I am trying to get the hostname of a given IP in a field (source.ip). I am doing this for an agent deployed within a system integration. I have defined some processors in the "processors" field, some of them drop_event.
But when I add the dns processor, the agent keeps updating in the log section and stops receiving events. But if I remove this, everything works again.
It is a bit tricky to help debug if we are not seeing a specific error when the pipeline is not working. Would it be possible for you to test the pipeline with example input and report back what error you are seeing?
I am doing this using the system integration, not Windows.
There is a strange behavior: if I use the configuration that is in the screenshot, the agent stops logging. I need to specify the "nameservers" configuration and it starts working again, but it does not do any reverse function.
I finally found the solution. It was all about adding fields, and so it worked. There was nothing weird in the logging system, so I started checking the index pipes: the final document fields are "post processors" fields. So the source.ip field doesn't work in this step.
If you put only the basic DNS settings, the agent stops logging in, as I said. I added the nameservers to the config lines (everything started working again) and then I checked the "original fields", I mean the system ones in my case, from the manifest of the package that I send.
So maybe I'll add this to the troubleshooting guide: the tag_on_failure function doesn't tag a wrong value from a wrong field. And if you don't specify the nameservers on the system against a Windows server, that doesn't work; there is an "On Windows, you must always provide at least one nameserver" in the documentation. But I'll specify something like "windows event log" (just an idea).
Another thing that could be great is to attach the manifest to the documentation or specify that those fields are the fields that will work in the "pre-ingest pipelines" step.
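The points raised in this thread, put together as one agent-side processor list. This is an added example, not a configuration posted by anyone in the thread. The resolver address `192.0.2.53`, the raw field name `winlog.event_data.IpAddress`, the target field `source.domain` and both tag names are assumptions chosen for illustration; substitute a field that exists on the event before any ingest pipeline runs.

```yaml
# Contents of the integration's "processors" field (a list of Beats processors).
# Constructed values: 192.0.2.53 is a placeholder resolver, and
# winlog.event_data.IpAddress is an assumed raw field name.

# Before: no nameservers, and a lookup on source.ip, which per the thread
# is only populated after the agent-side processors have run.
# - dns:
#     type: reverse
#     fields:
#       source.ip: source.domain

# After: tag events where the lookup field is absent, since per the thread
# tag_on_failure does not fire when the configured field is missing.
- add_tags:
    when:
      not:
        has_fields: ['winlog.event_data.IpAddress']
    tags: [dns_source_field_missing]

# Reverse lookup on a field present at agent time, with an explicit resolver.
- dns:
    when:
      has_fields: ['winlog.event_data.IpAddress']
    type: reverse
    action: append
    fields:
      winlog.event_data.IpAddress: source.domain
    nameservers: ['192.0.2.53']   # on Windows at least one nameserver is required
    timeout: 500ms
    tag_on_failure: [_dns_reverse_lookup_failed]
```

Searching the resulting documents for either tag separates "field was never there" from "resolver did not answer", which the thread shows are easy to confuse.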