Configure Organization Enrichment By Using CLI

As an alternative to using the CCP Management user interface to map fields to HBase enrichment, you can use the CLI.

  1. Edit the new data source enrichment configuration at $METRON_HOME/config/zookeeper/enrichments/$DATASOURCE to associate the ip_src_addr with the user enrichment:
      "index" : "squid",
      "batchSize" : 1,
      "enrichment" : {
        "fieldMap" : {
          "hbaseEnrichment" : [ "ip_src_addr" ]
        "fieldToTypeMap" : {
          "ip_src_addr" : [ "whois" ]
        "config" : { }
      "threatIntel" : {
        "fieldMap" : { },
        "fieldToTypeMap" : { },
        "config" : { },
        "triageConfig" : {
          "riskLevelRules" : { },
          "aggregator" : "MAX",
          "aggregationConfig" : { }
      "configuration" : { }
  2. Push this configuration to ZooKeeper:
    $METRON_HOME/bin/ -m PUSH -z $ZOOKEEPER_HOST:2181 -i $METRON_HOME/zookeeper

After you finish enriching telemetry events, you should ensure that the enriched data is displaying on the Metron dashboard.