I think there is an error in the way that Packetbeat (7.8) parses DNS logs, and/or the way that Kibana displays them.
Suppose I have a host 22.214.171.124 that sends a DNS request for microsoft.com to the DNS server 126.96.36.199, and Packetbeat is running on 188.8.131.52 (hostname Sensor) with a SPAN port that sees the DNS request.
When Packetbeat parses the DNS packet, it populates the host.name ECS field with the name of the machine that is running the Packetbeat instance. When this gets displayed by Kibana, the display processor uses the field host.name to populate the display such that it reads:
Sensor asked for microsoft.com with question type A blah blah blah
Further on, it displays source and destination, and these are correctly shown as 184.108.40.206 and 220.127.116.11 respectively.
What I would have expected is:
18.104.22.168 asked for microsoft.com with question type A
Is this an issue with Packetbeat not filling in the host.name field correctly, or Kibana not visualising the request properly?