Deduplication in tshark -T ek

asked 2017-11-22 21:10:48 +0000

chris_toph

Hi folks,

I'm trying to import a network dump, which I created via tshark -i en1 -T ek > packets.json, into Elasticsearch.

Using the bulk importer of Elasticsearch, the import fails because there are duplicate field names. I think that since version 6.0 Elasticsearch is stricter when it comes to checking for duplicates.

So, my question is: why are there duplicate names for fields like ip_ip_addr or ip_text? In my understanding they should have unique names, so that you can import the data into Elasticsearch.

Thank you for your help, and BR, Christoph

1 Answer

answered 2017-11-22 21:43:34 +0000

Uli

There was a bug report for this issue.

It is fixed in the current master version (2.5.X).
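For tshark builds that still emit the duplicate field names described in the question, the EK output can be rewritten before it reaches the Elasticsearch _bulk endpoint. The script below is an added example, not code from this thread or from the Wireshark project. It uses the object_pairs_hook of Python's json module, which still sees every key/value pair of an object before the pairs are collapsed into a dict, to detect repeated keys and to merge them into one list-valued key. The sample EK lines, field names and values in it are constructed for illustration, and the file name dedupe_ek.py in the usage comment is assumed.

```python
import json
import sys

# Constructed sample in the tshark -T ek bulk format: an index action line
# followed by a document line. Field names and values are made up for this
# example; the document intentionally repeats "ip_ip_addr" inside layers.ip,
# the kind of duplicate key that makes the Elasticsearch 6.x bulk API reject
# the document.
SAMPLE_EK = [
    '{"index":{"_index":"packets-2017-11-22","_type":"pcap_file"}}',
    '{"timestamp":"1511385048000","layers":{'
    '"frame":{"frame_frame_len":"74","frame_frame_protocols":"eth:ethertype:ip:tcp"},'
    '"ip":{"ip_ip_version":"4","ip_ip_src":"10.0.0.1","ip_ip_addr":"10.0.0.1",'
    '"ip_ip_dst":"10.0.0.2","ip_ip_addr":"10.0.0.2"},'
    '"tcp":{"tcp_tcp_port":["443","51234"]}}}',
]


def duplicate_keys(line):
    """Return the sorted set of keys that occur more than once in any object
    of one JSON line. json.loads calls the hook once per object, innermost
    first, so nested duplicates are found as well."""
    dupes = set()

    def hook(pairs):
        keys = [key for key, _ in pairs]
        dupes.update(key for key in keys if keys.count(key) > 1)
        return dict(pairs)

    json.loads(line, object_pairs_hook=hook)
    return sorted(dupes)


def merge_duplicate_keys(pairs):
    """object_pairs_hook that merges repeated keys into one list-valued key.

    A key seen once keeps its value unchanged. A key seen several times
    becomes a list of all its values in document order; values that are
    already lists (tshark emits those for multi-valued fields) are flattened
    into that list rather than nested."""
    grouped = {}
    for key, value in pairs:
        grouped.setdefault(key, []).append(value)
    merged = {}
    for key, values in grouped.items():
        if len(values) == 1:
            merged[key] = values[0]
        else:
            flat = []
            for value in values:
                flat.extend(value if isinstance(value, list) else [value])
            merged[key] = flat
    return merged


def dedupe_ek_line(line):
    """Parse one EK line, merging duplicate keys at every nesting level."""
    return json.loads(line, object_pairs_hook=merge_duplicate_keys)


def dedupe_ek_stream(lines):
    """Yield each non-blank EK line re-serialised so that every object has
    unique keys. Index action lines pass through unchanged apart from the
    compact re-serialisation, so the output is still valid _bulk input."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        yield json.dumps(dedupe_ek_line(line), separators=(",", ":"))


if __name__ == "__main__":
    # Usage (assumed file name): tshark -i en1 -T ek | python3 dedupe_ek.py > packets.json
    for rewritten in dedupe_ek_stream(sys.stdin):
        print(rewritten)
```

Merging into a list rather than keeping the last value is deliberate: with the constructed sample, dropping one of the two ip_ip_addr values would silently lose the source or destination address, whereas a list keeps both and matches how tshark already represents multi-valued fields. Run duplicate_keys on a few lines of real output first to see which fields your tshark version repeats before trusting the rewritten stream.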

