How does the new (7.14+) GeoIP Processor Work?

BenB196 · November 23, 2021, 2:09pm

Hi,

In 7.14+ Elasticsearch enabled the GeoIP downloader and made the DB reloadable. But I was wondering how does this actually work. Looking at the docs, it seems like all this process does now is download the DB file, read that DB file into an index, then use an abstracted enrich processor. Is this correct, or is this process different?

stephenb · November 23, 2021, 3:45pm

Hi @BenB196

Generally your understanding is correct, the downloader etc was created to meet the new license requirements for MaxMind GeoLite2 database which requires that the DB is kept up to date. Also it is a separate piece of code than the normal enrich processor but in the broadest sense yes it is "enriching".

BenB196 · November 23, 2021, 4:37pm

Thanks @stephenb, two follow-up questions.

Does it have the same performance as a regular enrich processor, or is it more performant?
It appears that most of the GeoIP stuff is roughly hard-coded to only really work with MaxMind stuff. Are there any plans to genericize this to support other downloadable files from other endpoints, as well as support other fields?
- The reason I ask this is because right now, if I want to load a file into Elasticsearch to be used as in enrich processor, I need to effectively do something like: Logstash/Filebeat -> Elasticsearch -> Figure out some way to call enrich update API. It'd be nice to have something more natively supported in Elasticsearch.

stephenb · November 23, 2021, 4:47pm

Yes I suspect it has as good or better than regular Enrich.

Not as far as I know, but please feel free to file a feature enhancement.

BenB196 · November 23, 2021, 6:00pm

Thanks for the information on this @stephenb

system · December 21, 2021, 6:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.