How does the new (7.14+) GeoIP Processor Work?


In 7.14+ Elasticsearch enabled the GeoIP downloader and made the DB reloadable. But I was wondering how does this actually work. Looking at the docs, it seems like all this process does now is download the DB file, read that DB file into an index, then use an abstracted enrich processor. Is this correct, or is this process different?

Hi @BenB196

Generally, your understanding is correct; the downloader etc. was created to meet the new license requirements for the MaxMind GeoLite2 database, which require that the DB is kept up to date. Also, it is a separate piece of code from the normal enrich processor, but in the broadest sense, yes, it is "enriching".


Thanks @stephenb, two follow-up questions.

  1. Does it have the same performance as a regular enrich processor, or is it more performant?
  2. It appears that most of the GeoIP stuff is roughly hard-coded to only really work with MaxMind stuff. Are there any plans to genericize this to support other downloadable files from other endpoints, as well as to support other fields?
    • The reason I ask this is because right now, if I want to load a file into Elasticsearch to be used as an enrich processor, I need to effectively do something like: Logstash/Filebeat -> Elasticsearch -> figure out some way to call the enrich update API. It'd be nice to have something more natively supported in Elasticsearch.

  1. Yes, I suspect it is as good as or better than regular Enrich.
  2. Not as far as I know, but please feel free to file a feature enhancement.
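The two paths discussed above, side by side, as an added example that is not part of the thread or of Elastic's own documentation: the built-in `geoip` processor, whose database the 7.14+ downloader keeps current, and the manual enrich-policy workflow for a custom lookup file (ship the file into an index, build a match policy over it, execute the policy, reference it from an `enrich` processor). Pipeline, policy and index names (`geoip-demo`, `asn-owner-demo`, `asn-lookup`) and the lookup fields are assumptions chosen for the example; the `_ingest/geoip/stats` call is the check an operator would run to confirm the downloader actually fetched the database before relying on the processor.

```console
# Confirm the GeoIP downloader has fetched the GeoLite2 databases (7.14+)
GET _ingest/geoip/stats

# Path 1: native geoip processor; the DB is reloaded automatically
PUT _ingest/pipeline/geoip-demo
{
  "processors": [
    {
      "geoip": {
        "field": "source.ip",
        "target_field": "source.geo",
        "ignore_missing": true
      }
    }
  ]
}

# Dry run on a constructed document (8.8.8.8 is a public resolver address)
POST _ingest/pipeline/geoip-demo/_simulate
{
  "docs": [ { "_source": { "source": { "ip": "8.8.8.8" } } } ]
}

# Path 2: manual enrich workflow for a custom lookup file
# Step 1 is done outside Elasticsearch: Filebeat/Logstash indexes the file
# into the (assumed) source index "asn-lookup" with fields asn, owner, abuse_contact.

# Step 2: match policy over the lookup index
PUT _enrich/policy/asn-owner-demo
{
  "match": {
    "indices": "asn-lookup",
    "match_field": "asn",
    "enrich_fields": [ "owner", "abuse_contact" ]
  }
}

# Step 3: build the enrich index. Unlike the geoip DB this is NOT reloaded
# automatically; re-run _execute every time the source file changes.
POST _enrich/policy/asn-owner-demo/_execute

# Step 4: reference the policy from an enrich processor
PUT _ingest/pipeline/asn-demo
{
  "processors": [
    {
      "enrich": {
        "policy_name": "asn-owner-demo",
        "field": "source.as.number",
        "target_field": "source.as.enriched",
        "ignore_missing": true
      }
    }
  ]
}
```

The operational difference is step 3: the `geoip` processor picks up new database files on its own, while an enrich policy serves a snapshot of the source index taken at the last `_execute`, so stale lookups after a file update are a policy-execution problem, not a pipeline problem.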

Thanks for the information on this @stephenb
