You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It was suggested awhile back that we move that topic to libbeat, make it more generic, and include the topic in the docs for all beats. When I started thinking about where it would make sense to include the topic, though, I realized that our modules (with the pre-built ingest pipelines) take care of a lot of the places where users want to include geoip info. I'm concerned that adding the topic to the docs for all the Beats might actually confuse, rather than help, our users.
Why?
If we make the content more generic so that it works for all Beats, it's going to be less specific for Packetbeat users who do need to define a pipeline to populate the map in the Packetbeat overview dashboard. Right now, we document the exact fields that users need to populate, and those fields won't make sense for other Beats. I can add conditionals to provide different info for Packetbeat, but as we know, that makes the source harder to maintain. Striking this out because I made the changes in Make geoip steps generic and move to libbeat #10947 and don't think this is actually a problem
If we add the content to all the Beats, novice users who are using modules might be confused by the topic and think they need to define the ingest pipeline.
We will need to document how to add the new field to the index template so that it gets indexed as a geo_point. I think that's still somewhat of an advanced task (not sure we want users modifying the template unless they have to). We probably should document how to do that, but the last time I asked around, there was a feeling that we don't want users modifying the index template because they can break dashboards. TBH, I don't know if that's still true.
The text was updated successfully, but these errors were encountered:
Note that I've started a PR to show what the changes will look like. I haven't added the content to the docs for all the Beats, though, because I want to make sure we want to do this before I move forward.
Right now the topic about exporting GeoIP info lives in the Packetbeat docs only: https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-geoip.html
It was suggested awhile back that we move that topic to libbeat, make it more generic, and include the topic in the docs for all beats. When I started thinking about where it would make sense to include the topic, though, I realized that our modules (with the pre-built ingest pipelines) take care of a lot of the places where users want to include geoip info. I'm concerned that adding the topic to the docs for all the Beats might actually confuse, rather than help, our users.
Why?
If we make the content more generic so that it works for all Beats, it's going to be less specific for Packetbeat users who do need to define a pipeline to populate the map in the Packetbeat overview dashboard. Right now, we document the exact fields that users need to populate, and those fields won't make sense for other Beats. I can add conditionals to provide different info for Packetbeat, but as we know, that makes the source harder to maintain.Striking this out because I made the changes in Make geoip steps generic and move to libbeat #10947 and don't think this is actually a problemThe text was updated successfully, but these errors were encountered: