Type Error: dns.id and dns.answers.ttl

[jamesagarside]

The current DNS pipeline doesnt convert dns.answers.ttl which is copied from the Corelight field TTLs to the correct type. It seems Corelight sends it as an array however the expected Elastic mapping is a long. https://www.elastic.co/guide/en/ecs/current/ecs-dns.html#field-dns-answers-ttl

dns.id is indexed as a keyword and therefore should be converted to a string.

[neu5ron]

arrays in elasticsearch have no impact on the type. so an array of integers set to a field with an integer type, is a valid integer type. an array of IPs set to a field with an ip type, is a valid ip type. and so on. since the mapping for dns.answers.ttl is already set then no explicit conversions are necessary.

converting to string before storing as keyword is also not necessary if the type is already defined. in this case dns.id is already set as keyword, so if sending 1 or "1" they both get treated and stored as a string.

let me know if this helps or not. thanks