Hi,
I'm running an 8.3.2 cluster, and I have an array containing some objects over which I'd like to iterate and enrich with the GeoIP processor, but am having limited success.
I have a foreach processor set up with a geoip processor inside it. The GeoIP processor receives the _ingest._value correctly, but I seemingly cannot add the looked-up information to the current object.
If I set the target_field to simply "geo", the information appears but in the root of the JSON structure, whereas I need it added on a per-iterated-object basis instead.
Is there something that I'm overlooking? Here's a snippet of the document I'm working with:
"answers": [
{
"recordTypeId": 1,
"domainName": "blah.com",
"rData": "123.123.123.1",
"class": 1,
"ttl": 60
}
],
and the processor:
[
{
"foreach": {
"field": "path.to.answers",
"processor": {
"geoip": {
"field": "_ingest._value.rData",
"target_field": "_ingest_value.geo",
"database_file": "GeoLite2-ASN.mmdb",
"properties": [
"asn",
"network"
],
"first_only": false,
"ignore_missing": false
}
}
}
}
]
Thanks in advance!