I noticed this problem with beats that produce event.start and event.end which are time.Time values. The same thing happens with Filebeat's netflow input which also produces these fields.
See how event.start and event.end are {}.
```
$ ./packetbeat -c packetbeat.queue.yml -I tests/system/pcaps/dns_google_com.pcap
{
  "@timestamp": "2019-01-16T04:53:31.637Z",
  "@metadata": {
    "beat": "packetbeat",
    "type": "_doc",
    "version": "7.0.0"
  },
  "event": {
    "start": {},
    "end": {},
    "dataset": "dns",
    "duration": 66221937
  },
  "type": "dns"
}
```
```yaml
packetbeat.interfaces.device: any
packetbeat.shutdown_timeout: 2s
packetbeat.protocols:
- type: dns
  ports: [53]
queue.spool.size: 10 MiB
output.console.pretty: true
processors:
- include_fields:
    fields: event
```
If spooling is disabled the problem goes away.
```
$ ./packetbeat -c packetbeat.queue.yml -I tests/system/pcaps/dns_google_com.pcap -E queue.spool.enabled=false
{
  "@timestamp": "2019-01-16T04:56:33.861Z",
  "@metadata": {
    "beat": "packetbeat",
    "type": "_doc",
    "version": "7.0.0"
  },
  "event": {
    "dataset": "dns",
    "duration": 66212229,
    "start": "2019-01-16T04:56:33.861Z",
    "end": "2019-01-16T04:56:33.927Z"
  },
  "type": "dns"
}
```
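A check for the symptom shown in the report, added here as an example and not taken from the issue or from the Beats code base: it reads a stream of JSON events and flags any `event.start` or `event.end` that is present but is not an RFC 3339 string. The function name `checkEventTimes` and the two sample events (constructed from the outputs above) are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
	"time"
)

// Constructed sample: two events modelled on the report's console output, the
// first with the empty-object symptom, the second with proper timestamps.
const sample = `{"event":{"start":{},"end":{},"dataset":"dns","duration":66221937},"type":"dns"}
{"event":{"dataset":"dns","duration":66212229,"start":"2019-01-16T04:56:33.861Z","end":"2019-01-16T04:56:33.927Z"},"type":"dns"}`

// checkEventTimes decodes concatenated JSON events and returns one finding per
// event.start / event.end value that is present but not an RFC 3339 string.
func checkEventTimes(r io.Reader) ([]string, error) {
	var findings []string
	dec := json.NewDecoder(r)
	for n := 1; ; n++ {
		var doc struct {
			Event map[string]json.RawMessage `json:"event"`
		}
		if err := dec.Decode(&doc); err == io.EOF {
			return findings, nil
		} else if err != nil {
			return findings, fmt.Errorf("event %d: %w", n, err)
		}
		for _, key := range []string{"start", "end"} {
			raw, ok := doc.Event[key]
			if !ok {
				continue // field absent: nothing to validate
			}
			var s string
			if err := json.Unmarshal(raw, &s); err != nil {
				findings = append(findings, fmt.Sprintf("event %d: event.%s is %s, not a string", n, key, raw))
			} else if _, err := time.Parse(time.RFC3339Nano, s); err != nil {
				findings = append(findings, fmt.Sprintf("event %d: event.%s %q is not RFC 3339", n, key, s))
			}
		}
	}
}

func main() {
	findings, err := checkEventTimes(strings.NewReader(sample))
	fmt.Printf("findings=%q err=%v\n", findings, err)
}
```

Run against output captured with and without the spool queue, a check like this makes the regression visible in a test instead of surfacing later as missing flow start and end times in stored events.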