Enrich processor
The Enrich processor adds data from an existing enrich policy to incoming documents during processing. Use it to look up and append supplemental data, such as geographic coordinates from an IP address or account details from a user ID, without modifying the original source.
Before using the enrich processor, you must have at least one enrich policy configured in Elasticsearch. Refer to Enrich your data for setup instructions.
To enrich documents:
- Select Create → Create processor.
- Select Enrich from the Processor menu.
- Select an Enrich policy from the list of available policies.
- Set Target field to the field where the enriched data is stored.
This functionality uses the Elasticsearch Enrich processor internally, but you configure it in Streamlang. Streamlang doesn't always have 1:1 parity with the ingest processor options and behavior. Refer to Processor limitations and inconsistencies.
In YAML mode, configure the enrich processor using the following parameters. For the complete Streamlang syntax, refer to the Streamlang reference.
| Parameter | Type | Required | Description |
|---|---|---|---|
| `policy_name` | string | Yes | The name of the enrich policy to use. |
| `to` | string | Yes | Target field for the enriched data. |
| `override` | boolean | No | When `true`, overwrite pre-existing non-null field values. Defaults to `true`. |
| `ignore_missing` | boolean | No | When `true`, skip this processor if the source field is missing. |
```yaml
- action: enrich
  policy_name: ip_location
  to: attributes.geo
  override: true
```
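
The `ip_location` policy named above must exist and be executed in Elasticsearch before the processor can use it. As an added illustration (not part of the original page), the following Console requests create and execute a range-type policy with that name; the `ip-ranges` index, its field names, and the sample row are assumptions constructed for this example.

```console
# Constructed source index: one document per network range (names are assumptions).
PUT /ip-ranges
{
  "mappings": {
    "properties": {
      "range":            { "type": "ip_range" },
      "country_iso_code": { "type": "keyword" },
      "city_name":        { "type": "keyword" },
      "location":         { "type": "geo_point" }
    }
  }
}

# Constructed sample row, using a documentation-reserved network.
PUT /ip-ranges/_doc/1?refresh=wait_for
{
  "range": "203.0.113.0/24",
  "country_iso_code": "NL",
  "city_name": "Amsterdam",
  "location": { "lat": 52.37, "lon": 4.89 }
}

# Range-type enrich policy: matches an incoming IP address against the ip_range field
# and copies the listed enrich_fields into the processor's target field.
PUT /_enrich/policy/ip_location
{
  "range": {
    "indices": "ip-ranges",
    "match_field": "range",
    "enrich_fields": ["country_iso_code", "city_name", "location"]
  }
}

# Build the enrich index; the policy cannot be used by a processor until this has run.
POST /_enrich/policy/ip_location/_execute
```

The enrich index is a snapshot of the source index taken at execution time, so run the execute request again whenever the source data changes.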