Type Error: dns.id and dns.answers.ttl #76

Open
jamesagarside opened this issue Jan 4, 2024 · 1 comment

Comments

@jamesagarside

The current DNS pipeline doesn't convert dns.answers.ttl, which is copied from the Corelight field TTLs, to the correct type. It seems Corelight sends it as an array; however, the expected Elastic mapping is a long. https://www.elastic.co/guide/en/ecs/current/ecs-dns.html#field-dns-answers-ttl

dns.id is indexed as a keyword and therefore should be converted to a string.

@neu5ron
Collaborator

neu5ron commented Jan 16, 2024

arrays in elasticsearch have no impact on the type. so an array of integers set to a field with an integer type, is a valid integer type. an array of IPs set to a field with an ip type, is a valid ip type. and so on. since the mapping for dns.answers.ttl is already set then no explicit conversions are necessary.

converting to string before storing as keyword is also not necessary if the type is already defined. in this case dns.id is already set as keyword, so if sending 1 or "1" they both get treated and stored as a string.

let me know if this helps or not. thanks
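
The mapping behaviour discussed in this thread can be checked on a scratch index from Kibana Dev Tools. This is an added example, not part of the issue or of the project's pipeline; the index name `corelight-dns-demo` and the document values are constructed, and only the two fields named in the issue are mapped.

```console
# Constructed scratch index: dns.id as keyword, dns.answers.ttl as long.
PUT corelight-dns-demo
{
  "mappings": {
    "properties": {
      "dns": {
        "properties": {
          "id": { "type": "keyword" },
          "answers": {
            "properties": {
              "ttl": { "type": "long" }
            }
          }
        }
      }
    }
  }
}

# dns.id is sent as a JSON number, dns.answers.ttl as an array of numbers.
PUT corelight-dns-demo/_doc/1?refresh=true
{
  "dns": {
    "id": 4711,
    "answers": { "ttl": [300, 60] }
  }
}

# The term filter matches on the string form of the id; the range filter
# matches because one element of the array (60) satisfies it.
GET corelight-dns-demo/_search
{
  "query": {
    "bool": {
      "filter": [
        { "term":  { "dns.id": "4711" } },
        { "range": { "dns.answers.ttl": { "lte": 100 } } }
      ]
    }
  }
}

# The mapping is unchanged: dns.id is still keyword, dns.answers.ttl still long.
GET corelight-dns-demo/_mapping
```

The `_source` returned in the hit still shows `4711` as a number and the TTLs as the array that was sent, because `_source` is stored verbatim; only the indexed values follow the mapping.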
