Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug][ECS 1.7] Missing dns.answers fields in experimental schema #1116

Open
andrewstucki opened this issue Nov 12, 2020 · 4 comments
Open

[Bug][ECS 1.7] Missing dns.answers fields in experimental schema #1116

andrewstucki opened this issue Nov 12, 2020 · 4 comments
Assignees
Labels
bug Something isn't working ready Issues we'd like to address in the future.

Comments

@andrewstucki
Copy link
Contributor

Description of the issue:

Compare

fields:
- name: answers.class

With

fields:
- name: answers

The first is for the experimental fields, the second is for the standard fields. Looks like the experimental (accidentally?) drops dns.answers -- not sure if there are any other fields like this -- but this one was caught by packetbeat integration tests.

@andrewstucki andrewstucki added bug Something isn't working 1.7.0 labels Nov 12, 2020
@ebeahan ebeahan self-assigned this Nov 12, 2020
@ebeahan
Copy link
Member

ebeahan commented Nov 12, 2020

The dns.answer object contains intermediate: True when the dns.answer.data object is loaded and the deeply nested structure is generated. When working properly, it sets intermediate: False. I'm still assessing the best way to handle this case in the code.

This isn't unique to the experimental schema. Any custom definitions modifying dns.answers.* will reproduce this behavior.

A workaround is to define answer with type object in the experimental definitions:

---
- name: dns
  fields:
    - name: question.name
      type: wildcard
    - name: answers
      type: object
    - name: answers.data
      type: wildcard

@webmat
Copy link
Contributor

webmat commented Nov 12, 2020

I'd be fine if we did that as a temporary fix for the release. We can keep this issue opened to fix fully later, without the rush :-)

@ebeahan
Copy link
Member

ebeahan commented Nov 16, 2020

Temporary workaround added in #1118

@ebeahan ebeahan added the ready Issues we'd like to address in the future. label Nov 17, 2020
@ebeahan ebeahan removed the 1.7.0 label Apr 14, 2021
@djptek
Copy link
Contributor

djptek commented Apr 14, 2021

@ebeahan working on this

@djptek djptek self-assigned this Apr 15, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working ready Issues we'd like to address in the future.
Projects
None yet
Development

No branches or pull requests

4 participants