feat(enrichment tables): add network CIDR field to lookup results (#24576)

* feat(geoip enrichment table): add network CIDR field to lookup results (#24411)

* chore: add changelog fragment for #24411

* docs(geoip enrichment table): add network and Anonymous-IP fields to ENRICHMENT_TABLE_EXPLAINER (#24411)

---------

Co-authored-by: Pavlos Rontidis <pavlos.rontidis@gmail.com>

Author: naa0yama

changelog.d/24411_geoip_network_field.enhancement.md

@@ -0,0 +1,3 @@
+The `geoip` enrichment table now includes a `network` field containing the CIDR network associated with the lookup result, available for all database types (City, ISP/ASN, Connection-Type, Anonymous-IP).
+
+authors: naa0yama

docs/generated/find_enrichment_table_records.json

@@ -2,7 +2,7 @@
   "anchor": "find_enrichment_table_records",
   "name": "find_enrichment_table_records",
   "category": "Enrichment",
-  "description": "Searches an [enrichment table](/docs/reference/glossary/#enrichment-tables) for rows that match the provided condition.\n\nFor `file` enrichment tables, this condition needs to be a VRL object in which\nthe key-value pairs indicate a field to search mapped to a value to search in that field.\nThis function returns the rows that match the provided condition(s). _All_ fields need to\nmatch for rows to be returned; if any fields do not match, then no rows are returned.\n\nThere are three forms of search criteria:\n\n1. **Exact match search**. The given field must match the value exactly. Case sensitivity\n   can be specified using the `case_sensitive` argument. An exact match search can use an\n   index directly into the dataset, which should make this search fairly \"cheap\" from a\n   performance perspective.\n\n2. **Wildcard match search**. The given fields specified by the exact match search may also\n    be matched exactly to the value provided to the `wildcard` parameter.\n    A wildcard match search can also use an index directly into the dataset.\n\n3. **Date range search**. The given field must be greater than or equal to the `from` date\n   and/or less than or equal to the `to` date. A date range search involves\n   sequentially scanning through the rows that have been located using any exact match\n   criteria. This can be an expensive operation if there are many rows returned by any exact\n   match criteria. Therefore, use date ranges as the _only_ criteria when the enrichment\n   data set is very small.\n\nFor `geoip` and `mmdb` enrichment tables, this condition needs to be a VRL object with a single key-value pair\nwhose value needs to be a valid IP address. Example: `{\"ip\": .ip }`. If a return field is expected\nand without a value, `null` is used. This table can return the following fields:\n\n* ISP databases:\n    * `autonomous_system_number`\n    * `autonomous_system_organization`\n    * `isp`\n    * `organization`\n\n* City databases:\n    * `city_name`\n    * `continent_code`\n    * `country_code`\n    * `country_name`\n    * `region_code`\n    * `region_name`\n    * `metro_code`\n    * `latitude`\n    * `longitude`\n    * `postal_code`\n    * `timezone`\n\n* Connection-Type databases:\n    * `connection_type`\n\nTo use this function, you need to update your configuration to\ninclude an\n[`enrichment_tables`](/docs/reference/configuration/global-options/#enrichment_tables)\nparameter.",
+  "description": "Searches an [enrichment table](/docs/reference/glossary/#enrichment-tables) for rows that match the provided condition.\n\nFor `file` enrichment tables, this condition needs to be a VRL object in which\nthe key-value pairs indicate a field to search mapped to a value to search in that field.\nThis function returns the rows that match the provided condition(s). _All_ fields need to\nmatch for rows to be returned; if any fields do not match, then no rows are returned.\n\nThere are three forms of search criteria:\n\n1. **Exact match search**. The given field must match the value exactly. Case sensitivity\n   can be specified using the `case_sensitive` argument. An exact match search can use an\n   index directly into the dataset, which should make this search fairly \"cheap\" from a\n   performance perspective.\n\n2. **Wildcard match search**. The given fields specified by the exact match search may also\n    be matched exactly to the value provided to the `wildcard` parameter.\n    A wildcard match search can also use an index directly into the dataset.\n\n3. **Date range search**. The given field must be greater than or equal to the `from` date\n   and/or less than or equal to the `to` date. A date range search involves\n   sequentially scanning through the rows that have been located using any exact match\n   criteria. This can be an expensive operation if there are many rows returned by any exact\n   match criteria. Therefore, use date ranges as the _only_ criteria when the enrichment\n   data set is very small.\n\nFor `geoip` and `mmdb` enrichment tables, this condition needs to be a VRL object with a single key-value pair\nwhose value needs to be a valid IP address. Example: `{\"ip\": .ip }`. If a return field is expected\nand without a value, `null` is used. This table can return the following fields:\n\n* ISP databases:\n    * `autonomous_system_number`\n    * `autonomous_system_organization`\n    * `isp`\n    * `organization`\n    * `network`\n\n* City databases:\n    * `city_name`\n    * `continent_code`\n    * `country_code`\n    * `country_name`\n    * `region_code`\n    * `region_name`\n    * `metro_code`\n    * `latitude`\n    * `longitude`\n    * `postal_code`\n    * `timezone`\n    * `network`\n\n* Connection-Type databases:\n    * `connection_type`\n    * `network`\n\n* Anonymous-IP databases:\n    * `is_anonymous`\n    * `is_anonymous_vpn`\n    * `is_hosting_provider`\n    * `is_public_proxy`\n    * `is_residential_proxy`\n    * `is_tor_exit_node`\n    * `network`\n\nTo use this function, you need to update your configuration to\ninclude an\n[`enrichment_tables`](/docs/reference/configuration/global-options/#enrichment_tables)\nparameter.",
   "arguments": [
     {
       "name": "table",

docs/generated/get_enrichment_table_record.json

@@ -2,7 +2,7 @@
   "anchor": "get_enrichment_table_record",
   "name": "get_enrichment_table_record",
   "category": "Enrichment",
-  "description": "Searches an [enrichment table](/docs/reference/glossary/#enrichment-tables) for a row that matches the provided condition. A single row must be matched. If no rows are found or more than one row is found, an error is returned.\n\nFor `file` enrichment tables, this condition needs to be a VRL object in which\nthe key-value pairs indicate a field to search mapped to a value to search in that field.\nThis function returns the rows that match the provided condition(s). _All_ fields need to\nmatch for rows to be returned; if any fields do not match, then no rows are returned.\n\nThere are three forms of search criteria:\n\n1. **Exact match search**. The given field must match the value exactly. Case sensitivity\n   can be specified using the `case_sensitive` argument. An exact match search can use an\n   index directly into the dataset, which should make this search fairly \"cheap\" from a\n   performance perspective.\n\n2. **Wildcard match search**. The given fields specified by the exact match search may also\n    be matched exactly to the value provided to the `wildcard` parameter.\n    A wildcard match search can also use an index directly into the dataset.\n\n3. **Date range search**. The given field must be greater than or equal to the `from` date\n   and/or less than or equal to the `to` date. A date range search involves\n   sequentially scanning through the rows that have been located using any exact match\n   criteria. This can be an expensive operation if there are many rows returned by any exact\n   match criteria. Therefore, use date ranges as the _only_ criteria when the enrichment\n   data set is very small.\n\nFor `geoip` and `mmdb` enrichment tables, this condition needs to be a VRL object with a single key-value pair\nwhose value needs to be a valid IP address. Example: `{\"ip\": .ip }`. If a return field is expected\nand without a value, `null` is used. This table can return the following fields:\n\n* ISP databases:\n    * `autonomous_system_number`\n    * `autonomous_system_organization`\n    * `isp`\n    * `organization`\n\n* City databases:\n    * `city_name`\n    * `continent_code`\n    * `country_code`\n    * `country_name`\n    * `region_code`\n    * `region_name`\n    * `metro_code`\n    * `latitude`\n    * `longitude`\n    * `postal_code`\n    * `timezone`\n\n* Connection-Type databases:\n    * `connection_type`\n\nTo use this function, you need to update your configuration to\ninclude an\n[`enrichment_tables`](/docs/reference/configuration/global-options/#enrichment_tables)\nparameter.",
+  "description": "Searches an [enrichment table](/docs/reference/glossary/#enrichment-tables) for a row that matches the provided condition. A single row must be matched. If no rows are found or more than one row is found, an error is returned.\n\nFor `file` enrichment tables, this condition needs to be a VRL object in which\nthe key-value pairs indicate a field to search mapped to a value to search in that field.\nThis function returns the rows that match the provided condition(s). _All_ fields need to\nmatch for rows to be returned; if any fields do not match, then no rows are returned.\n\nThere are three forms of search criteria:\n\n1. **Exact match search**. The given field must match the value exactly. Case sensitivity\n   can be specified using the `case_sensitive` argument. An exact match search can use an\n   index directly into the dataset, which should make this search fairly \"cheap\" from a\n   performance perspective.\n\n2. **Wildcard match search**. The given fields specified by the exact match search may also\n    be matched exactly to the value provided to the `wildcard` parameter.\n    A wildcard match search can also use an index directly into the dataset.\n\n3. **Date range search**. The given field must be greater than or equal to the `from` date\n   and/or less than or equal to the `to` date. A date range search involves\n   sequentially scanning through the rows that have been located using any exact match\n   criteria. This can be an expensive operation if there are many rows returned by any exact\n   match criteria. Therefore, use date ranges as the _only_ criteria when the enrichment\n   data set is very small.\n\nFor `geoip` and `mmdb` enrichment tables, this condition needs to be a VRL object with a single key-value pair\nwhose value needs to be a valid IP address. Example: `{\"ip\": .ip }`. If a return field is expected\nand without a value, `null` is used. This table can return the following fields:\n\n* ISP databases:\n    * `autonomous_system_number`\n    * `autonomous_system_organization`\n    * `isp`\n    * `organization`\n    * `network`\n\n* City databases:\n    * `city_name`\n    * `continent_code`\n    * `country_code`\n    * `country_name`\n    * `region_code`\n    * `region_name`\n    * `metro_code`\n    * `latitude`\n    * `longitude`\n    * `postal_code`\n    * `timezone`\n    * `network`\n\n* Connection-Type databases:\n    * `connection_type`\n    * `network`\n\n* Anonymous-IP databases:\n    * `is_anonymous`\n    * `is_anonymous_vpn`\n    * `is_hosting_provider`\n    * `is_public_proxy`\n    * `is_residential_proxy`\n    * `is_tor_exit_node`\n    * `network`\n\nTo use this function, you need to update your configuration to\ninclude an\n[`enrichment_tables`](/docs/reference/configuration/global-options/#enrichment_tables)\nparameter.",
   "arguments": [
     {
       "name": "table",

lib/vector-vrl/enrichment/src/lib.rs

@@ -185,6 +185,7 @@ pub(crate) const ENRICHMENT_TABLE_EXPLAINER: &str = indoc! {r#"
         * `autonomous_system_organization`
         * `isp`
         * `organization`
+        * `network`
 
     * City databases:
         * `city_name`
@@ -198,9 +199,20 @@ pub(crate) const ENRICHMENT_TABLE_EXPLAINER: &str = indoc! {r#"
         * `longitude`
         * `postal_code`
         * `timezone`
+        * `network`
 
     * Connection-Type databases:
         * `connection_type`
+        * `network`
+
+    * Anonymous-IP databases:
+        * `is_anonymous`
+        * `is_anonymous_vpn`
+        * `is_hosting_provider`
+        * `is_public_proxy`
+        * `is_residential_proxy`
+        * `is_tor_exit_node`
+        * `network`
 
     To use this function, you need to update your configuration to
     include an

src/enrichment_tables/geoip.rs

@@ -118,9 +118,15 @@ pub struct Geoip {
 fn lookup_value<'de, A: Deserialize<'de>>(
     dbreader: &'de Reader<Vec<u8>>,
     address: IpAddr,
-) -> crate::Result<Option<A>> {
+) -> crate::Result<Option<(A, String)>> {
     let result = dbreader.lookup(address)?;
-    Ok(result.decode::<A>()?)
+    match result.decode::<A>()? {
+        Some(data) => {
+            let network = result.network()?.to_string();
+            Ok(Some((data, network)))
+        }
+        None => Ok(None),
+    }
 }
 
 impl Geoip {
@@ -174,7 +180,7 @@ impl Geoip {
 
         match self.dbkind {
             DatabaseKind::Asn | DatabaseKind::Isp => {
-                let data = lookup_value::<Isp>(&self.dbreader, ip).ok()??;
+                let (data, network) = lookup_value::<Isp>(&self.dbreader, ip).ok()??;
 
                 add_field!("autonomous_system_number", data.autonomous_system_number);
                 add_field!(
@@ -183,9 +189,11 @@ impl Geoip {
                 );
                 add_field!("isp", data.isp);
                 add_field!("organization", data.organization);
+                add_field!("network", Some(network));
             }
             DatabaseKind::City => {
-                let data: City = lookup_value::<City>(&self.dbreader, ip).ok()??;
+                let (data, network): (City, String) =
+                    lookup_value::<City>(&self.dbreader, ip).ok()??;
 
                 add_field!("city_name", self.take_translation(&data.city.names));
 
@@ -223,21 +231,24 @@ impl Geoip {
                     subdivision.and_then(|subdivision| subdivision.iso_code)
                 );
                 add_field!("postal_code", data.postal.code);
+                add_field!("network", Some(network));
             }
             DatabaseKind::ConnectionType => {
-                let data = lookup_value::<ConnectionType>(&self.dbreader, ip).ok()??;
+                let (data, network) = lookup_value::<ConnectionType>(&self.dbreader, ip).ok()??;
 
                 add_field!("connection_type", data.connection_type);
+                add_field!("network", Some(network));
             }
             DatabaseKind::AnonymousIp => {
-                let data = lookup_value::<AnonymousIp>(&self.dbreader, ip).ok()??;
+                let (data, network) = lookup_value::<AnonymousIp>(&self.dbreader, ip).ok()??;
 
                 add_field!("is_anonymous", data.is_anonymous);
                 add_field!("is_anonymous_vpn", data.is_anonymous_vpn);
                 add_field!("is_hosting_provider", data.is_hosting_provider);
                 add_field!("is_public_proxy", data.is_public_proxy);
                 add_field!("is_residential_proxy", data.is_residential_proxy);
                 add_field!("is_tor_exit_node", data.is_tor_exit_node);
+                add_field!("network", Some(network));
             }
         }
 
@@ -367,6 +378,7 @@ mod tests {
         expected.insert("longitude".into(), Value::from(-1.25));
         expected.insert("postal_code".into(), "OX1".into());
         expected.insert("metro_code".into(), Value::Null);
+        expected.insert("network".into(), "2.125.160.216/29".into());
 
         assert_eq!(values, expected);
     }
@@ -403,6 +415,7 @@ mod tests {
         expected.insert("longitude".into(), Value::from(90.5));
         expected.insert("postal_code".into(), Value::Null);
         expected.insert("metro_code".into(), Value::Null);
+        expected.insert("network".into(), "67.43.156.0/24".into());
 
         assert_eq!(values, expected);
     }
@@ -426,6 +439,7 @@ mod tests {
         );
         expected.insert("isp".into(), "Verizon Business".into());
         expected.insert("organization".into(), "Verizon Business".into());
+        expected.insert("network".into(), "208.192.0.0/10".into());
 
         assert_eq!(values, expected);
     }
@@ -442,6 +456,7 @@ mod tests {
         );
         expected.insert("isp".into(), Value::Null);
         expected.insert("organization".into(), Value::Null);
+        expected.insert("network".into(), "2600:7000::/24".into());
 
         assert_eq!(values, expected);
     }
@@ -463,6 +478,7 @@ mod tests {
 
         let mut expected = ObjectMap::new();
         expected.insert("connection_type".into(), "Corporate".into());
+        expected.insert("network".into(), "201.243.200.0/24".into());
 
         assert_eq!(values, expected);
     }
@@ -494,6 +510,7 @@ mod tests {
         expected.insert("is_tor_exit_node".into(), true.into());
         expected.insert("is_public_proxy".into(), Value::Null);
         expected.insert("is_residential_proxy".into(), Value::Null);
+        expected.insert("network".into(), "101.99.92.179/32".into());
 
         assert_eq!(values, expected);
     }