[Suggestion] Runtime fields and enriching

Elastic Stack Elasticsearch
1

Hey,

I've been playing around with runtime fields, and the feature is looking promising.

Something that's not possible right now, but I think would be very helpful:
The ability to use enrich policies with runtime fields. For example, I have an enrich policy that translates IPs to internal subnet names. It would be great to be able to apply this ad-hoc to any index that has internal IPs, using runtime fields.

This would come close to run-time joining of data using native Elasticsearch features, and would bring more feature parity with query languages like Splunks SPL or Microsofts Kusto.

Maybe more generically, the runtime fields feature could be extended to support applying any ingest processor at runtime, without having to reindex?

1 Like
2

Thanks heaps for trying the feature out, and doubly so for providing the feedback!

I will pass this on, but I would also encourage you to create a GitHub issue with this, as that's more likely to get comments from the Product and Eng teams :slight_smile:

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.