahan ,

Indeed, I didn't execute the policy.
It work now

Thank you

system · February 3, 2023, 1:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Enrich processor is sometimes not enriching Elasticsearch ingest-pipeline	2	386	January 13, 2023
Enrich processor debug statements Elasticsearch ingest-pipeline	2	527	June 10, 2021
Pipeline Enrichment with Geo-Points Elastic Search	1	133	July 17, 2024
Enrich processor missing some documents Elasticsearch ingest-pipeline	5	1304	February 27, 2022
Use Enrich policy and enrich pipeline processor to check secondary index and update a value Elasticsearch ingest-pipeline	2	573	March 22, 2021

AbuseCH and enrichment on custom pipeline

Related topics