I recently started working with Packetbeat.

For my use-case, I only need some specific fields (to the point where if I could I would completely rewrite the mapping, but am leaving that as a last resort).

I tried removing some of the fields from the "dns.answers" array of objects, but what I did doesn't seem to have any effect:

    - include_fields:
        fields:
          - dns.question.name
          - dns.question.type
          - dns.answers
          - dns.answers_count
          - dns.resolved_ip
    - drop_fields:
        fields:
          - dns.answers.name

In addition, I also tried including only the fields I want, but that didn't seem to work either, e.g.:

    - include_fields:
        fields:
          - dns.question.name
          - dns.question.type
          - dns.answers.data
          - dns.answers_count
          - dns.resolved_ip

Any ideas? If rewriting the template/mapping of the index is the best choice, or perhaps using the Ingest Node Pipelines is a better approach, I'd love to hear it.

Thanks

cakelover
  • DNS answers are probably already used by a `processor`, so you cannot delete a field which does not already exist in the pipeline; they are filled by the `processor`, so you need to upgrade the `pipeline`/`processor` – ExploZe Aug 31 '21 at 13:32
  • Not too sure what you meant there. Could you elaborate? – cakelover Aug 31 '21 at 13:52
  • All information about the DNS is based on the IP address, which is sent to a `processor` https://www.elastic.co/guide/en/beats/packetbeat/current/processor-dns.html which populates the data about DNS, so the field dns.answers.name does not exist at the time it is treated by Packetbeat – ExploZe Aug 31 '21 at 14:12
  • I'm pretty sure that you are talking about a separate unrelated processor for Reverse DNS. What I'm talking about is when recording already existing DNS requests. – cakelover Aug 31 '21 at 15:16
  • What is the source of your Packetbeat information? Is there DNS information provided with it? Are you sure? – ExploZe Aug 31 '21 at 15:31
  • For sure. I use the `dig` command and see the output in Elasticsearch – cakelover Aug 31 '21 at 18:18
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/236616/discussion-between-exploze-and-cakelover). – ExploZe Aug 31 '21 at 18:40
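One way to see why a dotted path such as `dns.answers.name` can have no effect on an array of objects, as an added example that is not part of the question or of Packetbeat's own code: it assumes, as a simplification of how Beats resolve dotted keys, that the lookup only descends through nested maps and stops at arrays, so a field inside each `dns.answers` element has to be removed per element, which is the job an ingest pipeline `foreach` processor wrapping a `remove` processor does.

```python
# Added example (not from the question or Packetbeat): dotted-key lookup
# that walks nested dicts only, versus per-element removal inside an array.

# Constructed sample event shaped like a Packetbeat DNS document
# (addresses are RFC 5737 documentation values).
SAMPLE_EVENT = {
    "dns": {
        "question": {"name": "example.com", "type": "A"},
        "answers": [
            {"name": "example.com", "type": "A", "ttl": 300, "data": "192.0.2.10"},
            {"name": "example.com", "type": "A", "ttl": 300, "data": "192.0.2.11"},
        ],
        "answers_count": 2,
        "resolved_ip": ["192.0.2.10", "192.0.2.11"],
    },
    "network": {"transport": "udp"},
}


def get_path(event, dotted):
    """Resolve a dotted key through nested dicts only; a list stops the walk."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def drop_path(event, dotted):
    """Delete a dotted key if every parent is a dict. Returns True if removed.

    Mirrors the assumption that drop_fields addresses keys in nested maps:
    "dns.answers.name" fails here because dns.answers is a list, not a dict.
    """
    *parents, leaf = dotted.split(".")
    node = event
    for part in parents:
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    if isinstance(node, dict) and leaf in node:
        del node[leaf]
        return True
    return False


def drop_in_array(event, array_path, key):
    """Per-element removal (what foreach + remove does). Returns count removed."""
    arr = get_path(event, array_path)
    removed = 0
    for item in arr if isinstance(arr, list) else []:
        if isinstance(item, dict) and key in item:
            del item[key]
            removed += 1
    return removed
```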
