I have ELK parsing our firewall logs. Everything is working, and we are saving a ton of $$$ as we don't have to pay Splunk to index the 6-8 GB a day.
Now I want more, and to add the Blueliv threat feed to "enrich" my log data in order to create dashboards that will show any connections from my network, i.e. data from my logs containing IP addresses that match data in the Blueliv feed containing malicious IPs.
I know there is an issue with syncing that I have to watch out for, as the Blueliv feed is on an hourly update and my firewall log data is being streamed continuously. To get around this I will set the viz to update on an hourly rate.
How would I merge these two essentially separate datasets/indexes? Is that even possible in ES, or is this something I have to address in Logstash?
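One way to do the join in Logstash, as an added example (not from the original post, and not Blueliv's or Elastic's own code): the `translate` filter looks each event's IP up in a local dictionary file and re-reads that file on a timer, so the hourly feed cadence is handled at ingest rather than in the visualization. Assumptions: a separate job (not shown) downloads the hourly feed and writes it as `/etc/logstash/threat/blueliv.yml` in the form `"203.0.113.10": "c2"`, the firewall events already carry `[source][ip]` and `[destination][ip]`, and the Beats input and Elasticsearch output are placeholders for your existing ones.

```logstash
# Added example, not from the original post. Assumed paths and field names
# are placeholders; adapt them to the existing pipeline.
input {
  beats { port => 5044 }
}

filter {
  # Look up the source IP in the feed dictionary. The file is re-read every
  # 3600 s, so a newly published indicator is applied to new events within
  # an hour without restarting Logstash.
  translate {
    source           => "[source][ip]"
    target           => "[threat][source_category]"
    dictionary_path  => "/etc/logstash/threat/blueliv.yml"
    refresh_interval => 3600
    exact            => true
    # No fallback: the target field is simply absent when the IP is not in the feed.
  }

  # Same lookup for the destination IP (outbound connections to a listed host).
  translate {
    source           => "[destination][ip]"
    target           => "[threat][destination_category]"
    dictionary_path  => "/etc/logstash/threat/blueliv.yml"
    refresh_interval => 3600
    exact            => true
  }

  # A single tag makes the dashboard filter trivial: tags:threat_match
  if [threat][source_category] or [threat][destination_category] {
    mutate { add_tag => ["threat_match"] }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "firewall-%{+YYYY.MM.dd}"
  }
}
```

Two things to keep in mind with this approach. Enrichment happens at ingest time, so an event indexed before an IP appeared in the feed is never re-tagged; if you need that, periodically run a second query that matches the feed against the already indexed data. The alternative inside Elasticsearch itself is to index the feed into its own index, define an enrich policy on it, execute the policy on the same hourly schedule, and use an `enrich` processor in an ingest pipeline; that avoids the dictionary file but still enriches only at ingest.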