graphaelli/setup.txt

## setup.txt
DELETE block_ip
PUT block_ip
{
  "mappings": {
    "properties": {
      "source": {
        "properties": {
          "ip": {
            "type": "ip"
          }
        }
      },
      "drop": {
        "type": "boolean"
      }
    }
  }
}
POST block_ip/_doc/172.18.0.8
{
  "source": {"ip": "172.18.0.8"},
  "drop": true
}

PUT /_enrich/policy/block-ip-policy
{
    "match": {
        "indices": "block_ip",
        "match_field": "source.ip",
        "enrich_fields": ["drop"]
    }
}
POST /_enrich/policy/block-ip-policy/_execute

## test
POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "processors": [
      {
        "enrich": {
          "policy_name": "block-ip-policy",
          "field": "source.ip",
          "target_field": "_action"
        }
      },
      {
        "drop": {
          "if": "ctx._action != null && ctx._action.drop"
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "source": {
          "ip": "172.18.0.8"
        }
      }
    }
  ]
}
	DELETE block_ip
	PUT block_ip
	{
	"mappings": {
	"properties": {
	"source": {
	"properties": {
	"ip": {
	"type": "ip"
	}
	}
	},
	"drop": {
	"type": "boolean"
	}
	}
	}
	}
	POST block_ip/_doc/172.18.0.8
	{
	"source": {"ip": "172.18.0.8"},
	"drop": true
	}

	PUT /_enrich/policy/block-ip-policy
	{
	"match": {
	"indices": "block_ip",
	"match_field": "source.ip",
	"enrich_fields": ["drop"]
	}
	}
	POST /_enrich/policy/block-ip-policy/_execute
	POST _ingest/pipeline/_simulate
	{
	"pipeline": {
	"processors": [
	{
	"enrich": {
	"policy_name": "block-ip-policy",
	"field": "source.ip",
	"target_field": "_action"
	}
	},
	{
	"drop": {
	"if": "ctx._action != null && ctx._action.drop"
	}
	}
	]
	},
	"docs": [
	{
	"_source": {
	"source": {
	"ip": "172.18.0.8"
	}
	}
	}
	]
	}