elastic · kaiyan-sheng · Nov 30, 2020 · Nov 23, 2020 · Nov 23, 2020 · Nov 26, 2020
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -332,6 +332,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix handing missing eventtime and assignip field being set to N/A for fortinet module. {pull}22361[22361]
 - Fix Zeek dashboard reference to `zeek.ssl.server.name` field. {pull}21696[21696]
 - Fix for `field [source] not present as part of path [source.ip]` error in azure pipelines. {pull}22377[22377]
+- Drop aws.vpcflow.pkt_srcaddr and aws.vpcflow.pkt_dstaddr when equal to "-". {pull}22721[22721] {issue}22716[22716]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/module/aws/vpcflow/config/input.yml b/x-pack/filebeat/module/aws/vpcflow/config/input.yml
@@ -129,6 +129,14 @@ processors:
   - drop_fields:
       fields: ["aws.vpcflow.srcaddr", "aws.vpcflow.srcport", "aws.vpcflow.dstaddr", "aws.vpcflow.dstport", "aws.vpcflow.bytes", "aws.vpcflow.packets", "aws.vpcflow.protocol"]
 
+  - drop_fields:
+      when.equals.aws.vpcflow.pkt_srcaddr: "-"
+      fields: ["aws.vpcflow.pkt_srcaddr"]
+
+  - drop_fields:
+      when.equals.aws.vpcflow.pkt_dstaddr: "-"
+      fields: [ "aws.vpcflow.pkt_dstaddr" ]
+
   - community_id: ~
 
   # Use the aws.vpcflow.action value to set the event.outcome value to either "allow" or "deny".

diff --git a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence-skip-data.log b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence-skip-data.log
@@ -0,0 +1,5 @@
+version vpc-id subnet-id instance-id interface-id account-id type srcaddr dstaddr srcport dstport pkt-srcaddr pkt-dstaddr protocol bytes packets start end action tcp-flags log-status
+3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 - - - - - - - - - - 1566848875 1566848933 - - SKIPDATA
+
+version vpc-id subnet-id instance-id interface-id account-id type srcaddr dstaddr srcport dstport pkt-srcaddr pkt-dstaddr protocol bytes packets start end action tcp-flags log-status
+3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 - - - - - - - - - - 1566848875 1566848933 - - NODATA
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence-skip-data.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence-skip-data.log-expected.json
@@ -0,0 +1,64 @@
+[
+    {
+        "@timestamp": "2019-08-26T19:48:53.000Z",
+        "aws.vpcflow.account_id": "123456789010",
+        "aws.vpcflow.action": "-",
+        "aws.vpcflow.instance_id": "i-01234567890123456",
+        "aws.vpcflow.interface_id": "eni-1235b8ca123456789",
+        "aws.vpcflow.log_status": "SKIPDATA",
+        "aws.vpcflow.subnet_id": "subnet-aaaaaaaa012345678",
+        "aws.vpcflow.tcp_flags": "-",
+        "aws.vpcflow.type": "-",
+        "aws.vpcflow.version": "3",
+        "aws.vpcflow.vpc_id": "vpc-abcdefab012345678",
+        "cloud.account.id": "123456789010",
+        "cloud.instance.id": "i-01234567890123456",
+        "cloud.provider": "aws",
+        "event.category": "network_traffic",
+        "event.dataset": "aws.vpcflow",
+        "event.end": "2019-08-26T19:48:53.000Z",
+        "event.kind": "event",
+        "event.module": "aws",
+        "event.original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 - - - - - - - - - - 1566848875 1566848933 - - SKIPDATA",
+        "event.start": "2019-08-26T19:47:55.000Z",
+        "event.type": "flow",
+        "fileset.name": "vpcflow",
+        "input.type": "log",
+        "log.offset": 183,
+        "service.type": "aws",
+        "tags": [
+            "forwarded"
+        ]
+    },
+    {
+        "@timestamp": "2019-08-26T19:48:53.000Z",
+        "aws.vpcflow.account_id": "123456789010",
+        "aws.vpcflow.action": "-",
+        "aws.vpcflow.instance_id": "i-01234567890123456",
+        "aws.vpcflow.interface_id": "eni-1235b8ca123456789",
+        "aws.vpcflow.log_status": "NODATA",
+        "aws.vpcflow.subnet_id": "subnet-aaaaaaaa012345678",
+        "aws.vpcflow.tcp_flags": "-",
+        "aws.vpcflow.type": "-",
+        "aws.vpcflow.version": "3",
+        "aws.vpcflow.vpc_id": "vpc-abcdefab012345678",
+        "cloud.account.id": "123456789010",
+        "cloud.instance.id": "i-01234567890123456",
+        "cloud.provider": "aws",
+        "event.category": "network_traffic",
+        "event.dataset": "aws.vpcflow",
+        "event.end": "2019-08-26T19:48:53.000Z",
+        "event.kind": "event",
+        "event.module": "aws",
+        "event.original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 - - - - - - - - - - 1566848875 1566848933 - - NODATA",
+        "event.start": "2019-08-26T19:47:55.000Z",
+        "event.type": "flow",
+        "fileset.name": "vpcflow",
+        "input.type": "log",
+        "log.offset": 526,
+        "service.type": "aws",
+        "tags": [
+            "forwarded"
+        ]
+    }
+]