Hello,
I am working on parsing manually imported office 365 audit logs for times when exporting a CSV manually (versus configuring the ELK integration) is necessarry.
There is one column of the CSV called AuditData that is JSON and sometimes includes a child called ModifiedProperties.
90% of the time the rows are indexed properly but in each CSV this field has a handful of items that don't parse, and I can't seem to figure out why.
I've tried a lot of different things and I'm just not sure what the issue here is.
input {
file {
path => "E:/CUSTOM_LOG_INPUT/O365_AUDITLOGS_CSV/*.csv"
start_position => "beginning"
sincedb_path => "NULL"
}
}
filter {
csv {
separator => ","
columns => [ "RecordId","CreationDate","RecordType","Operation","UserId","AuditData","AssociatedAdminUnits","AssociatedAdminUnitsNames" ]
skip_header => "true"
skip_empty_columns => "true"
}
date {
match => [ "CreationDate" , "ISO8601", "yyyy-MM-dd'T'HH:mm:ss.SSSSSSS'Z' "]
target => "@timestamp"
}
json {
source => "AuditData"
target => "AuditData"
}
geoip {
source => "[AuditData][ClientIPAddress]"
target => "GeoIP"
default_database_type => "City"
tag_on_failure => ["geoip-city-failed"]
}
geoip {
source => "[AuditData][ClientIPAddress]"
target => "GeoIP"
default_database_type => "ASN"
tag_on_failure => ["geoip-city-failed"]
}
}
#Index Template using Component Template for Mappings
{
"template": {
"settings": {
"index": {
"routing": {
"allocation": {
"include": {
"_tier_preference": "data_content"
}
}
}
}
},
"mappings": {
"dynamic_templates": [],
"properties": {
"AssociatedAdminUnits": {
"type": "keyword",
"ignore_above": 1024
},
"AssociatedAdminUnitsNames": {
"type": "keyword",
"ignore_above": 1024
},
"AuditData": {
"type": "object",
"dynamic": "true"
},
"CreationDate": {
"type": "keyword",
"ignore_above": 1024
},
"Operation": {
"type": "keyword",
"ignore_above": 1024
},
"RecordId": {
"type": "keyword",
"ignore_above": 1024
},
"UserId": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"aliases": {}
}
}
#Index Mappings after I ingest data_content{
"mappings": {
"dynamic_templates": [],
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"AssociatedAdminUnits": {
"type": "keyword",
"ignore_above": 1024
},
"AssociatedAdminUnitsNames": {
"type": "keyword",
"ignore_above": 1024
},
"AuditData": {
"dynamic": "true",
"properties": {
"Actor": {
"properties": {
"ID": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Type": {
"type": "long"
}
}
},
"ActorContextId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ActorIpAddress": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"AffectedItems": {
"properties": {
"Attachments": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"InternetMessageId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ParentFolder": {
"properties": {
"Id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Path": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"Subject": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"AppAccessContext": {
"properties": {
"AADSessionId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ClientAppId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ClientAppName": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"CorrelationId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"UniqueTokenId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"AppId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ApplicationDisplayName": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ApplicationId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"AuthenticationType": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"AzureActiveDirectoryEventType": {
"type": "long"
},
"BrowserName": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"BrowserVersion": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ClientAppId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ClientIP": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ClientIPAddress": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ClientInfoString": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ClientRequestId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"CorrelationId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"CreationTime": {
"type": "date"
},
"CrossMailboxOperation": {
"type": "boolean"
},
"DestFolder": {
"properties": {
"Id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Path": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"DeviceDisplayName": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"DeviceProperties": {
"properties": {
"Name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Value": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"ErrorNumber": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"EventSource": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ExtendedProperties": {
"properties": {
"Name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Value": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"ExternalAccess": {
"type": "boolean"
},
"Folder": {
"properties": {
"Id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Path": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"Folders": {
"properties": {
"FolderItems": {
"properties": {
"ClientRequestId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"InternetMessageId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"SizeInBytes": {
"type": "long"
}
}
},
"Id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Path": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"HighPriorityMediaProcessing": {
"type": "boolean"
},
"Id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"InterSystemsId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"InternalLogonType": {
"type": "long"
},
"IntraSystemId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"IsManagedDevice": {
"type": "boolean"
},
"Item": {
"properties": {
"Attachments": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"InternetMessageId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"IsRecord": {
"type": "boolean"
},
"ParentFolder": {
"properties": {
"Id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Path": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"SizeInBytes": {
"type": "long"
},
"Subject": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"ItemType": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ListBaseType": {
"type": "long"
},
"ListId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ListItemUniqueId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ListServerTemplate": {
"type": "long"
},
"LogonError": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"LogonType": {
"type": "long"
},
"LogonUserSid": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"MailboxGuid": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"MailboxOwnerSid": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"MailboxOwnerUPN": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ModifiedProperties": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"ObjectId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Operation": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"OperationCount": {
"type": "long"
},
"OperationProperties": {
"properties": {
"Name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Value": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"OrganizationId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"OrganizationName": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"OriginatingServer": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Platform": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"RecordType": {
"type": "long"
},
"ResultStatus": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"SaveToSentItems": {
"type": "boolean"
},
"SessionId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Site": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"SiteUrl": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"SourceFileExtension": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"SourceFileName": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"SourceRelativeUrl": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"SupportTicketId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Target": {
"properties": {
"ID": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Type": {
"type": "long"
}
}
},
"TargetContextId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"UserAgent": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"UserId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"UserKey": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"UserType": {
"type": "long"
},
"Version": {
"type": "long"
},
"WebId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"Workload": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"CreationDate": {
"type": "keyword",
"ignore_above": 1024
},
"GeoIP": {
"properties": {
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}
}
},
"geo": {
"properties": {
"city_name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"continent_code": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"country_iso_code": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"country_name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"location": {
"properties": {
"lat": {
"type": "float"
},
"lon": {
"type": "float"
}
}
},
"postal_code": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"region_iso_code": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"region_name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"timezone": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"ip": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"mmdb": {
"properties": {
"dma_code": {
"type": "long"
}
}
}
}
},
"Operation": {
"type": "keyword",
"ignore_above": 1024
},
"RecordId": {
"type": "keyword",
"ignore_above": 1024
},
"RecordType": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"UserId": {
"type": "keyword",
"ignore_above": 1024
},
"event": {
"properties": {
"original": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"host": {
"properties": {
"name": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"log": {
"properties": {
"file": {
"properties": {
"path": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}
}
},
"message": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"tags": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}
}
\"\"ModifiedProperties\"\":[{\"\"Name\"\":\"\"Included Updated Properties\"\",\"\"NewValue\"\":\"\"\"\",\"\"OldValue\"\":\"\"\"\"},{\"\"Name\"\":\"\"TargetId.UserType\"\",\"\"NewValue\"\":\"\"Member\"\",\"\"OldValue\"\":\"\"\"\"}]
:response=>{
"index"=>{
"status"=>400,
"error"=>{
"type"=>"document_parsing_exception",
"reason"=>"[1:5135] failed to parse field [AuditData.ModifiedProperties] of type [text] in document with id 'sM8H7pEBKErufQIJNuBc'. Preview of field's value: '{OldValue=, NewValue=, Name=Included Updated Properties}'",
"caused_by"=>{
"type"=>"illegal_state_exception",
"reason"=>"Can't get text on a START_OBJECT at 1:5070"
}
}
}
}
\"\"ModifiedProperties\"\":[{\"\"Name\"\":\"\"StrongAuthenticationMethod\"\",\"\"NewValue\"\":\"\"[\\r\\n {\\r\\n \\\"\"MethodType\\\"\": 0,\\r\\n \\\"\"Default\\\"\": false\\r\\n },\\r\\n {\\r\\n \\\"\"MethodType\\\"\": 5,\\r\\n \\\"\"Default\\\"\": true\\r\\n }\\r\\n]\"\",\"\"OldValue\"\":\"\"[]\"\"},{\"\"Name\"\":\"\"Included Updated Properties\"\",\"\"NewValue\"\":\"\"StrongAuthenticationMethod\"\",\"\"OldValue\"\":\"\"\"\"},{\"\"Name\"\":\"\"TargetId.UserType\"\",\"\"NewValue\"\":\"\"Member\"\",\"\"OldValue\"\":\"\"\"\"}],
:response=>{
"index"=>{
"status"=>400,
"error"=>{
"type"=>"document_parsing_exception",
"reason"=>"[1:5910] failed to parse field [AuditData.ModifiedProperties] of type [text] in document with id 'yNAH7pEBKErufQIJTAXu'. Preview of field's value: '{OldValue=[], NewValue=[\r\n {\r\n \"MethodType\": 0,\r\n \"Default\": false\r\n },\r\n {\r\n \"MethodType\": 5,\r\n \"Default\": true\r\n }\r\n], Name=StrongAuthenticationMethod}'",
"caused_by"=>{
"type"=>"illegal_state_exception",
"reason"=>"Can't get text on a START_OBJECT at 1:5706"
}
}
}
}
\"\"ModifiedProperties\"\":[{\"\"Name\"\":\"\"StrongAuthenticationUserDetails\"\",\"\"NewValue\"\":\"\"[\\r\\n {\\r\\n \\\"\"PhoneNumber\\\"\": \\\"\"\\"\",\\r\\n \\\"\"AlternativePhoneNumber\\\"\": null,\\r\\n \\\"\"Email\\\"\": null,\\r\\n \\\"\"VoiceOnlyPhoneNumber\\\"\": null\\r\\n }\\r\\n]\"\",\"\"OldValue\"\":\"\"[\\r\\n {\\r\\n \\\"\"PhoneNumber\\\"\": null,\\r\\n \\\"\"AlternativePhoneNumber\\\"\": null,\\r\\n \\\"\"Email\\\"\": null,\\r\\n \\\"\"VoiceOnlyPhoneNumber\\\"\": null\\r\\n }\\r\\n]\"\"},{\"\"Name\"\":\"\"Included Updated Properties\"\",\"\"NewValue\"\":\"\"StrongAuthenticationUserDetails\"\",\"\"OldValue\"\":\"\"\"\"},{\"\"Name\"\":\"\"TargetId.UserType\"\",\"\"NewValue\"\":\"\"Member\"\",\"\"OldValue\"\":\"\"\"\"}]
:response=>{
"index"=>{
"status"=>400,
"error"=>{
"type"=>"document_parsing_exception",
"reason"=>"[1:6572] failed to parse field [AuditData.ModifiedProperties] of type [text] in document with id 'tNAH7pEBKErufQIJTAXu'. Preview of field's value: '{OldValue=[\r\n {\r\n \"PhoneNumber\": null,\r\n \"AlternativePhoneNumber\": null,\r\n \"Email\": null,\r\n \"VoiceOnlyPhoneNumber\": null\r\n }\r\n], NewValue=[\r\n {\r\n \"PhoneNumber\": \"+1 \",\r\n \"AlternativePhoneNumber\": null,\r\n \"Email\": null,\r\n \"VoiceOnlyPhoneNumber\": null\r\n }\r\n], Name=StrongAuthenticationUserDetails}'",
"caused_by"=>{
"type"=>"illegal_state_exception",
"reason"=>"Can't get text on a START_OBJECT at 1:6184"
}
}
}
}
\"\"ModifiedProperties\"\":[\"\"MapiEndTime\"\",\"\"MapiPREndDate\"\",\"\"TimeZone\"\",\"\"TimeZoneBlob\"\",\"\"TimeZoneDefinitionStart\"\",\"\"TimeZoneDefinitionEnd\"\",\"\"MapiStartTime\"\",\"\"MapiPRStartDate\"\",\"\"MapiIsAllDayEvent\"\",\"\"TimeZoneDefinitionRecurring\"\",\"\"AppointmentRecurring\"\",\"\"AttendeeCriticalChangeTime\"\",\"\"Location\"\",\"\"SendRichInfo\"\",\"\"PartnerNetworkUserId\"\",\"\"PartnerNetworkId\"\",\"\"SentRepresentingDisplayName\"\",\"\"SentRepresentingEmailAddress\"\",\"\"SentRepresentingType\"\",\"\"SentRepresentingEntryId\"\",\"\"SentRepresentingSmtpAddress\"\",\"\"SipUri\"\",\"\"SentRepresentingSID\"\",\"\"SentRepresentingAADObjectId\"\",\"\"When\"\",\"\"BirthdayContactAttributionDisplayName\"\",\"\"BirthdayLocal\"\",\"\"ReceivedByName\"\",\"\"ReceivedByEmailAddress\"\",\"\"ReceivedByAddrType\"\",\"\"ReceivedByEntryId\"\",\"\"ReceivedBySmtpAddress\"\",\"\"AllAttachmentsHidden\"\",\"\"SenderDisplayName\"\",\"\"SenderEmailAddress\"\",\"\"SenderAddressType\"\",\"\"SenderEntryId\"\",\"\"SenderSmtpAddress\"\",\"\"SenderSID\"\",\"\"SenderAADObjectId\"\",\"\"SentTime\"\",\"\"HtmlBody\"\",\"\"RtfBody\"\",\"\"TextBody\"\",\"\"DisplayName\"\",\"\"CreationTime\"\",\"\"MapiSubject\"\",\"\"NormalizedSubjectInternal\"\",\"\"SubjectPrefixInternal\"\",\"\"ItemClass\"\",\"\"ReplyForwardStatus\"\",\"\"ReceivedTime\"\",\"\"RecipientCollection\"\"]}\",,\r"},
"RecordType"=>"2",
"host"=>{"name"=>"ELK01"}}],
:response=>{
"index"=>{
"status"=>400,
"error"=>{
"type"=>"document_parsing_exception",
"reason"=>"[1:4899] object mapping for [AuditData.ModifiedProperties] tried to parse field [null] as object, but found a concrete value"
}
}
}