Closed
Labels
- Integration:slack (Slack Logs, Community supported)
- Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations])
- Team:Sit-Crest (Crest developers on the Security Integrations team [elastic/sit-crest-contractors])
- maintainer:Community (Community supported integration)
- needs:triage
Description
Integration Name
Slack Logs [slack]
Dataset Name
slack.audit
Integration Version
1.25.0
Agent Version
8.18.1
Agent Output Type
logstash
Elasticsearch Version
8.18.1
OS Version and Architecture
ECH
Software/API Version
No response
Error Message
Processor 'convert' with tag '' failed with message ''' is not an IP string literal.'
Event Original
{
  "actor": {
    "type": "user",
    "user": {
      "email": "",
      "id": "[redacted]",
      "name": "[redacted]",
      "team": "[redacted]"
    }
  },
  "context": {
    "ip_address": "",
    "location": {
      "domain": "[redacted]",
      "id": "[redacted]",
      "name": "[redacted]",
      "type": "workspace"
    },
    "session_id": null,
    "ua": ""
  },
  "date_create": 1751412368,
  "details": {
    "shared_with": {
      "channel_id": "[redacted]"
    },
    "url_private": "[redacted]"
  },
  "entity": {
    "file": {
      "filetype": "text/html",
      "id": "[redacted]",
      "name": "[redacted]",
      "title": "[redacted]"
    },
    "type": "file"
  },
  "id": "[redacted]"
}
What did you do?
OOTB, no changes, this began as soon as the integration was enabled
What did you see?
A pipeline error and data not being fully parsed correctly
What did you expect to see?
source.address error handling should properly identify not just null values but also (empty) values and potentially non-IP values.
Anything else?
I added the below processor just before the IP convert processor to remove the source.address field if it has an empty string.
{
  "remove": {
    "ignore_missing": true,
    "field": "source.address",
    "if": "ctx?.source?.address == \"\""
  }
}
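The following is an added example, not code from the reporter or from the elastic/integrations Slack pipeline: a small Python model of the mapping step the issue is about (context.ip_address copied to source.address, then converted to source.ip), run over constructed events covering the cases the reporter lists (empty string, JSON null, absent field, non-IP literal, valid IPv4/IPv6). The event contents, field layout of the output and the choice to record a skipped conversion under error.message are assumptions for illustration; the point is that the guard drops empty values (what the reporter's remove processor does) and additionally leaves non-IP values unconverted instead of failing the pipeline. The equivalent ingest-pipeline guard would be a condition such as `ctx.source?.address != null && ctx.source.address != ""` on the convert processor, with `ignore_failure` or an `on_failure` handler for values that are still not IP literals.

```python
import ipaddress
from typing import Any, Dict, List, Optional

# Constructed sample events shaped like the redacted Slack audit record in the
# issue; every value here is invented for illustration.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"id": "ev-1", "context": {"ip_address": "203.0.113.7"}},   # valid IPv4
    {"id": "ev-2", "context": {"ip_address": "2001:db8::1"}},   # valid IPv6
    {"id": "ev-3", "context": {"ip_address": ""}},              # empty string: the failing case
    {"id": "ev-4", "context": {"ip_address": None}},            # JSON null
    {"id": "ev-5", "context": {}},                              # field absent
    {"id": "ev-6", "context": {"ip_address": "not-an-ip"}},     # non-IP literal
]


def naive_convert(raw: Any) -> str:
    """Mirror of the unguarded convert step: any non-IP input, including the
    empty string, raises ValueError, just as the convert processor fails in the issue."""
    return str(ipaddress.ip_address(raw))


def parse_ip(value: Any) -> Optional[str]:
    """Return the canonical text form of value if it is an IPv4/IPv6 literal, else None.
    Never raises; None, non-strings and the empty string all yield None."""
    if not isinstance(value, str) or value == "":
        return None
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def map_source_address(event: Dict[str, Any]) -> Dict[str, Any]:
    """Guarded version of the mapping step (assumed output layout).

    - null, empty or missing context.ip_address: source.* is not set at all
    - valid IP literal: source.address and source.ip are both set
    - any other string: source.address is kept for investigation, source.ip is
      left unset, and the skipped conversion is noted under error.message
    """
    out: Dict[str, Any] = {"id": event.get("id")}
    raw = (event.get("context") or {}).get("ip_address")
    if raw is None or raw == "":
        return out
    out["source"] = {"address": raw}
    ip = parse_ip(raw)
    if ip is not None:
        out["source"]["ip"] = ip
    else:
        out["error"] = {"message": f"source.address {raw!r} is not an IP literal"}
    return out


def process_all(events: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Run the guarded mapping over a batch; returns results keyed by event id."""
    return {e["id"]: map_source_address(e) for e in events}


if __name__ == "__main__":
    for event_id, result in process_all(SAMPLE_EVENTS).items():
        print(event_id, result)
    try:
        naive_convert("")
    except ValueError as exc:
        print("unguarded convert fails on empty string:", exc)
```

Running the script prints one mapped record per sample event and then shows the ValueError the unguarded conversion raises on the empty string, which is the failure the pipeline reports as "'' is not an IP string literal".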