Verify That the Events Are Enriched
After you finish enriching your new data source, you should verify that the output matches your enrichment information.
By convention, the index where the new messages are indexed is called squid_index_[timestamp] and the document type is squid_doc.
Use the Elasticsearch Head plug-in to verify that the messages display your enrichment information:
Log in to $SEARCH_HOST host:
ssh into Host $SEARCH_HOST
Install the head plug-in: *** Is this necessary the second time? ***
/usr/share/elasticsearch/bin/plugin install mobz/elasticsearch-head/1.x
Navigate to ElasticSearch Head UI:
http://$SEARCH_HOST:9200/_plugin/head/.Click the Browser tab and select the squid document in the left panel; then select one of the sample docs.
You should see something like the following:
Review the output to ensure it reflects the enrichment functions you used.
