In some situations with DNS packets, Packetbeat includes null IP fields in the documents, causing mapping errors when ingesting into Elasticsearch.
This has been reported with events that contain the message "Another query with the same DNS ID from this client was received so this query was closed without receiving a response."
In this case it seems that Packetbeat is including a resolved_ip field with a list with a single nil value ("resolved_ip": [ "<nil>" ]), and also a <nil> value in the related.ip field.
This causes errors like failed to parse field [dns.resolved_ip] of type [ip] in document with id 'EcpU5XQBHte-Y-A36w7t'. Preview of field's value: '<nil>'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'<nil>' is not an IP string literal.
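The failure mode reported above, as an added Go example that is not Packetbeat's own code: Go's `net.IP.String()` returns the literal `<nil>` for an unset address, and a sanitizer that keeps only parseable IP literals stops such values from reaching fields mapped as `ip`. That the `<nil>` here comes from an unset `net.IP` is an assumption; the helper names (`validIPs`, `sanitizeEvent`) and the flattened sample event are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// validIPs keeps only entries that parse as IPv4/IPv6 literals, which is
// what an Elasticsearch field of type "ip" accepts. "<nil>" is dropped.
func validIPs(values []string) []string {
	out := make([]string, 0, len(values))
	for _, v := range values {
		if net.ParseIP(v) != nil {
			out = append(out, v)
		}
	}
	return out
}

// sanitizeEvent (hypothetical helper) cleans the given IP list fields in place
// and returns the keys it changed; a list left empty is removed entirely.
func sanitizeEvent(event map[string]interface{}, keys ...string) []string {
	var changed []string
	for _, key := range keys {
		raw, ok := event[key].([]string)
		if !ok {
			continue
		}
		clean := validIPs(raw)
		if len(clean) == len(raw) {
			continue
		}
		if len(clean) == 0 {
			delete(event, key)
		} else {
			event[key] = clean
		}
		changed = append(changed, key)
	}
	return changed
}

func main() {
	var unset net.IP // constructed: an address that was never filled in
	event := map[string]interface{}{
		"dns.resolved_ip": []string{unset.String()},
		"related.ip":      []string{"192.0.2.10", unset.String()},
	}
	fmt.Println(sanitizeEvent(event, "dns.resolved_ip", "related.ip"), event)
}
```

Counting the keys returned by `sanitizeEvent` gives a simple metric for how often events would otherwise be rejected at index time.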