Description
I've had a quick search through the issues and couldn't find anything related, and I'm not sure if this is a feature request or a bug.
I have just noticed that when using the GeoIP filter with the GeoLite2-ASN.mmdb look-up, the returned values are in the structure
This doesn't match the Elastic Common Schema for Autonomous System Fields.
This doesn't seem to impact geo City/Country databases, and it's not clear that this is something that happens in the GeoIP processor documentation. I haven't closely reviewed this, but visually it seems to be the case.
I assume the processor just returns the results from the lookup DB and doesn't touch the structure.
I've now arrived in the state that in our indices we have the ECS AS fields, which are empty, and the fields returned by the ASN DB in fields not described by the ECS component templates. Obviously, this is my own fault for not validating this initially, but I feel like we should make it easy for users to conform to the Elastic Common Schema given the benefits.
I propose this should be addressed in one of the following ways:
Add a setting in the GeoIP to store fields in the ECS structure (non-default, non-breaking, but requires clarity in documentation)
Return the ASN payload in ECS structure (breaking existing pipelines, undesirable but correct for ECS users)
Make it clear in the GeoIP processor documentation that the ASN payload is not in the Elastic Common Schema (better than no action). Offer example rename processors to put the values in the ECS structure.
Adjust ECS to use the structure in the GeoLite2 DB (undesirable, goes against the idea of ECS being additive)
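As an added illustration of the rename-processor approach from the third option (not part of the original issue or of Elastic's own documentation), the body of a `PUT _ingest/pipeline/geoip-asn-ecs` request that runs the ASN lookup and then moves the results into ECS `source.as.*` fields. The raw field names `asn` and `organization_name`, the `geoip_asn` target field and the `source.ip` input are assumptions about the processor's output, not something the issue states.

```json
{
  "description": "GeoLite2-ASN lookup, results moved into ECS source.as.* (assumed raw field names)",
  "processors": [
    {
      "geoip": {
        "field": "source.ip",
        "target_field": "geoip_asn",
        "database_file": "GeoLite2-ASN.mmdb",
        "ignore_missing": true
      }
    },
    {
      "rename": {
        "field": "geoip_asn.asn",
        "target_field": "source.as.number",
        "ignore_missing": true
      }
    },
    {
      "rename": {
        "field": "geoip_asn.organization_name",
        "target_field": "source.as.organization.name",
        "ignore_missing": true
      }
    },
    {
      "remove": {
        "field": "geoip_asn",
        "ignore_missing": true
      }
    }
  ]
}
```

Before attaching it to an index, check the resulting document shape with `POST _ingest/pipeline/geoip-asn-ecs/_simulate` on a sample event, since the exact raw field names depend on the processor version in use.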