So, this is our use case:
We have a ingest proccess where we load around 1000 elements daily into an ES index. One of the fields of that index is the city name, but we would like to elaborate some maps with elements by city and we don't have geolocation of those cities.
Usually our data cities are going to be from a very limited collection BUT (and this is a big but) we can get from time to time new cities from totally unexpected places. So we don't need exactly an index with every city in the world and it's geolocation (as you can get from geonames) but we will surely have to check from time to time the geolocation of several cities.
Put this, my approach is the following: I'd like to add into our logstash ETL proccess a query that looks for the city in an ES index, if the city is there, it could get it's geolocation from this city index, if not, I want to query geonames API looking for the geolocation of the city, and store it in our ES city index. This way we'll only have to query the API from time to time with new cities, and once a city is ingested into our cities index we don't have to query for it again.
Is this a good approach for ELK? Or there is a better approach I'm not seeing? Keep in mind that I'm pretty newbie in ELK stack.