From c307a2c06dc9a831e13f5e8840dafd9d4eba744e Mon Sep 17 00:00:00 2001 
From: James Garside Date: Fri, 31 May 2024 10:36:56 +0100 Subject: [PATCH 01/23] base intergation --- packages/endace/LICENSE.txt | 93 + packages/endace/_dev/build/build.yml | 4 + packages/endace/_dev/build/docs/README.md | 171 + .../_dev/deploy/docker/docker-compose.yml | 13 + .../docker/pcaps/amqp_channel_error.pcap | Bin 0 -> 2164 bytes .../docker/pcaps/amqp_emit_receive.pcap | Bin 0 -> 5317 bytes .../deploy/docker/pcaps/amqp_publish.pcap | Bin 0 -> 2406 bytes .../docker/pcaps/cassandra_create_index.pcap | Bin 0 -> 3771 bytes .../pcaps/cassandra_create_keyspace.pcap | Bin 0 -> 1314 bytes .../docker/pcaps/cassandra_create_table.pcap | Bin 0 -> 3735 bytes .../deploy/docker/pcaps/cassandra_insert.pcap | Bin 0 -> 287 bytes .../docker/pcaps/cassandra_mixed_frame.pcap | Bin 0 -> 114224 bytes .../deploy/docker/pcaps/cassandra_select.pcap | Bin 0 -> 316 bytes .../pcaps/cassandra_select_via_index.pcap | Bin 0 -> 338 bytes .../docker/pcaps/cassandra_trace_err.pcap | Bin 0 -> 285 bytes .../endace/_dev/deploy/docker/pcaps/dhcp.pcap | Bin 0 -> 1400 bytes .../deploy/docker/pcaps/dns_additional.pcap | Bin 0 -> 350 bytes .../deploy/docker/pcaps/dns_google_com.pcap | Bin 0 -> 452 bytes .../_dev/deploy/docker/pcaps/dns_mx.pcap | Bin 0 -> 532 bytes .../deploy/docker/pcaps/dns_not_found.pcap | Bin 0 -> 297 bytes .../_dev/deploy/docker/pcaps/dns_ns.pcap | Bin 0 -> 1479 bytes .../deploy/docker/pcaps/dns_tcp_axfr.pcap | Bin 0 -> 915 bytes .../_dev/deploy/docker/pcaps/dns_txt.pcap | Bin 0 -> 757 bytes .../deploy/docker/pcaps/dns_udp_edns_ds.pcap | Bin 0 -> 461 bytes .../pcaps/http_10_connection_close.pcap | Bin 0 -> 23972 bytes .../deploy/docker/pcaps/http_basicauth.pcap | Bin 0 -> 5156 bytes .../deploy/docker/pcaps/http_get_2k_file.pcap | Bin 0 -> 4821 bytes .../deploy/docker/pcaps/http_minitwit.pcap | Bin 0 -> 17512 bytes .../deploy/docker/pcaps/http_over_vlan.pcap | Bin 0 -> 1946 bytes .../_dev/deploy/docker/pcaps/http_post.pcap | Bin 0 -> 9999 bytes 
.../deploy/docker/pcaps/http_post_json.pcap | Bin 0 -> 11211 bytes .../_dev/deploy/docker/pcaps/http_realip.pcap | Bin 0 -> 32074 bytes .../deploy/docker/pcaps/http_url_params.pcap | Bin 0 -> 9925 bytes .../docker/pcaps/http_x_forwarded_for.pcap | Bin 0 -> 1530 bytes .../_dev/deploy/docker/pcaps/icmp4_ping.pcap | Bin 0 -> 148 bytes .../docker/pcaps/icmp4_ping_over_vlan.pcap | Bin 0 -> 156 bytes .../_dev/deploy/docker/pcaps/icmp6_ping.pcap | Bin 0 -> 188 bytes .../docker/pcaps/icmp6_ping_over_vlan.pcap | Bin 0 -> 196 bytes .../deploy/docker/pcaps/icmp_2_pings.pcap | Bin 0 -> 272 bytes .../pcaps/memcache_bin_tcp_counter_ops.pcap | Bin 0 -> 2149 bytes .../docker/pcaps/memcache_bin_tcp_delete.pcap | Bin 0 -> 1793 bytes .../memcache_bin_tcp_multi_store_load.pcap | Bin 0 -> 2912 bytes .../memcache_bin_tcp_single_load_store.pcap | Bin 0 -> 5780 bytes .../docker/pcaps/memcache_bin_tcp_stats.pcap | Bin 0 -> 3942 bytes .../pcaps/memcache_bin_udp_counter_ops.pcap | Bin 0 -> 352 bytes .../docker/pcaps/memcache_bin_udp_delete.pcap | Bin 0 -> 221 bytes .../pcaps/memcache_bin_udp_multi_store.pcap | Bin 0 -> 454 bytes .../pcaps/memcache_bin_udp_single_store.pcap | Bin 0 -> 1154 bytes .../pcaps/memcache_text_tcp_counter_ops.pcap | Bin 0 -> 1778 bytes .../pcaps/memcache_text_tcp_delete.pcap | Bin 0 -> 1507 bytes .../memcache_text_tcp_multi_store_load.pcap | Bin 0 -> 2101 bytes .../memcache_text_tcp_single_load_store.pcap | Bin 0 -> 5695 bytes .../docker/pcaps/memcache_text_tcp_stats.pcap | Bin 0 -> 2668 bytes .../pcaps/memcache_text_udp_counter_ops.pcap | Bin 0 -> 288 bytes .../pcaps/memcache_text_udp_delete.pcap | Bin 0 -> 204 bytes .../pcaps/memcache_text_udp_multi_store.pcap | Bin 0 -> 428 bytes .../pcaps/memcache_text_udp_single_store.pcap | Bin 0 -> 1147 bytes .../docker/pcaps/mongo_3.0_session.pcap | Bin 0 -> 12090 bytes .../deploy/docker/pcaps/mongo_one_row.pcap | Bin 0 -> 752 bytes .../pcaps/mongodb_create_collection.pcap | Bin 0 -> 1760 bytes 
.../deploy/docker/pcaps/mongodb_find.pcap | Bin 0 -> 944 bytes .../pcaps/mongodb_insert_duplicate_key.pcap | Bin 0 -> 1767 bytes .../deploy/docker/pcaps/mongodb_inserts.pcap | Bin 0 -> 2376 bytes .../docker/pcaps/mongodb_more_rows.pcap | Bin 0 -> 46491 bytes .../pcaps/mongodb_reply_request_reply.pcap | Bin 0 -> 1281 bytes .../deploy/docker/pcaps/mongodb_use_db.pcap | Bin 0 -> 545 bytes .../docker/pcaps/mysql_affected_rows.pcap | Bin 0 -> 359 bytes .../deploy/docker/pcaps/mysql_connection.pcap | Bin 0 -> 2021 bytes .../mysql_err_database_not_selected.pcap | Bin 0 -> 332 bytes .../_dev/deploy/docker/pcaps/mysql_long.pcap | Bin 0 -> 183149 bytes .../docker/pcaps/mysql_long_result.pcap | Bin 0 -> 3922 bytes .../pcaps/mysql_windows_lineending.pcap | Bin 0 -> 757 bytes .../docker/pcaps/mysql_with_whitespaces.pcap | Bin 0 -> 5398 bytes .../_dev/deploy/docker/pcaps/nfs4_close.pcap | Bin 0 -> 584 bytes .../_dev/deploy/docker/pcaps/nfs_v3.pcap | Bin 0 -> 426 bytes .../_dev/deploy/docker/pcaps/nfs_v4.pcap | Bin 0 -> 642 bytes .../deploy/docker/pcaps/nfsv42_clone.pcap | Bin 0 -> 580 bytes .../docker/pcaps/nfsv42_layoutstats.pcap | Bin 0 -> 744 bytes .../docker/pcaps/pgsql_extended_query.pcap | Bin 0 -> 1561 bytes .../deploy/docker/pcaps/pgsql_insert.pcap | Bin 0 -> 355 bytes .../docker/pcaps/pgsql_insert_error.pcap | Bin 0 -> 650 bytes .../docker/pcaps/pgsql_long_result.pcap | Bin 0 -> 3496 bytes .../docker/pcaps/pgsql_request_response.pcap | Bin 0 -> 503 bytes .../_dev/deploy/docker/pcaps/pgsql_rt.pcap | Bin 0 -> 3012 bytes .../docker/pcaps/redis_one_transaction.pcap | Bin 0 -> 233 bytes .../deploy/docker/pcaps/redis_session.pcap | Bin 0 -> 2303 bytes .../endace/_dev/deploy/docker/pcaps/sip.pcap | Bin 0 -> 6632 bytes .../pcaps/sip_authenticated_register.pcap | Bin 0 -> 1654 bytes .../docker/pcaps/thrift_integration.pcap | Bin 0 -> 21462 bytes .../deploy/docker/pcaps/thrift_tutorial.pcap | Bin 0 -> 6363 bytes .../deploy/docker/pcaps/tls-version-13.pcap | Bin 0 -> 14332 bytes 
.../docker/sample_logs/ipfix_cisco.pcap | Bin 0 -> 4358 bytes packages/endace/changelog.yml | 16 + .../system/test-http-get-2k-file-config.yml | 6 + .../test/system/test-icmp-2-pings-config.yml | 7 + .../test/system/test-icmp4-ping-config.yml | 6 + .../test/system/test-icmp6-ping-config.yml | 6 + .../flow/agent/stream/flow.yml.hbs | 42 + .../ingest_pipeline/compatibility.yml | 32 + .../elasticsearch/ingest_pipeline/default.yml | 101 + .../elasticsearch/ingest_pipeline/geoip.yml | 103 + .../endace/data_stream/flow/fields/agent.yml | 196 + .../endace/data_stream/flow/fields/base.yml | 12 + .../endace/data_stream/flow/fields/beats.yml | 95 + .../endace/data_stream/flow/fields/ecs.yml | 144 + .../data_stream/flow/fields/protocol.yml | 15 + .../data_stream/flow/fields/protocol_ecs.yml | 23 + packages/endace/data_stream/flow/manifest.yml | 67 + .../endace/data_stream/flow/sample_event.json | 86 + .../pipeline/test-netflow-log-events.json | 3373 ++++++++++++++++ ...test-netflow-log-events.json-expected.json | 3587 +++++++++++++++++ .../_dev/test/system/test-netflow-config.yml | 9 + .../log/agent/stream/netflow.yml.hbs | 37 + .../elasticsearch/ingest_pipeline/default.yml | 115 + .../endace/data_stream/log/fields/agent.yml | 71 + .../data_stream/log/fields/base-fields.yml | 17 + .../endace/data_stream/log/fields/ecs.yml | 712 ++++ .../data_stream/log/fields/package-fields.yml | 2689 ++++++++++++ packages/endace/data_stream/log/manifest.yml | 95 + .../endace/data_stream/log/sample_event.json | 123 + packages/endace/docs/README.md | 400 ++ .../elasticsearch/ingest_pipeline/endace.yml | 52 + packages/endace/img/endace-logo.svg | 12 + packages/endace/img/endace-screenshot-1.png | Bin 0 -> 10982 bytes packages/endace/manifest.yml | 100 + packages/endace/validation.yml | 5 + 126 files changed, 12635 insertions(+) create mode 100644 packages/endace/LICENSE.txt create mode 100755 packages/endace/_dev/build/build.yml create mode 100644 packages/endace/_dev/build/docs/README.md 
create mode 100644 packages/endace/_dev/deploy/docker/docker-compose.yml create mode 100644 packages/endace/_dev/deploy/docker/pcaps/amqp_channel_error.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/amqp_emit_receive.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/amqp_publish.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/cassandra_create_index.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/cassandra_create_keyspace.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/cassandra_create_table.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/cassandra_insert.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/cassandra_mixed_frame.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/cassandra_select.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/cassandra_select_via_index.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/cassandra_trace_err.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/dhcp.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/dns_additional.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/dns_google_com.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/dns_mx.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/dns_not_found.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/dns_ns.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/dns_tcp_axfr.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/dns_txt.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/dns_udp_edns_ds.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/http_10_connection_close.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/http_basicauth.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/http_get_2k_file.pcap create mode 100644 
packages/endace/_dev/deploy/docker/pcaps/http_minitwit.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/http_over_vlan.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/http_post.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/http_post_json.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/http_realip.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/http_url_params.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/http_x_forwarded_for.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/icmp4_ping.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/icmp4_ping_over_vlan.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/icmp6_ping.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/icmp6_ping_over_vlan.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/icmp_2_pings.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_counter_ops.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_delete.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_multi_store_load.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_single_load_store.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_stats.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_counter_ops.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_delete.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_multi_store.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_single_store.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_counter_ops.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_delete.pcap create mode 100644 
packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_multi_store_load.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_single_load_store.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_stats.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/memcache_text_udp_counter_ops.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/memcache_text_udp_delete.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/memcache_text_udp_multi_store.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/memcache_text_udp_single_store.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/mongo_3.0_session.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/mongo_one_row.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/mongodb_create_collection.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/mongodb_find.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/mongodb_insert_duplicate_key.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/mongodb_inserts.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/mongodb_more_rows.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/mongodb_reply_request_reply.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/mongodb_use_db.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/mysql_affected_rows.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/mysql_connection.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/mysql_err_database_not_selected.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/mysql_long.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/mysql_long_result.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/mysql_windows_lineending.pcap create mode 100644 
packages/endace/_dev/deploy/docker/pcaps/mysql_with_whitespaces.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/nfs4_close.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/nfs_v3.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/nfs_v4.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/nfsv42_clone.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/nfsv42_layoutstats.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/pgsql_extended_query.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/pgsql_insert.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/pgsql_insert_error.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/pgsql_long_result.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/pgsql_request_response.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/pgsql_rt.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/redis_one_transaction.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/redis_session.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/sip.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/sip_authenticated_register.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/thrift_integration.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/thrift_tutorial.pcap create mode 100644 packages/endace/_dev/deploy/docker/pcaps/tls-version-13.pcap create mode 100644 packages/endace/_dev/deploy/docker/sample_logs/ipfix_cisco.pcap create mode 100644 packages/endace/changelog.yml create mode 100644 packages/endace/data_stream/flow/_dev/test/system/test-http-get-2k-file-config.yml create mode 100644 packages/endace/data_stream/flow/_dev/test/system/test-icmp-2-pings-config.yml create mode 100644 packages/endace/data_stream/flow/_dev/test/system/test-icmp4-ping-config.yml create mode 100644 
packages/endace/data_stream/flow/_dev/test/system/test-icmp6-ping-config.yml create mode 100644 packages/endace/data_stream/flow/agent/stream/flow.yml.hbs create mode 100644 packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/compatibility.yml create mode 100644 packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml create mode 100644 packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/geoip.yml create mode 100644 packages/endace/data_stream/flow/fields/agent.yml create mode 100644 packages/endace/data_stream/flow/fields/base.yml create mode 100644 packages/endace/data_stream/flow/fields/beats.yml create mode 100644 packages/endace/data_stream/flow/fields/ecs.yml create mode 100644 packages/endace/data_stream/flow/fields/protocol.yml create mode 100644 packages/endace/data_stream/flow/fields/protocol_ecs.yml create mode 100644 packages/endace/data_stream/flow/manifest.yml create mode 100644 packages/endace/data_stream/flow/sample_event.json create mode 100644 packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json create mode 100644 packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json create mode 100644 packages/endace/data_stream/log/_dev/test/system/test-netflow-config.yml create mode 100644 packages/endace/data_stream/log/agent/stream/netflow.yml.hbs create mode 100644 packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml create mode 100644 packages/endace/data_stream/log/fields/agent.yml create mode 100644 packages/endace/data_stream/log/fields/base-fields.yml create mode 100644 packages/endace/data_stream/log/fields/ecs.yml create mode 100644 packages/endace/data_stream/log/fields/package-fields.yml create mode 100644 packages/endace/data_stream/log/manifest.yml create mode 100644 packages/endace/data_stream/log/sample_event.json create mode 100644 packages/endace/docs/README.md create mode 100644 
packages/endace/elasticsearch/ingest_pipeline/endace.yml create mode 100644 packages/endace/img/endace-logo.svg create mode 100644 packages/endace/img/endace-screenshot-1.png create mode 100644 packages/endace/manifest.yml create mode 100644 packages/endace/validation.yml diff --git a/packages/endace/LICENSE.txt b/packages/endace/LICENSE.txt new file mode 100644 index 00000000000..809108b857f --- /dev/null +++ b/packages/endace/LICENSE.txt 
@@ -0,0 +1,93 @@
+Elastic License 2.0
+
+URL: https://www.elastic.co/licensing/elastic-license
+
+## Acceptance
+
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide,
+non-sublicensable, non-transferable license to use, copy, distribute, make
+available, and prepare derivative works of the software, in each case subject to
+the limitations and conditions below.
+
+## Limitations
+
+You may not provide the software to third parties as a hosted or managed
+service, where the service provides users with access to any substantial set of
+the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality
+in the software, and you may not remove or obscure any functionality in the
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. Any use of the licensor’s trademarks is subject
+to applicable law.
+
+## Patents
+
+The licensor grants you a license, under any patent claims the licensor can
+license, or becomes able to license, to make, have made, use, sell, offer for
+sale, import and have imported the software, in each case subject to the
+limitations and conditions in this license. This license does not cover any
+patent claims that you cause to be infringed by modifications or additions to
+the software. If you or your company make any written claim that the software
+infringes or contributes to infringement of any patent, your patent license for
+the software granted under these terms ends immediately. If your company makes
+such a claim, your patent license ends immediately for work on behalf of your
+company.
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from you
+also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the
+software prominent notices stating that you have modified the software.
+
+## No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in
+these terms.
+
+## Termination
+
+If you use the software in violation of these terms, such use is not licensed,
+and your licenses will automatically terminate. If the licensor provides you
+with a notice of your violation, and you cease all violation of this license no
+later than 30 days after you receive that notice, your licenses will be
+reinstated retroactively. However, if you violate these terms after such
+reinstatement, any additional violation of these terms will cause your licenses
+to terminate automatically and permanently.
+
+## No Liability
+
+*As far as the law allows, the software comes as is, without any warranty or
+condition, and the licensor will not be liable to you for any damages arising
+out of these terms or the use or nature of the software, under any kind of
+legal claim.*
+
+## Definitions
+
+The **licensor** is the entity offering these terms, and the **software** is the
+software the licensor makes available under these terms, including any portion
+of it.
+
+**you** refers to the individual or entity agreeing to these terms.
+
+**your company** is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control over,
+are under the control of, or are under common control with that
+organization. **control** means ownership of substantially all the assets of an
+entity, or the power to direct its management and policies by vote, contract, or
+otherwise. Control can be direct or indirect.
+
+**your licenses** are all the licenses granted to you for the software under
+these terms.
+
+**use** means anything you do with the software requiring one of your licenses.
+ +**trademark** means trademarks, service marks, and similar rights. diff --git a/packages/endace/_dev/build/build.yml b/packages/endace/_dev/build/build.yml new file mode 100755 index 00000000000..71f48ba2a9c --- /dev/null +++ b/packages/endace/_dev/build/build.yml @@ -0,0 +1,4 @@ +dependencies: + ecs: + reference: "git@v8.11.0" + import_mappings: true diff --git a/packages/endace/_dev/build/docs/README.md b/packages/endace/_dev/build/docs/README.md new file mode 100644 index 00000000000..6bb259983a7 --- /dev/null +++ b/packages/endace/_dev/build/docs/README.md 
@@ -0,0 +1,171 @@
+# Network Packet Capture Integration
+
+This integration sniffs network packets on a host and dissects
+known protocols.
+
+Monitoring your network traffic is critical to gaining observability and
+securing your environment — ensuring high levels of performance and security.
+The Network Packet Capture integration captures the network traffic between
+your application servers, decodes common application layer protocols and
+records the interesting fields for each transaction.
+
+## Supported Protocols
+
+Currently, Network Packet Capture supports the following protocols:
+
+- ICMP (v4 and v6)
+- DHCP (v4)
+- DNS
+- HTTP
+- AMQP 0.9.1
+- Cassandra
+- Mysql
+- PostgreSQL
+- Redis
+- Thrift-RPC
+- MongoDB
+- Memcache
+- NFS
+- TLS
+- SIP/SDP (beta)
+
+### Common protocol options
+
+The following options are available for all protocols:
+
+#### `map_to_ecs`
+
+Remap any non-ECS Packetbeat fields in root to their correct ECS fields.
+This will rename fields that are moved so the fields will not be present
+at the root of the document and so any rules that depend on the fields
+will need to be updated.
+
+The legacy behaviour of this option is to not remap to ECS. This behaviour
+is still the default, but is deprecated and users are encouraged to set
+this option to true.
+
+ECS remapping may have an impact on workflows that depend on the identity
+of non-ECS fields, and users should assess their use of these fields before
+making the change. Users who need to retain data collected with the legacy
+mappings may need to re-index their older documents. Instructions for doing
+this are available [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html).
+The pipeline used to perform ECS remapping for each data stream can be found
+in `Stack Management`›`Ingest Pipelines` and and searching for
+"logs-network_traffic compatibility".
+
+The deprecation and retirement timeline for legacy behavior is available
+[here](https://github.com/elastic/integrations/issues/8185).
+
+#### `enabled`
+
+The enabled setting is a boolean setting to enable or disable protocols
+without having to comment out configuration sections. If set to false,
+the protocol is disabled.
+
+The default value is true.
+
+#### `ports`
+
+Exception: For ICMP the option `enabled` has to be used instead.
+
+The ports where Network Packet Capture will look to capture traffic for specific
+protocols. Network Packet Capture installs a
+[BPF](https://en.wikipedia.org/wiki/Berkeley_Packet_Filter) filter based
+on the ports specified in this section. If a packet doesn’t match the
+filter, very little CPU is required to discard the packet. Network Packet Capture
+also uses the ports specified here to determine which parser to use for
+each packet.
+
+#### `monitor_processes`
+
+If this option is enabled then network traffic events will be enriched
+with information about the process associated with the events.
+
+The default value is false.
+
+#### `send_request`
+
+If this option is enabled, the raw message of the request (`request`
+field) is sent to Elasticsearch. The default is false. This option is
+useful when you want to index the whole request. Note that for HTTP, the
+body is not included by default, only the HTTP headers.
+
+#### `send_response`
+
+If this option is enabled, the raw message of the response (`response`
+field) is sent to Elasticsearch. The default is false. This option is
+useful when you want to index the whole response. Note that for HTTP,
+the body is not included by default, only the HTTP headers.
+
+#### `transaction_timeout`
+
+The per protocol transaction timeout. Expired transactions will no
+longer be correlated to incoming responses, but sent to Elasticsearch
+immediately.
+
+#### `tags`
+
+A list of tags that will be sent with the transaction event. This
+setting is optional.
+
+#### `processors`
+
+A list of processors to apply to the data generated by the protocol.
+
+#### `keep_null`
+
+If this option is set to true, fields with `null` values will be
+published in the output document. By default, `keep_null` is set to
+`false`.
+
+
+## Network Flows
+
+Overall flow information about the network connections on a
+host.
+
+You can configure Network Packet Capture to collect and report statistics
+on network flows. A *flow* is a group of packets sent over the same time
+period that share common properties, such as the same source and destination
+address and protocol. You can use this feature to analyze network
+traffic over specific protocols on your network.
+
+For each flow, Network Packet Capture reports the number of packets and the
+total number of bytes sent from the source to the destination. Each flow event
+also contains information about the source and destination hosts, such
+as their IP address. For bi-directional flows, Network Packet Capture reports
+statistics for the reverse flow.
+
+Network Packet Capture collects and reports statistics up to and including the
+transport layer.
+
+**Configuration options**
+
+You can specify the following options for capturing flows.
+
+#### `enabled`
+
+Enables flows support if set to true. Set to false to disable network
+flows support without having to delete or comment out the flows section.
+The default value is true.
+
+#### `timeout`
+
+Timeout configures the lifetime of a flow. If no packets have been
+received for a flow within the timeout time window, the flow is killed
+and reported. The default value is 30s.
+
+#### `period`
+
+Configure the reporting interval. All flows are reported at the very
+same point in time. Periodical reporting can be disabled by setting the
+value to -1. If disabled, flows are still reported once being timed out.
+The default value is 10s.
+ +{{fields "flow"}} + +{{event "flow"}} + +## Licensing for Windows Systems + +The Network Packet Capture Integration incorporates a bundled Npcap installation on Windows hosts. The installation is provided under an [OEM license](https://npcap.com/oem/redist.html) from Insecure.Com LLC ("The Nmap Project"). \ No newline at end of file diff --git a/packages/endace/_dev/deploy/docker/docker-compose.yml b/packages/endace/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..645c7f1a81e --- /dev/null +++ b/packages/endace/_dev/deploy/docker/docker-compose.yml @@ -0,0 +1,13 @@ +version: "2.3" +services: + network_traffic: + image: alpine + volumes: + - ./pcaps:/sample_pcaps:ro + - ${SERVICE_LOGS_DIR}:/pcaps + command: /bin/sh -c "cp /sample_pcaps/* /pcaps/" + netflow-log-netflow: + image: akroh/stream:v0.0.1 + volumes: + - ./sample_logs:/sample_logs:ro + command: pcap --start-signal=SIGHUP --delay=5s --addr elastic-agent:2055 -p=udp /sample_logs/ipfix_cisco.pcap 
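Review bot: Both container images in the docker-compose.yml hunk are referenced by mutable tag only — `image: alpine` carries no tag at all and `akroh/stream:v0.0.1` is an individual's Docker Hub image — so what the system-test harness runs depends on whatever those tags resolve to on the day, and the fixture is neither reproducible nor auditable. Pinning each image by digest, e.g. `image: alpine:<version>@sha256:<digest-placeholder>` for the `network_traffic` service and the same form for the `netflow-log-netflow` stream image, keeps the test environment stable and lets a later review confirm exactly which binaries replayed the pcaps. The `${SERVICE_LOGS_DIR}` bind mount is presumably populated by the elastic-package test runner; a short comment above it such as `# SERVICE_LOGS_DIR is provided by the test runner` would save the next reader from hunting for where it is set.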
diff --git a/packages/endace/_dev/deploy/docker/pcaps/amqp_channel_error.pcap b/packages/endace/_dev/deploy/docker/pcaps/amqp_channel_error.pcap new file mode 100644 index 0000000000000000000000000000000000000000..313bb20e09266b367aaf3f6621fe9e730c489b5f GIT binary patch literal 2164 zcmaKtOK%%h6oAi!JRB#=BDhhgDi{!w9ZKvpZE1im5@NRv%CmVC7GTEXYx^qWnaRwZ z1TPRMg78w2Dk52tB2~~<^*Ye}fg-U%CW|guB7_86vZ1SnbFOEsG#QfQjP9Ms`ObIl z&CH{RJKwcHD+E6W2LLNLx&G+>672NAB#tQno@s@4Ilw~%G60ur>!UE*zIo|m0EJ@X zW?$m=?mwmNt@`~>`jw?8LwHh&MB$}(|DqV1nwtgaR4Dgj%>BCpGLGj~_Nrr)`_7+1 z?!LsvP0EY;ZOVP{)6=;z6`t6HDE@Zh$m-TLTg!2S3(njtc=7vQ+shf;EiosnTV{bf zWmhPt*@t>bGm9+S9OSr}=VlQvMsu3W^`xok%R=eHhg`2rPiv;mjI3!1UZ@DA7cZDh z7u+(FIm6PISzaj5Ht)6_ZaK0Fp`6h?QDUaxx<=#u{L251X>yP@bYSNKQi{TRL9!3rrtysuT?BJX?4fp=q{ z?~UKy-H%D{%VFN#=>0tAYr(&?zX&*~OVx}tFam&YkVk`z1RU!U z0U`*X-QHlF+wB2{6N->7E!Mt}68!%rtrX^a)acBu^o)t4Wio@gRYJAh3WFiV)yZ?JFsGDggRjT}Q!N z68QF0!2JgBGy-FX1#QE!C80s>?gv=MIYkK7sa}(sZw6Ff^A>8}l~gR(|I(7CPkjxU z31#!_^vpu`%FN<)S{+nPOAS7BYMiQwtK3vqOO`9tcq&eH%03jaBK%m(2&rha_O5ya2_^3%nq~2SY+=NFaud5h2zDHmvc1Y(nZ2;i`i1k|5M`&Rn|P4pSd^@WF;} zv$M1N|DFFi-{lNHemih9kL5G-Z+MuoZn)UG_luVIhl|*Hc#nfIcRrgyZ{VentzxV; z^L`zxo51_~7<1vcE|iu(I2l_VSTz0jJu_S_k1F9qSD}Z^{qi!7Wev?uj1{?1`v>M> zKe-r`;MtyT7F$XUC?ht?cocfwLuC#_yklvtO(vIlLRit@lsUMBr(1k zZhl@8OYl)C-Y%*kL6O@ewJWZ5ydQQ=1VMMLw%9ikcs1Nhy7YG1&& z5Z*k6^Z(rnXnFk^8@Swzy>6Fem=uBjpy?%{U& zxvuV5f$4V=izLLjX1tQ`+B^^23K8P4@x3;=1bz3#P2c)FpV<%d{66`v9pyWv`?h8=(VXrH z7UvZ^KZW3@+~sGC7`)rVnn4|h4P#ld78!lLCd0_t@dqcnOUX-(9ispk3v|HO;{Y-T z$i#dTpeL)l6if`*1F$RwY$_ng!C(2#SxPP?2bu{m91MVic?1}fB?J@#0B5_-m|x&w z0$kv*$x<+LkW7@A48z1cFmaw3YjU%MjOnZ#OtAc@5{XY}<76eFVexh3VL-wTPQwOS zmwb(E^_WP*)_JhCoRF|h7zY9_VwlW`%m-vKrR^H%<3hn4H z7uRg-;6go-V3i`aHt(q7+kz1S!V87*a*>C<0~a`K!iZ)LVHn(>W*COumcXJ}E(+sq zyD%ytjH!%`69^TUxOyySJ>!(Nj#82^W6@JG%LOUf?^N0Vn?_!%i#_Zc;Nh_GdMfiV zc|B$78(#N=*U6-R+|Fx))&2{w>jaI9RQR>7m_MRa@ChjzUKj|}R4-guRpW=VuZxqz 
z6;VkRD>yX*C%ml1{UL?#@Qb~oUlj#W+98H;K~z+Ytc7!6=rCBpVPoinNgoZ|KcY)>_yAhNeBicvC!_y&`OPj(yyx7%Kmq8LFOpwHR_ArckXu?(`vC zwuNMwk#;A{8z=4La!NzamM|*}X_zur`}84GTZFjTO}C?Vx)HTIJFU3GrRBGSZO!`{ zuML5AR{wdXjLkh$X7-<`{n;(IWB=K40kyAirZ$u>jJlxTirORnr>>0~&Hw!;HH81U z{uArnciZjQf2NzT-W`|CdSBP)QtQ6Pp?bv^Id`CIEYch`cDL0{Mk869fRcHW{!g+;J`{1px+8X;IKK<>(iUb(v}=c4Zt`{`b%>+3A8jB&h&DlrH0NAL9>5#GZAj# zumNpOw-9Ju4v4ov^`k*~)JV?+koi}zhj}!ySM$STy(AO#d4M`SR;9NP^sOA|UJIHt zt=$AIXcwbVg#bMO*a89IuyM5}y_EnhIe>!};MLKt^v8o@=7ibe!#%&}TY# z5ub(Ge#~jMPh|@zkLN&tJA{eDCXbEjRw`HS0zL-ixV;Z+P#` z%=h!Yzuzx2`T6nvuUc3u3qSQbWAiYvH@~^^+jA<*!5D+FW3B8s4d4)G!;JO&*9O?Y z@nQXA#uSX(_qvi>x9t4(=-Ks^rR*b=s@iE5Q71UN=QrYhcqd2Io zY}LL+?N5rKc31NDJ=6vLNz|^dH??D^4N|c1IZME|9Y#)vsaJGESV9W!y$2`1?yOV| zOL!&j7EH&U5pLO&%CmgQEa~Jm*?T%F0{m^y1=T%GC`+$nt#3bjs;?#nL6}phRNW zwIC_!4=#_jRa~c7HEBojOLWJ`c-sPZJuraR#`;pdsn=m}0_&R_%#Lbw#8ccZOyoDQ z-m6gWKVS*tV7=L|{&lSP(BrV)K`%{ikEW-g-cvh2?x}Z->dn4{YOA34(e7Qoh!#EY zI4fkSYLGimx?C?V>dR@pJYU(p{g%!92U;cd|7slz{dTa~D)(e?B;Sv~_chodMuhM8 zYmd

Yt(SMxUprq0j5&yFbcz2l##-^jhFIM4as-IQ}GZhA)MjAis6UuRNUd0z49c z!xF^#7dV$;h7sXs$p4Ty6MH$%$tLH`C_i!VlT^}-5yR|O**K_UL@)+x>&RIBCu9UU zlUui(Zt`+2iV*`wPXn-X1i-&RCa#8nMzWl4FmW>)fbAG#PXU4){B-*8EY-dv2Y-ct zz`;#$kRiZ3fQdWA7~G#FWIV}w!32wy zxMew{Ooo1WMP*Yk#fX57*1ji0+aWA4bO#J&3HELjtP^1BE)+-;EpbL=*I|MYLA&S| z$XYI>1=g})ZH;K}MA1&LewGBi07#_MK;p255kZ>pr-?MMk5p)qvU^D_43qc_kit)F zg(W0kl4*Fp3Y(yP06na~eVw5BebALAbYFiTBWS}G0X_r3RoDPVgsTg_5t+YFn}E0X zx>5+BLi;7z25Ax|msAm)+v;S}Q0l0Y> M?FOY=f!4SAA53Z=ssI20 literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/cassandra_create_index.pcap b/packages/endace/_dev/deploy/docker/pcaps/cassandra_create_index.pcap new file mode 100644 index 0000000000000000000000000000000000000000..5ea3accfc936c3ce1cb7a3ac0be65f288c7347ea GIT binary patch literal 3771 zcmdUyU2GIp6vywjyX{iCu#^T+3t1$wYRD?m6e~7R+eJvqw&_P82))eC-0qH@k7Z`I zbTKGkZNz6au@3|ZAu%zA$O|SKl^VphK*Ul+WhN4ZQ57d>T4?2FtX!{%S?Pkcj-l0^_NGh=_-Iv;%7)U1y zwy^BPi<%+n;-#%D)PYV4i?T@P@W|}wCSvILEX;CHllTnEzDza4hM^lVvJVdX*qTj+ zxxE3ydE%G`Llob)Ln5qkbg&N;eJnE4^HzU~HR;6(QMB`tELg-PBD>vZ!t4b4llXSu zpSoLZ*Ppu$+w+)v+ng2Hy#TxCG4}&B_a4X_!>RsM??@sqgtakY!VZ<~b}5q$!p;~0s=Cpv2US(E68fap*a(FG8V5z%%? zmrt~adCin1EwN{3YABV!8g;k3igq7p{m)@`5(AO=Kp$PcSPkU6X1?uKx&f{^G*=9O zE@O!WRH9P$=Lb%tn25|xyHx_40E0ztf%c{v)Gro0K>h_&5o53@Q4|d|~ zXf3d7g8|rN0CojnmjO0LV2F8l3<3+4!Q6$YNkARrU#)$&>zOxSUw5{B+1&vQ=Q?zR8x5om2SA-dhHY%88O^jlcXbM zG+~!r=Y}_@JWF&Z+RG8&p6E&UCEVUYtD6HQCl^6IgE^6S)S(l~(VEmwiF&@gmPCCW z)CY-r9Ksi)mQAgo8&8W3bJ7!;Qw>E-J@qQVT!zeLAqN+monxulEET*Uq5id3X5p2y zut(y@(&-())$+=~m6BKHKCOx+@`_B{GGzZ^+>@#}{KU}IxppL-oDZ`UQi{Z5j`nOl zSIz8|i)*LaZVe_;E_g#{!2AtJXbyK& z9oQz<)JegXuqH9(2!n>UU32v;o|Spl!e+*8A)AI`qgS0f!qB>?`cNkPDjR02vc= ztRmK_`EX8Hg3FqOa)WnVa4v^)>&GgbyYgY@Hh7h7p?90gMGV9JFI^WI*QBh?o(KP< zz4+g_3pod`R34RZlyWx;sH5AakKB3to7VU6yvcW7n6eMg^*#OlxV2d3VVi=8=OxQg z-Sl8AoE}Ki220mbNIfKikg(~?ZKjn?O30<0NXk%2hGI!cC6g>?SaMiBB1TjMlF}Qb z-LPXxj>zJm!D1BJP7cYJGc^T@y3Mb-Y6Nek+C6x_L+y|jIae?yxF(FOlcRv2$WTis z9ZmzdWKB5Lbm1u3ll}WTh>4y}oC~o?zvI`tqT9avg05M-hJ9V>9>+Vab(E%Q77W4; zv)C)tEq+f7pYD#Y`1R6E@1i40l&a3S7-yU4yBi-c)*ISAS|6 z`xQ0Pens;oV=z!%L!+h5>T!wI>~|~`*+w%@&h@HMDXkB}Ug+Zrd(nsOp@OO#)rtL-F5*Bufd9UI0#x9wi^MWW?qPe>F|82`p~omE?t@E_>mh0#FCmJx-PbGqZmNq=g?l`}WQE{rB+(xg$yxDSWXvBBNh)`V=JbrBQW6`E28kq&jSL6; z(cy52^pR^sP?L(T3#69_kwhw!q>-$qWa&gs=puqfGs%RiWE1Hr`J$p`(;C~@O=eC3 zcO1LL!2|9S()YQ66(**Ak;f&rToQBs#~G)XPHD}{gmmNwhi2QlUl`Gn7=sDAgJL}R zekZ~Wyd`GPngzQ*0FqTb>WzqOlBouO?MFotdg~fvB)2zYaHwQJAd~lonputHI_L!Rh 
z8Xs*ves`eiWccaamfZ7;Tfl0~tXi<5nyXyRaxgn&PHYhwCteCFXk7G$tx z-kX2ulxd%Y&7G#@X*>yEjMfR<18?!s2%<5a4zxa6=Ow|MQk6&H=IuvReyYwI?L r20k24YZE>Nr^_VusW?ZJsko;2*lEC7;d2fY+`g}(mpxE$mFxZo^^jr0 literal 0 HcmV?d00001 diff --git a/packages/endace/_dev/deploy/docker/pcaps/cassandra_create_table.pcap b/packages/endace/_dev/deploy/docker/pcaps/cassandra_create_table.pcap new file mode 100644 index 0000000000000000000000000000000000000000..adc90767d8edfd04ceebbf67cd7b41871ee0698b GIT binary patch literal 3735 zcmdUyUu+ab9LML{JMJi5JxYT_Nn9kcN}AL1r&tJ~wVYBYg}Zw~ty9V9i7G-Dr)e9+F?XEF8)V-b?e(&Eg* zE9<*&Hcs3eS@7iP$zy1YBF%^#bh+co zkJZVdrWm?xSf0Ek)3vE1vqRpP-qDP%0ZYwu+2eaWdNaefy2n?u$a2i7vjmH^_RjzH z_3eZlaV3^RGf9A~7xil7#hJ?z;R5@@$by#lC%1>lX9#-~$O(Mk1c|Y@5511X1U9S7 z4-fKTx1egA#l#-Ox-U!Y5XO@P>mE4tR`t4psxI7YJhud@IyLEp>yBgHGf>r1QdI|J zRd2dG-PtD>ICq+5r=TgSt~=ayn`Kwa@w}=GL3@U6$vVjdodt5z$@{ z9mGr|0nz@k9n%qYMM9#Ns))uxw2X+_A#DNC49lCgrke7$_32DnhK|-WiH4>CsBcta zuVEsR0O;_wpQ?d;)0|tf@JiPPnC9Kd;SlI7R5T9LEG5&d59WxVtYx$O?X#G_|0oqK z$>vn34X^iAle2n!D>U`hQHdQvog@G|G?tkbY+ndA6oO3v>@2{R5g0;5%t2t0GMG@r zv;;IT`KUa&K+Cj5POeVHA2_ziCi{ImCb3V^NfJ<u9a6%lP~tr!H>=iLkGII2| z#QwmZNPOzZZ=e4-E%nzW>RZ25QJ)9(3Zfo>C^J!Owpq+u_lk|>TL0E^hNbg8_pBu> zx0062LUzrxJI^t)SxS*%K>aJLV7;ekJq_~0OzRC9eD~j8j0R8d0WXdt6JkLU-vix)_xT6dd6fLJ($lY-k*HkTMSXs6R!z8@g`8>BgngLZLcn|qC z=$u0>lz+=jNzKtP8P^8OQ$DC`BGeU!t2%xPs^OG-8+AUQ7EMp_j67F7TQQ9x&StYZ z9B&LEsG79YSv|sfF+sLl&pi(Msc}jTe^!6Y78Cet0AxMQG`?C7n>VWP4qpK z=XqZN17^|9DFyBrwvG`>o<42Jqc-KEhG}`{x&^KkP1OS?Hsd+N;PI_dc?#l`6gdE0 ziM6A9e}49h#(k)_K*)GevJcAIj_z(04UWCrB`T$$I-VhPj6pq{dnk9(vma6miD{-Yfv${mGyF@!NGp&X{CEd2$z}`&aed>c}%MNx#h$} zbsI-Ml=M4({U@>Zn=yKh;}wxAo>G~_8+m?$wrLkF!j3ZO2^y5V!Fx}vNzT3Y-K%XU z4j#GjgXqIu$SFerFk0LdoGjbIjr7)X+dzi&UUYHtX zv%?esr;z$p7amQg2rhE)&HF1F=orD6|79TFIr`=qmSz@puBfJ|1Sb(x{@(;;{q7uG zUqQei5=D?Q7A(6zy#UK4q%eLtH5;nvgo<&ZgK#JbN zLnZw`KzXOR#NP%QSDLHT@XzOpQ>G&qFV9xdB!wwWLDHi!5PE8npka_!3PlrAiniDk zg9Mk1yBVa;PvJpmmDC)!3zSd&Q-o5rxZi#|?>mJ&R2QT2(OC|z0ZMqeKcEcw$^?!N%2>;_i= literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/cassandra_insert.pcap b/packages/endace/_dev/deploy/docker/pcaps/cassandra_insert.pcap new file mode 100644 index 0000000000000000000000000000000000000000..74c6ba51da31af3eda54b7f49d3ee45af36085db GIT binary patch literal 287 zcmca|c+)~A1{MYcfUs}e$PYiVl7nFpPy&RRfY_CRVIK1|2L=Z=28MbD21XD*^HDj7 zDWmE*=h5gZ4HDYB|4jl4GIDSQ7u-w?F7V?6n)Zhss5cRaeLVewU4udtJpDra6-tX! zi;5LAKvaBYijIOpT3%vqs*XYqh|=UzPzZDM33Uxt&@ePNG1XB}&&topQwP$;xtS#y z>YCOJj3z)MQy4fHSk3g(`g)Z>E@t}90dgf6LtX4>RD|kc<)AYkL9S)Ws5WenFo^wU U3U_e{$ki=C7jpp30EGi1020SV=Kufz literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/cassandra_mixed_frame.pcap b/packages/endace/_dev/deploy/docker/pcaps/cassandra_mixed_frame.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a0417059a942ffb1d94b138be12eaaf4df06ed40 GIT binary patch literal 114224 zcmeF437A|}nfEJXUrEwY;$C*Z1=HQNFHx2lB5Oz_VG+c#x~jUnNOe_HOF99=ridGe zxS)*dprei`j(`dZ;yNya8=#Eh_=z)aaWv|L|4dAWPQkt6lI79wKk^)icjyx= zp{-)UIs0QKjzilOLR&YSkAQO%w8+Py=f?PnCXPYRYUsJ%r00Z<>yHZ$g-_VFZOc$} zFuHWn`c`wSRxe+WZSE08|6ayC1;-2%%7P^ZQ8bRr+k(!I-%BRt_xRcg?wd9 zzGh>Q$kIg{YSm_`+8j8gR2^-Otqbd>YN?>XwwFp11NlmMM``JzrHe!qw_8Nv~gBdgYvoSOcTdL&yRd^ZsRPxAQ+Fn|1%%XMQirn@xU3M$KJZdqrb{A zH+EcV!MyAd6B8aUdiSeN`EPK)&?O%I6`B3j#k>wozg_)m(!|`O>HGq?zky$GJW^O9 z|BqO3-uZqL$D!>vLR&YSITwaPpN41oI8J!;FJ5Ef81zUy`cT^m6+Opq+!h|nRcpmk z<8cd0N5Y3+u76!%^3jpUnJ@JDM_aCUUla;`c$NNWd93=tk|+1TAtT7^QX(HLpzpCkElrBv)+7umhGzffs4 znx%TKnjbIquj?;W@{MM>&?x2Wg|Ys%{Yqm3c53F#a;}s-VQZsYEWPOD6Km(!k1wy6 zBhHmuDy>m2Xx8)9#zd{&%;k&4I-LROMUawV35OYrdI2@Mhv=sBr zJb%j7(GujGig|b)pwK&N(>HW=VG~ftX|3&Cu%he@527ce6uiy==pkntJEsx8s!Uw zjA%q@$oUl$Z8=~g<((MnZjg3Pl-@Mx)8s^^=fVz@b0ZiKy}9OTMEtx`if{cGZ>d@3;_SV9yn zXANvY%HdPJvWLrjr82CfZ#`kR^KWf`P074o8X+Kz<;oP3^&R;NUvlH+N~O$EF#$YE z2cb>*LU{Am@L3`w2}1}nlggzM{O&}BDDfmZn38jL5YO_%NN=KElQ>tagP7nzMG9Hi zH4k7-&WU0j`=+W)s7z+knYI1n;B5!Be;uqhN&ua=13h2ZKhZhIL*Za%Fp^8hgzRxQ zz;2!>RZlwZftjs>61Da$C88T*uZc!=^m&Sm2TEw(5i&D?jnSZ zH`azvtQJIZm@fghSspJLGEJl-@kk;Y&t%g{h%YHp$4dDL&MG(M)ZtxC35u~)CJ|32 zk|{!g93Ic_^d5~yW2tB+k>zl;R?S%vlF4K?g3Q||m>4LxSgtc*=!%UnM+-Sju)b$=6RUO~N1p5XaUx0d3u(d@{+fl2x8#ip)8s1zfhL0~*rQ246$O5S@ zX0BE*maBOvsSTeeJWkY<87k@^Z{^Ho%yO*?V;({bey}aY4}ZO#lH6g)abnN4U6_bXi3t@a z%Z2W6E-}%VUn=p4gmy25O5&6GI@;!rgr9SS~GpSbzj zuI;H2Vj5Dd?zP4)8t@CuZbswzDk;028+EzT1(Db`1;ZRIc`F}7V6HZOrsW81xK&Yw zhs~P1T$vP`Y*h0Tjj@`y*Def9Mb-csrPwgFPO($(p3{HMNGTIpw=R0FTV$W({oyOY z&m{%6hVj+04n(j_CrgenQXq_7C?%L%CHCrC*V<0k`iG}$Y1miS`Xb35lxQ;Rl&h#& zCr?6(MiQB1I;A{+f?-FwD$&0^5@}amoownYs&P+7p@n*RLT0ZBWE;I>p72I0P0Fca 
zSXDey)Dw_poJ87i>XTZ1)GZUWCl0FWbnq;>#JOTOe2&+OEj{RH(?(onurV-NuWbi( ziUgjhE(*7+8>+W_Gu&!0mKLBeBMvI6Y9rjNg&WLfHN&a~+!xWBmO+6S)Lk6USC{^^ zZJI0j>gYger%IqAu_@DiN~=IB2zM@Rge5PIQi6gLCW(a&+3!=#T5E$Hz(KSnc^$Ye zbi-Y3$F8Z_7?Vt;~x6O)>=gV127Jkn!zm&SwX5NN_7g%Jmuxo zN#4@FCanEA%)~|`T*y!4hs*fdF7Y~5xrE8K^)gN=e93nXjg=aucKa}PHBl;*M|R>m6M>WDjlrX+SoQ$3ZJGgGI(3RI6sDG z`8YQ$e)z5LnK%YLa>L?V?Fo8CkG^5y%#IH+&ha4{CBt0wOPQ3zQu#}U; zA>*!mBd7ai`ZF@f1YhT0O68MBF&Mw!zuKP%wBO(Vnk()Y!|=Z9F}z15hKS#9y*7yR z$v2vY=lH9}Sz*Vy*n%_spoya$;f^ulhukRkI)c#isL=Cz3(n8Bnm7(UKkCAl!ueMV z&Wo-yaSVD^*y%as?Lqmx`EnD-Lr>WvXGPCh&t4W-kaPBvd^ne^+51mp{e+Zm`DC&o z$K2R|rv-Dv1tumuUh?xhhil+oW6vj(jl}q5!^ONGOut=y)mInn(R5w|?gadL@`=V0 zJ?^pKoO8UDwh5uF8&2Xm%K{5>R=vc;G3YTC|8- z+Hwu8TNYT5bK7=P9tMuFAZKz?bUodL>&$|jnFTrdxVuh7-zG5D_Apt)wBO8voS6kV zGYfKN7Uaw<$eCG?GqWJ4>#Cxe1v%@cvPi_gvTJ5Rj8U4{KlRpI zesd2Kpq>ReYT|NICYIlRR1l}{escoUnV{A<#)6y<&c9o5;wckHPo)0l9wuZz?VFI5 ziBv_;&n!6aI@ZK-==rpTubnQ=vyKk(bO;uNv-m*sC^Em` zq-B9sIG6pt2ad4{XYxX^gXzARF|!KCx6&@S%(j+}*__jQx=iqnGu|K^waa9&9gx$U;^ zN}}j;*PC5VI!WXL3+9vGWn#kPE6;jx&C|fWyGs(;jqG>3N#reH`t9oepPHC^G@W;Y z`*isACJ}`tcJ)3B&hyurI1X)37uvev{1u$lQkLAn9LVhxv$nS9*w~KmOkrKrogmieWr5OgNM&Y@ZavNW1JL$T_l#i`J5n5 z_UIlsE9^K|S#Un|Iul15!r}9ex$QIKK0|2J^G*xS>t18xIDC!w;_HVNoDZ)taSVFQ z2->D6{L-L&Uh*ds$3xG8ZgT!sF&IG~@vZaR^Qtv_Z#?w}mrIoF5arghTZE`>M)VdF>OmTLSX6Bzb81WNiNN#w@^H3# zE|f6Ss*cN}Ma6bt;^7*ehu^*XToo>!G!j(nD<3e$*ipw1FGn5U@`Q`FS})qZEc6ek zLOzZ6no4a|x1 z2pAp77CS7G9~(GQR^&M5!L!hu+kY+^S1SJ^s`7hs;rXV@wdefs@|7RB{{~e4ZyuG4 zsxB2zUSAF3+~BYMROE7SR@iZ_wBXzn93&F0?!V#2Q-3HC!E1tTdfsip89mm@7ZIvE zU!S+&ME_#qXqRy4Sz)K=VGGW!{s|T>AED=?HaXvdoIi2eg1}1mA^%GE%h&Av^4RAN zmn>k<5W8=aV-n2;Gqg2`dA@HII6PjS{M*JHxJTGC#O~V?zE!Xv%Gm zrt=7JNH?6mAh6Q?6-#>H7%SZ!Q9Kqa-G#|2#QE*! 
zwoN8+j-K9&&ToN9&r0_Wli@RiIQ>WVz%f?3@BWO~ve5H#3(gMT6Dp3-Z$aoXHuef# za6ThA6${R?v#j*I&%#$5=ff79B`ZxFgC1kzSn;LkdBlQq=t(AyBWI!KlRi1O>G^*z z3&xJu`k!!m^_sn3e_QoGalLNw=(BRnjUCU;1ux>?CS>nmB304TwBY2wXr*Vw!k6IOA$;9p!TI@Y6Gu-FJM@@0 zEZR7Kw&2`&o{8hgS?KwxPtI+erRN84E-e0?59f+Cd*g5Z%fB)=-|dFQopQ{*xlplS zp7j$G6CSVFdF_fXg8S7jH!SW%W_P-nmw@TFtN(nZiMdD9`BiYg1i#)J779z`{{{=r z=U;8&IJA99XzPaa6L4hPN%=T8EPlA4&%`n4ksB86ttWRYdh9FR|L(S)6tOL+2gUz& z-+joA*dDAQHqWAW&930w*<27<^!}86RfN7H#9xPO3OPd?FDLfaQCIIEv$;yASZL1^oS^BZvd z3vz}(V&WL|7z=VVJ&)sp91+E=p9V!bc&EuiM-+E%MHHU3Asvxk{h#v!3v$9Q=z(J_ z$ZKNp%f4qw|We6?}jZ^3!tZ%rJ79;3ch zd?|WHwp{dud+54wcmy24v#iL{8m>WCpvS1$a zX_Gd1eC>Vj-zd1*F7fDCWPhxSc|VwbyGr{P4rw~G;QkJNz41t4i5`D$!P)K`7dW*2 zPH5|fv-~&n0t<59>mSE?=`j}MT&n1Kycgt%JfiU7m+No-Y}J*><5r)4wB?);RMn*s*+^+S7c=?#zOmnFTqf zMa(S7nOTt2oLP|bIJ^s1CP3fK#HD`%^d8?6ntSv_?ydK||LkEVKs^g`)Wqd_!8!L& zL7Y=gGAB|E9AiOF2WPhh=d-?d3F-;zvxk|Gz0EfvD-)@To+~Uk?|Pw?p4)oyb(00> zO}@Qz40_BP7HxWdWx@Hqf3F%XXQ4;l9c7jC^3eRi4b<0M@8j!rQ1siko+URW>^mA< zdYl|{Z!Y94m;-4O6U5gIeygtt?n}Ddus9CcALn9@gXy=c2mWAU?$LC<1YCL2)qBH2 zVToPswBS7NSQE#gtt7N{!}%aM{;el}?O!0|rAKa9e93)+_)FO$JUb~tIt_v zb?#@n%Ic5E%Cq=D^C&p)m_0wR3g_Z$df*tVa5T-<$O4pz(xL2^xR$ zIfBr$QRsQ21?SE)OdN-=KXu_t;oM}wd4X>`3xghG6^`Od;VhgNl+ROrcW*uPY_`Z* z;kj6hZkmFTS)b@YgRVgUm9wp4^!;1!dqE zTTfnkf*8ScXOO?!ttUnBA4Xt)!GG}^robG_`Vf}B7Yp@lJ*fnCg5V7I1#xz4=z(Kw zJ=wvz*n;!RohFW>K#3B*&3ijIue0E+^KX``J@~`D`1*nc=gN2VpvR1$Vo*vx3swc? 
zbIUy@jw5HGN7m6;<@~m%2P5eBed{XsykX7W2X5an&?ADL?2VwmwqV{K%vx_4`T3_d zgFDzIf}RYoC%X~!Phk4(>T5M0znacLaJTp(pTZKmdc=ZrZ*ZNA(6&Wr>xNT&#{9t6 zlk@yrqk8Eff)0^<)Rq?K561;)A{sG58OT}5y5MMVmgYRuUl}A z{IQAS&_jgk&ezW^IA0$%aSVElttUHtt$0>YK5skT#PQH`b2mAE{=S8QiJG7KYsD+q zoVNIDl|?-=#KYbU@fQo`)w@mF)||HI$}e8?FW&}tahDA7FtUHx%@FhcePO_^D*l(a zYdRN$`yKf8*4PS5?CMYp&L!Ws()JyptsBm}ey}jK9;W5P0{_s)Q0S=dztF_l}WefXx_MPE+6%Hz=r|!JI(`(O+ZIzLfEQqgx&v>g`pOh@^J_|KfA35ju2LA6ZWVG z{Z(8$k52-G#Tzzn+H%^)ty@prd@4WZHL7ejyel-jazTP)FFqxA#>Ugsv00(H@xjDk zOr*Tn7Q|n=NLphDmeH4=fcpL5F#IknXRY#p20J4R)fQM zPwzQ=sW9{C9Qn!hPYlg63GR^lOS054NGPu;UHR0mT&jvT8;`s+z; ztr|zU)a7j+^lUcRU7=8DCF|RVx854 zYr~DgSZO@(zIY(~qSH2S3O9B&nx*kU0czj_BE>r))~}7L?=_irv=K%d--YS#bPWD7 zA@&f#`35*&g;@DGOn>QUUt#75@4HHP!t|#NrVoMXIl}Z6d@gaAE>v33T+hi{&3ZCF zk*_z)O}0!>aw%0x`9{g*zNa)QwL-oUKJ$c)r)>;xFYP+&*{b2$j(omjkZt_$y9r+yhr-h*#;7dM^d_Hu^Tf4~_oYmmGvn`+5B4@01_5!Zo?qEnPn@1d0 zS`E$BYMmp0Ld!#oJ%$om8k!@f!ryt?SVH}LU+gg$u2^Q8OlS%4%0|YZ-ESjrKgXn9 z>vnt?-M+Nh1phTO{ToF89 z4tu#KHneIW8cE05r9Bpjr!uK%GLcLsIZ@iPkyJ91$tDxgSTY?+Mg)NNXgV6p#4}uz zNF}n#Y&5IeV{#yyi6j!4OfnNoMjf1ZB$|#z6Pai<9!W;yv1nYMACG51PsO6VE+)&D zjA*rQAPRJf9%7MbG#TYRBME(aBAQJkQqT#d*-R`OPdn|&cq9RS0&=41csv==?a5?1 zk&2{KnMf=diD&q#+o3rV%_h^ScsiYpXJcuHoK!LvjYc_|%BF?0cub$4&Lm@5s7uCE z(J0bLIqYWOD3!^^Q;~QgnMtOiLO$ZjB-61p{}50tmF5x$CkuQ!o=V$oPU9f?6uBra0sxat=a7(n`wbR?6G@gt?% zV~H%>rZbUL0`W)EO3bSUVxsO;Jef+OuQ)%H+WQ8eE*?koSvpN+vr$K!u|z7J;)+-- zn@%Q>TiWS1kw(Ah1Wq9y`8#ByX|x`VAs+sSf;2hFL?#gt8E{=Bo1%N#=@#`z0HyC( zJer{+eL5yd4`9b)anv7AXd{eAQEVb1%dxSEG}71P#1mL;CXW8(3@j$8wa&F!EEq#W ze#irXD*SjNBW4@HRHO~DIqg^;a!7C-6T;jasbK@zcodt-#uHhLGnUlW6Gt|YC?=SQ zMG}x3i90yyXqLt#eWT!1B$;*2PeVF#i{o5E5Z5a)#BnSvDwR%SYMDelu8kR&Q0FGG zOghc*e@%WSn@+{DNz{SQW#f^UZb!n{I5fqvQA`4BSMbULa5(HLh4>R`=X9Jk6H8}d zE1Qa9qcJVD1npT2BLP0Xl|nPBTYMvqeJ4>0CK6A^)7sUAUVx={3>QDmXl@Yzb`wcq z%1JCg9(O{3#F|Jfh6Tpa0G&J1L^hzKy99oVN-#a$FD4j?adtGGLSz}#rQ0*~8OKcG z_$Ts@Cmi~*9^wW3MhO{&Atz=?fPzsplgwgiC|X+^`it{D2~rjt&!BdVpG`qGmKBdl 
z*hmrnR68Lto*~X51UO8#eJhD!$A~+4Q9Oo|WfIyt@d?gFDnbt|qj`-J%@7&DNl1`L zrm*UEJCQeql_BW_CgijuO&lnhB3`Ex5#qBp6G9ZyrGpd^0LGD&#=$@$a1@Q;7g-`< z#5o`5N+C)toFIzZrA2OiyuS;nXS1;+K1WD#og$gRTzUC9XdES?WVJaYGg-Jq*6ApU z<5<#Ri{Pq+rRb8>pvB3>2~3Q>3Gi4u-K%cp8$l0o5h1fMrKwMW32_)}JWUcvgQK{@ zQqzQKp3_5x=!&qU+r^M*gw|M$*VS;PZWr?;s7Zt%U}sZl9g@I6(HL0-tHYQx5p7i| z&P~NqaWO0cC?4qIkn#xDII4J!WHgPRl(>LCh|iH|GNajAHIPao+-x>WTU4&VRyesU{8ATtjlu)dX&e#(A)fdk=?F2?v%u0=X{Bpk`{?k^i240y2UgJ zY>FW43*~BCh5$?tYl7p1(CWB~C>on5o0BuCDCkFVi*bm0k#hti!ls?bMra|=6J#=^ zZgNl3@fB<}hK*BaA=6kqi-0r^MB}pLR6;pHUot}y&h`1!M+8$5HpYmcQd%!?g570tBO)-2xlTvfMeriH zQz&4j^snj9MlnvJQ6!y4f`kIcDQG8<5@H~o!U9lbZD?F9jX**kkz}H)nFkQCq~srIuZw=%n+}FBvnE7QQ?w6F)*pP$vU{bIy*@bN>!?I z1h$UKRI}7-giQ(w(l9bpg71ssKAb{!CC8vb$l~l3xF5li`U@iw!D$H8OWL4;bWfHc zTygG7(x%j2@FcktEs1-tB+&9kKoTQiRH_~AeNvF37*-#V={Xa=gg7TK2o(@c&7r)e z4*^giAwYs0A`-o-v*Y9?sfMu_EQ8RZo5^mRE75^kFAJkiGf7SAFzi{16Zldf#5;@u zg-};X@um!-k9db`0!pfrDv44-oh|xGOQ3-aEEI3k&6I5v7*a+OsmNkZb4H@0gj7N> zrMkloewE>LiGWn9Sc9a$KI$xy6DQ(Cl&hp4)vTNhK|?z^nfR$Gks%7Tl$Z(eE{$QR zv(Y%pCGy~Dl(0HF_L1MPI&_Tn2$2+oayID)CK-%~ousMNmG|^P1N=xqLnT5oNBx|= zf>bL-9Z;AX3Q{T~^f3&Iq8BA)6nLG3}cfEE+5=$bI$ znV2gzE3uBW45U7rKp>`s2#^zHvXY2Y*y5pdhjkNZRf6f`G?E&*mxv~Vsfe}`8ZdT= zVpQT8I?kw)S8_2{N020~##6*B!Cr}sBpFG`C4)mk+j7lVGmoyc^K9Sv{iQtunrgAK*-sd{R(p zLxVxG76Kq9P+~|as<5$h2HjL~q*1~v^r&XW31ksM9WjuI2jRMz(Fw#zz(a&_)S#N_ zL<-OpJ#s2$sX;JG@qW}3!GduU=WH1zOMIr9m5NN2rF{(3)KE`EO0FfvD8Hc@;-q%O z#i+FCNxEe4A-|<=pzt6Ys)4CA6MZoTNWel+us$0>QBBYrlyF?tqF9h| zk&dlNsW~Z)Wgta%bgBW)ma?8mj~ZZ-h^)Aj&Zzz<8Sw?Q>0&1#NewO|42~dNrI3{j zS;=OS5D*i!i&i}LNb*3PV(?1V|`nSWfM!nyEL5!vp|CNU}g_su>51 z;3a5Fjj=H>X(kS%14M;O;*m@gDDOkB$O(z_o75%gPo2%I1R))n%9v0_bjn^a8M=~~ z&HsreYJl1YTbKf(lMZCGr3sPV7>SS%@IEPkRh7~wDGjq{?ua3))Fe7e(M(-Rn3T~J zH6;Rqkd+dM$u1NRRG-*RR#^ky$N`eJ2vv$XRVef^g2L4?dI}jLE48&!jf@4TNtiYv z!SkKKr+9=#l#Q!O)g^YM?2_RoCM_>9CR{KArutH6ll+;BAQV&Y;>jFS%_s%KMj})o zX*@@jN_~`%$eoBtmVyw-)gZ(XSc`y8{U-LW!W4;(Du6ly@4(5$yaij5v;=*+#jHqp 
zYM@OsN}+~>ZgeW(`fMpY5|n6+qp))3GZdG|Na|>!D3M9#HIk}JaRQl=qr#Ao=@il{ z@l7HU#*Q^pOA-SWAtV%1fTTW&Gr|zfoGb%GNJn}M(m0|{#y1&lAUzC-i3zMqH)CRq zuS7%?##pP6x00e=QX4A43e|v1pPZHoR#l7yegc6KAA*J(NtK9z(2kR70>K3i>23#B^Z94v79tg+UDlNX@3jhv{NEM0-gHadf1) zVbYFBM+Jx?$mA593R}kG6tH+1Lukp-T7EK`k;01zi`_HSR-TGQiI+-#CrSx#nr=i! z?IHyUG$koJHQfXTxWi0{{%F$a5*wyA6jLMYkR0$uC|Rje7Q{*T!LyyQJ%bt`&k+ug(fFtKn9_mvMEh1z|0-;Rv=^zy261u9Ubd= zgFY!l87&hp2quV@;zFIx_=mcVqE@mhSxc4NoK3Qk0h9E~IKxpT&0-F)fn#B;2u*=x z2s*?rNpa+SLXwh{bVhlLOk^a=G=wT$`>@ainUC;9-aZ61Ci9Gkd1`GK{ zBVR4n^Ml2)=HRAQeY{nVZ|U460%Uf4Pz-MQ)!%r3@xE`zPrB{LJ2yXb-O$_QX2svQ zSs{v&k8{H&@qy*$&5F)VkFP(-O^;=s8)NO89{q4m#;s_9hYli z;u{_&r1QlhjN`yLkIv=eFfsCqtcl|YF>ovGe2A@ zxg4Bq;ouEdm_2(q_!=C1&BnoL;K+S5_ud(+G)7;$-o$Y@_*$ETa{?U97Y>f(v!)jZ zg<7RGUUgYG%fiB~CzxG(Soj+({Hu+Hmx1$cx|WZlgzK)zm^cm#e`~YQxqYUTi4qnF z3(w*6%w8-wLE?77v(;I133v&C_<$BD*_4;?2)ONV8%8k=6*|@HPQ-xajI9#81 zhi^rO=DNzwN5}MD7Es(GVPb&KvwCrzA04fiM)S?K`86zDeEH6rrOk9!>lk zJbd29!&|`dyU_E7O&o`Ze{1s)bRiyXn1TzH93njLp^P>aC89X1A%&s-Gx zK9tKxGjPb=L+AIvSslGY)?_$#v{VB6tB3*ILJy5NLXex-b3#k?G6E-)gy!l1u++^c zY5@j!!52!q`(yD)xl}2tUyV>$ZnWzLeXTU`kM0&qcQ^78lBK%^{_Ylb!bhOXrS37e z+hzIsXltA$FzP+`y5~-ttQ660bB1fhT@bN~1s;`BF;}bRgyjX5e08*y zA1w*x^-{A{uPVeg-HU|o5B8#aktbpV2w&Dd*o*Q-Bjswok`pHBctN>ZZt}+XVvwdq zyzaeOa!+)AiKyH3E)jY^=b?A5U(WMgzX}k$NTpqu&_(Jz_t%{5{G^xpwFw>KpUDqV zuIO^n_%7E-_%*l1BSHGACg0|& zlcnA`2Q&BAE#KZ_nz;@&wa6E*xr?wHdC=o7V&+Q)XG#B}P-`|zAo*x_nSK5#|7GH6 zx4Y}@i@%23;V!fA3y-@j#eU}^*V$5xy7oKUFV}^x2pXY)WS13Nbt!3bll8J>mN{Z< z6P0oyFTxDDvXq#z*m1&qt2xF`wOa8^r{B4S3KcCs>_u*cWlYUleQ;}ee4H0xjcLpU*oTK3@*=X?J*}wW@YIJVn+|dHQRMLV9?tIauiktXOW4 z^@dx`Qt>hFH4eVJw!|meSv>dp!L;(eHP2b)^vKY@xKf*h`0HL8A`R2Lakx^ejps(n6yIZ+2+;XdyQ$#+YlAB=I#k>k!3ZU%ARczG5jy`p&sysyU&RY=TD) zr#|HWFuEgO;gY9}m&UbpMp%kBmYd*hl(iyfX=%+Mn1+w#>k{B^Z zayx%#uRrA!{;aImCL3~XuDxVbPC9k-smv*aGRiQ+wUKafI4r$1!jt9Z7>l=6Ut;%R ztR1^8hHKSuKJ1djwY&LHsB{wVG1kOe93JfWEcyO|(zY_DS=`WeWKT9;D$ddzqnEK- zMRMaIYUR~ZaR+bnEGcgotSOFH7RFlD?YT;+I@%l)7ur57N7M{-yDAv85?8J%;v{?w 
zo^p0VXp--$=2&pdUSRY;3BvBbInEdN?{a>tQG&3^cF02ZoY0OB%4y4UL$`nQO~1>& z==LM-{lU7ICV#DtF`!U?Q@^=H{|?DtZy!st*)1DS+pzJ}Z6}^0dh%Ju5@isCkYQcD z9<&`iO#s6V;8=O05hgTmZ%u?%IDmi|Wg`Us^;GtAIN3Oo_*E|9- z9V(xzLNQne?bynA!c;dhPZ^Xe=i^s%{(<z5SWp23;XxF}dOrvABq?a_PTx=T1~`8B7Ue#PLr#5w=6 zWaS@T@stm}m9}ZoIHMPRe`Olfy;5V%sMk>Il+=6p@~0m0j~`q2=PN#c^Rl1ZaQ!jU zrQSn}_1eS)^R?5c=EEG!u%mA7^2m&l%#Y0kZ>9P!g_z^YFKfN>mOuQ@y5C)w{nSss z_s8EoW4d(hnfIRtXMUy;yWQIcGrp}9?E19(w`b^n+X?@$>ykT;UiHCQBk#TS32)gl zUHWd{f0zbsKSj?MBU{kng9>iN(;XWkHfMrP=?@v9HNd+x;0bm_T$ z6F??T4!Y)E<=$PHab?l){;BvQH=J?VfBaMQ%eN$N`rfx5KJ=6N`u!e52kLHjVsjew zyFyKh%qVyNm3!ll9(vbjpB@>zfi=>CcNt zw$F{d_^t1Y-E!>QhfkO;1v~3Ira`+;Gm0)*k1(U>{nzu^uYc-?Mh-b<^1U0cY23Zw zO&3g?p7p)OY0&d>L7GwR{;T%dSKsi|ADtDO^})M7dU|pB*DgOm)wWA2xi7V#Ag_rm z)z$Zdy=NsXJ?^96)es>!edd>{a>KO9*SRD43in#YcK7ms{cpiBx4uLEUB^$i#C883 zN}IxPq@zw*Dn)H*dHVL@_ntkp;%A>rJ!Q+e*BmbEjkwGygX9bicL{%0qcrf(f8WT^ z!a`PLRg3w0aYhXyD_0Gjzpm`({9^eu$lku#=Ly_~m9>D*3WPD{b!uv2=b(oj%T7~^ z8p0jO$K6Z*uJ6!_4d7}2@saN*ZhhDD-+9e{J$%icvp=_rwvMMw{SK{N+skIu{CMAp zS6U7&Z@uTyj}D(4z4Vgb{PnuizVoMNPpg_&sHIQCtuo7tW!YV(# znu%ig45?>S7vXjnGY;-(mp{QJ7|yZNFT3SESDl*t$*q0szW#$3?~!nSAP(MHMY-@q zS^03%BPMS%@d)m7A}Zzvrce<~^6ko_pP* zEpNH;y6^n-pcT73zaw9+sKw8$c^Xw}IB5Nz+6I;V8rAb|LmEBIN^2H5hKFmlCUF9W!>b6BYJ*lDHGn7bt~PYO>J!pgsO+M;^D4ou@af-?s6%Bf~Con5w^Ce*8oG z{}vq|a&_nh*Itx;#SKS4{P3Mm8Ii{YSY~ziE>54=z>DoyhO3O^c&HrCc4DsMpvhq0tB{)G$9MY7OSOymXD z$3)C$SWYSJV7qnu11$d=s^?FAYVQ{wUX)n=hPg-oY1L<5F>ui8S}dFR=a9-YMd!mb z6oVq3YGdk)@vnYcz>GgmDe=DK$G`g3m7j>Of75T5zoU8Is#hJff}NK&Ohe3F8;rTz ztF_6hRxlA+g<$7}2+%zfe-Q%zddA=MpP&5o-CxK&|AX`Dr@e0Prp=sxaPfDsnxM+< z9GSMq%hYrl4t;)$*H7TmB;GJnUeyL&K<t6h~Xg{7;ox2ykaDwhpD-p`%@hc05b z5k68nZwxJ3{K?lI8#;DgD0DHEh{3BXVF&&>qx-<}a7|Hex% z4CPWgKmGo#e|Yoat6mMl!I{qT1~;K(mk@ate@D3~Qse{a(0ETxpZ$#AkKXYAj#+tm;aeZe&;ANqiyfqW~m&~7ap{GZZek2PO*-*pxqU9e#Gv1exwdeN7=_PxDl&b;Xxnk^Ghxnb3Y{6D2x z?TqUGZr*kO+BK^$SpJ%4{oj9n7uA@QzbiJ$b#3(cH@NlGbIvqzbeZ|&otCYq4t2JknosHZ($B(-l&Xq(|87C; 
zN1OMtT@ZUT$s^G2=1|L>@jY=QSF0Bp0WJ-#@SKtx-X#^^Z1%EYJq!mIFkz>*FJNn= zIqf|J{{&gSjZvnsWezieYEvCiQkC~_@^^u!ZE1U(oE*zFidc=yunz?-cHjjr-)0NrWbAM|!rz2jevmz`){$H zZgg4IVZr@vquQx@0uJDT>r`hQNN<}3b~Xz+_8|-JhLdfTnvFq?g4r&idXcP)$PT&g zZwski4aBnXi_hYm;=|V(q*@~L{&cgX=xjM7yOqkdPATPYw{WviE@A3+e1hu&60)!q zuspZ3z=8cYNlSO8f*k>xjY0Xr%6`eu)wauu``aR~u4*y1g7I(X-cd>Lh^3P$X5}tj zN`#j2zay+pkM4n>!1kjQFgn#+)OWaZe_ME(n&9kv-FG_ZcHGjTrydU2wZVjMgZ{SQ z0_{P$^)xiI6L+n@9`klMng+KqI_kU?pwox9%_6C(sm52lxW3|R-XD0+ZaUr#``ZdI z8-vpC874j80TH{j2M+9i$ntdKW=$8}{e6HUY466}(W9ry0(zKJ%a7+LR4KnUtj5UJ zg5E>68BC`m!nPkWmMG+ZeL#ns;1LT`J-yiVDd{JmOIHnn1N*OJgCPvQ^Y()dH@;>I zEBm9L&h9kbcGm9n-2Ds-5%Y?*7Po0dVCEZB)SE2SR^L3t?ryi<>BQ4yK|L_mC>ixO z?%r(?{|9bcHGimw=spsSUkJ=ce?QI@sBSA=O2T{B15^Ot%0`FnX}t`r=NC% zrHd6#EN{e}{Vh)$38qX*WJ9mL>B@T0($iFu zgQI*rC))rkvqA6$Aj9(yc}+}n?*Ds?J1*5qrpNNb9NaeqhdVB1xR@oqV5TG`)@9!vXbbK`koURxzb zTTmZ89mIKA5ap-m{Xa%t2^_HKq-%<4!v|h3)KR(Rkgbbu6P@iYy4T&V&byys>99v+ zYOS{R^OV?1_hBOOs7u9UF03Q(fzVh4c%-1|!z1a$H zw@ceGOTSameD7-8?XdS*2iSGDlH2XH+i^>G-AbvBojmpxdAl!LUF`B?J9Z%a9Bj$l zCf52gu})0ua@az0uL+fQZ;xqeaUYPk7vQc2>_;sO?bD|AQFgl>?&Gur>DgX>yB*q( z9#B8l>bu>K^{Azvsl*{`_3id#J!t7@-}%Dx?!ZpjA%^2lpC4%1VZH~i<3RrQ9#pqy z1N}Q$9rea_F#_`zFL0Oj}^yx4!1F&sQ zu9LSLEcWFxZQq@;>t3YJYlcSh~(qj z+2@?z{m-LT+c6942jfn%RmkaGD$157G0`Kf@jI?;^vb&w4t7Pjz z8v*S*B3%_7++){SlIICu9${M#S~c#SXteVl?3!5zo@gjn<>mICPJPW5M(32PC2{qs zc4Q5KZRvIbSSNVeI&~(!rrK$@z~}bc?f5iw?F)TwkG^J0M^lK1K{e`eyi*0}ANKNc z-w`1QKJ_?jHA{@7eM4fZiZjBSD?6jnBDn+MZHan(rcj>XozdQ!!QXD_PK7t|0=f4& zRmPm1Du#JMp7-GiU$dpR-uWu1w1p~!XK~UMYPiFjc8r4+k+ezw%uT{)w!kd z3AH0d2h6s$^E6sc?~djL%AZb)g?tqV)e;i~(?RxZKx~_4?kZVt7`LJ=9B;{_Rjuj` z*hZs;$VKWAqMlUFXA{K+u#&Hwfaz(nU^-K~9U{Hk^3Eydn|TkE``d!!j(Y7t`z1U# zAlacj>`ViPize&kX0ufF)#yg6g~-QHe}SjXLiN1iG8Kpv@ExM<;0rYnyG?q~ zjmCq5w+?SyMbmu1feetry*&NqDuJpHCy69rHc9|Wd%i2Mw?hzL9rz)Yv_1a{E z8LaxK;S9cJO9#tko&$?o8`hR3MR7+R?VWJv%iguV8mryndV%aM5N1z+=+i>#qqm-V z+Q0*^u3-{IlnkHf4u8BhOqX3pk!?IpR{<=|Sq4 zKt5=LFK|;9XSv4hZLcxfg 
zD;`5|L4D2pi75p^uE2&-#>4H4&F1~XTrpZ}G|CgX(NeXm@cjYXTQclW_fIS6|*l6r-OouTK##Y+0WmvPu1|Jp^=y8gzukKtd zZg1RSnuFQAf0%RF>`1+Mz$std-}{GhDEru!@{N*(d&{By!(LpUC|DHdYqnu_*V;0@ z%YlX5;1L_LGeK?%F3Xx@_3}v5h8#FzL+-BqdCl5(-Vfx7g`E})k};KTA(U09t*WYE z&0^f&Zh=-eC`1HgZh1@qk~|%_8(YsUj2KzF{X3Wm0SH;*fQz)!vn5|{IA5vMyoIIx zsDB#@*Gdu=*4=}(u*YtyFEN1h+)dU>j{>A_QB1QEq!&$6gM>Y zKFiW;Fz~y~Eg%A_O~*Y3>TR=t^$^veE?Q9EmO~coeTZjy8$T!%+c8TI-9<5Y3xQ6Fzw$K|Kezdpf_7oH@o~Ox%6^z#|eJ*b?{p~giyGzi`$S#`u+lCU%9xk7jH0%Oe4(%VdFBQAEzGfR{cdmnZ*o6%qu_1TY zcqePRh@BP-QkOjH+dq6s=iaw*``O=a>%e;h+T;8BZj8G@`C^s*oo(YfrsZqyZnc5f z65JVk>azviy9pRzu$#Vdw)D!iYu21>o9%IyE{83GvrR|^yIbDwsXBaW8O%b}+_Sq{ss>oGaVLfQ+G@z1RJw7I?>DA$)ip*50@GLIj z=*VofFctLsUY!_I|88)Z`s(p6`(7_1D~#rv<)+#`p-sBc+Jp2is0(CNIjUdz?qYh| zEQpSVy8yCkl^HN2a(kLAaIS2-;4KELzAM1DuX+D*=Z-kf-MU=28x8=g;>U6u_8)7G z56b<$|40ia@{PtM%fCF9?rqzD#D$C*1B>>IMhm8KXQhjh=gE$s#sbJri#7Pek{kTp z=lpHki+kP%;i`For_DmGYmL27)n4PqbjbowlRf)-hqyhk7dd-fYjl@pv$d;0+*z3( z`11mr4R=~>(r{}29*D~{VvcuXO*D)f3&A6n9-Ls(ql0-&#qru{j}doTEP!1V=-r!q zUZGMpV^pWbhS^OFUQD9g_;}t}kL78yp*r<6Sd5x!;{`c!CMz$?G~w-vl? 
z7Tj(M^Af#?GCn_E;zo#f2Gne|KwH*Q_mm9~>ita~)9^G|I+&7en9k-3+-%){7c|6k zu#2DN2I?`~K=p6V{*M1KZ=iNIXP-RklI734!LvEL+(124a9;4iMWN%6pnUX=*wC?e zJmkZY)) zq3tT6tsBlwA6^t%56|*(`x!0zx)<+hF z&V&&8ILvIl^c_8LR)ceVo0&mJ%ClrV`b1tDU=Z9P_tkXcCpY$QW;c%PzkyLa1i9by zkSpB`3fq4G$8Qv4hxWi(4Nk`>6b`bVC9Eo=n0G^vu<>h6Ku3-bA;)`sa%>ZJ_N|LT zmw_oCM~)Xg`1+P~;c+Xxya85&1nwT=mh7aCWyx z}KF7mC43ak$57R zNv5JgKK*8r=~$Y72q>0HbBTkK1wI{5BBMk!6-RguU$mz(h$o$nfs&27{6a-6mWV`B z*+g1|m(Vz|Xe^$N#2_dV7b$aG^$Q9NApJ->l1az-k<#t4L>6w-nMf*u_#Si~1vg(swK#&CroP9h0O7uw$_}>W?S1 z5yqn^HjzlA5k90MeN9e0fz@W>=ughTVv<_xT${y$F*M|dJP@eDk0&x>wh>H4+7O%5 zj^!bT1jjKU%*~M+Hjs@+v6*Z&?@KaqA$$5}J6bQZR~WiNs=9U>pt5 zxg$+v13J1(;J2s*)6@N8f{_?!N8>3(mO)**Jwu;y%p{I~BL8^8p&#oZUchgZkUnqRp{*02;9R64^uRKj*ErD(kpY~91c_t{t8TXwc~e*!l1^YkPCL@X zfs!fWbvh9tK5H`}L?K-|ND%>G97$;$3?u?a(FlH#B@#xQ^Kq^eqQt@pqPSgJ()ie?uJB$$hNV2Aj-LrzNUCK|zk zF+-xFBTZ!c9>CfisHPl2aX=H1rU_B>D0Mi*(zC7E(o*UeUO(B7SUJg2lBQO544kf$Oz;v;+|VhzzG(ZM9M@Ok{nS>!_y9w z#44f|5g;mB=^H>?l1P&zVr-4Cnya)hiu04qh|UCgC;f>l;7=F<;YEU$gPumANzq4? 
zszGWKZJQ)*@64(?$*cZyxwhRH79@YfM38B?- z6;U)cPc|oKQc=*4;uhl&^&;m8Mubf}k&Vzoo+rp;NZsU~q~j~tY785v&O)ZKcoqR^ z9EijhkrsiB5XN!cjz)lzNKGggFzpj4l@OSYaSR{{&TczNi>#f*)FhcggM*WfVDu?s zuh@&!Rk}S*Oh`!yKwU>ZBr4GoztQJoNLd)b3?nhIB*%C#x~PP5g1%&i zB%JH>sgDSzB5aHiL8Y`_-~_wN;zmSZ7;~MDvWwtFaHmkfOzB_KpN(RiM59PLjRXk= zj#JQ1ASJ{=I)w$G%G%JlSQ>$ZJR-?NS2s~~f`8%=350|RMO46(;wU2_4b7rBj82TI zk8~ssLYX061xc!c?4!aZfns1%ag%j$dv$h_B9y9B`IP7g^YDL%8DHm84Cnz2Hf5Ct4EsUP+*h zQ>0;MGEyKhDhMe^QA~mooPVn972=%0AXGp&HHY$=J_JC8ga8S0h)DFR&W@9pq#DLz zunag4lld-OP zBScaV%GsnJm}D>_c9N!6SKiYH4e%oc4V4JV9QAYd3R0~UbwFWmC`j2Vp^sru6!kFB zNW-rRTzxWzL)PguN=s575b;!p32G0j1+>PWqV+5FVUz@+2A`M_1)w^c z^nd~&nT#f8tBS}zKv5)mK(Z1%h=xK4(!p|ZungkB{nRM3kEAUg347Qo&cm=ypk;7D zM5I`kV2dH^vL0I}WG0vJP6m#j7}g%0v;laqXyMXCsKf>=#f(~OAUfiiua?Q2o{W+ zIA_Z!S>iL*tW;#GEbU{MriOYVQgSURM)?iR5GS=GE=HwAPtqlW5BV*11BD0KPz_9_ zndpl#Kmrzmg7w)5ifV%1poHT(FZ2-yaU*KC6vcv!i*#&FO3g`WECVUBqf-rVwv_cm zdei`uL}bOKbVl_@$%rqYO&2=}NosHzVQ>WDDut|M$VxVogn*c+U9{q{N0JBXB)`f~ zl?bGmL}b+DBtSwr!*Xg*)l9uf93}uDLXrhaQ_VP71TR5bYK)D6Ni%U69Uv-P5|3n} zKzSc}MNUYZ-=r={f9h;zB?#%rRK|odqEq&Y$KO`lEYjEqvy zCwU>J10!}o^k*szYA`@*HZ49(7takjAazX}V5ZWo5($oUX+#zoTLe`)w9GKJ5v7R^RlR}iyGVy|7f@mo&)Y*)GsOuXeP$5Xu6mSex-T!@_WTUTIpO4?#1xyxv#CUgtpZdoa!wm zjzinULR&YSv%t9tp5^1n?Z#E_HgWc7xoLV7wzCf)tSr>j`zELiOUvlPY&HR~()TV74cgkn!q7ztNwl1u08OqK)>!gxj zx@d!5P&jZ(sXE#mTNl<%Rc=3WOJ^N78cP!c`3lchr^ev3#9P=8igj+lvM=ozp$cYbIX~aehD9^bwOdM^CTEZsgAJJsm%}LWpaL zu-^CEAkM&^9ylxPIA5{gEPcI+;|Tp8?C%Xep||O|$AWYE^(KzP*Bg5A^*0O7C!S~G z81$_0-e2y>C%!i*pIzTJaXj?g+fB|d{&O%MU77XaT)k%R8$NQuFR{07@n}+xxv}E| z7R<`qOiXyZ`tlRM`2%o&)g>NHVhfWl=51j5?do%1HZk{TI)4T358>Avj}(^J)mJPy z&)8w&IJEsxXzPY^=wFDv@GKw432*NAIiW$1#G?+)`9T$<+ca#fC3=U@J zV!2u^9Gp{iV-o2kSE*t6_f7{*hqONhPoT1ofE7X zkt?gUW_d*Rk|JTt??%NrkT0m`)ue5_RxPvLD!Np^^ls6)VreAbsx*~)%RD1NU&44} z-O!M1Q&lbuOioS?I@%a4)P`8RUurgnhAT~mzLC<%a3)eH<%f%jw5ziL6jVDR7I{wW zxr2=zqsN?o6udybEXe|X=YXObc53|cQr_UCe3PxD$HrZi$YUkBO1TP`ZMu8}jk1YA zX{b~k(!fKgsm|p?yH^R=-MWtf6IaY3j 
zy#x(%CHryI&`$rFcq*Stj0lzxMax+OTaa@2RIlvelD!3nmGrGA>~{XG?XM}B^RzF! z(~Pl;7XHVc_P5DB2^VaZLA|nYy2r`q(r4sz^M1?5vBs!Rq zb9NBV^1QiJb`_ERg==*X6C7ac1HEN~aR6&_ev5VNo2oLQk^y~YZT~oU+d=JL2kVUz zKftjs>61Da z$C88T*uZc!=^m&Sm2TEw(5i&D?jnSZH`azvtQJIZYBe(t=!};PnaWxdW*B6Mn}qn1 zB6X~kpWv)An;TX2^RfNw7!b>ShGdFRAcx2EJH1C`O$@{TEQfhqD`!PuLXNo>&j}_5 z$}N`JETY*J8)1$Xc;vJqs~VLC&*^8`*r}yS7-RtA*!re?ef!o)1{@NwVTtFaauQ$A z_&Jv3yK%#& zt>Mj;V)*z{Rl038h%B<_1rM+jB8oY^!84T9hR+ioCu+*Zp^5m}DycZCBB3Hx48{`* zjZgkT|3`FJf5`j3^V4PFTIV<5k zFpUCZIYOsHiwlJP%Rn!u26}Lo9OsMxwB9*L2YDM=F_$sRwJMBx2+`5sAp_e|{P5S? zDT6u~a-7(6Z5Jl!ehN&eI9V=qhjWQxve*Y0k4R|uQm7<8nXj|uTX#TL$Wx=wDbKoS zKJ7?~zg{|A(_z`Cs!ts49F(9;L#ow{Lf~M`h{t$%!9zPY>T;zEsl>J^>C{{KOvSVu zfep7Rs_?K`vug)FqfClT$}0WFSk2pO7Y3%HbO4P~Y?x>B*}GqF&?T|&oRLx{vTj}U zT(`(R$NR%qf}cwYFXaOx9T?Q9h7gQ_|mJWDQduGkHqMh?4^S~w*9YA4598^@*Mz~oEH<-<8hE)x?FQPRqg90(A zyEvY&F8yoUG*@_4!$4`LN_J9oPnqshTC626g*%rv!jcz9^#gBVl33V~{XWI4wKmuR z97J1^gCVO6-Eddiv1{ryBLdD3JN8i>ogRuc6@wbQ3#H>M$9GDXDcZ#*=Zfj3)}@5i z`(*G~+`hB7ZqOe$b#wgbq8bb_~3VWVJ zv>`THkU)%ofVrH?!E$#%;ErEQWkPJUptaIinix$aM`D8%#%N(e1IEJQI%%-8Ac61A z%+9?xJG(X}l3X!A_PaN4-jU+DLm81n3}3SP*f!L^xwdNt`Pq88~@A&NC0r;R}hQ3F`Lf)7MeeA!MyQ z&pkMWj}pg>tC}^g4<4Ma4<(L}MH6{x| zhgcjS_ITjhEh1fTbNlf1|CiU;^Qi4qQ4ZIBbF=M5Bv>rY$3>! z6{o&AjYuM#n1*x=;}HUiWmI`ui5Rt_(~3uc;I^ueN3?;^tJK1Y$wo=V<*JqXDb8)N z3~}%vI%!rQrd|OdhE$@3gW|68yt#u4^yk$81YhTGNUbMr7>w)py?>;^>}$Vo<+g$V zhWD8n9vRFk`Tei%Bu>w422S3Ob2*>Hd3#>sXh#SFIKrmm2v(jO9-K3GC5{=_X4beK cdvLa$qw_+Zyl_k_&vy?_?@+2d1)rXe0h`dyi2wiq literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/cassandra_select.pcap b/packages/endace/_dev/deploy/docker/pcaps/cassandra_select.pcap new file mode 100644 index 0000000000000000000000000000000000000000..3181a4b938f213136b9f6535f89f92f5cbc6e2ac GIT binary patch literal 316 zcmca|c+)~A1{MYcfUrN^$PfRd%FB=ilmKBSAa-S7NHbsMz~I2fz);V?zzD);J}L(> zWmFq-9*ut3AfdhcUldS~k%KF^(Edws!Oaq&X@A*)dNqMqB-qu*)j32#OTjJ3-&diu zIJKzQnt{;-D3!v%!N6*!mmz=PJILmy2wsL+Kw%Ju+B~hW8P#UxpfevqwgPQWZjdmD z{?`Sw*?|FMdkfHJ4xs)>s2Pkvnwfzsw=z4mvbZ2IIhBDG>;eXM5EY-9!obPEnwFQC io65k;z?uVP0L=vI1NwsPB8bk)&&UJPti`#RB^dzn4@leq literal 0 HcmV?d00001 diff --git a/packages/endace/_dev/deploy/docker/pcaps/cassandra_select_via_index.pcap b/packages/endace/_dev/deploy/docker/pcaps/cassandra_select_via_index.pcap new file mode 100644 index 0000000000000000000000000000000000000000..48600359852d21292d520d70617e80d46a6ddf36 GIT binary patch literal 338 zcmca|c+)~A1{MYcfUu=*=7%r6%E-_FlmKBSAa-S7s9FBmfx&@|fuWv(ff0nyd{ho% z%BYLtJen%sAfa9OuK*~>$iWp{cvCXCaFQzv10x$dP_I1@YX!UdxH^X@Xeqb_`THuA z7N-^!D};Nv2DvKa9|GMDrF#)-$1?V0Qp#Dgx8H_-hnSm>}GCQ@h zxF9h(m4OxPE(UfG6`z^Hz{$Xx267z(F9R#snLq~6Odtk^6x&4*ot2-F2c%iSjt2lB C`b+}= literal 0 HcmV?d00001 diff --git a/packages/endace/_dev/deploy/docker/pcaps/cassandra_trace_err.pcap b/packages/endace/_dev/deploy/docker/pcaps/cassandra_trace_err.pcap new file mode 100644 index 0000000000000000000000000000000000000000..8d006781352516aa49eeec2ebffc10020c52e795 GIT binary patch literal 285 zcmca|c+)~A1{MYcfUsRYEDFEL#Ke#flmKBSAa-S7$bKs3z~I2fz);V?zzD+Ef|Y}k zQ|Gka+b>buAfeCvFCHk!$ibz@vVcjCr6`MqiBXsxs8_^oO@Q(#3>*xsmX`lkPdoy$UOkqHp$sSt!eHx}7>WX~qgt;VbS)TU zHP8ur8YB!_{-wdK7Y8|^g@I8RsGY%-fkBypLEkwsFE77DA*Cq4Kp`(bPa(A;v$!NP PFI@rV5(RaHtJL)XYQ03Z literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/dhcp.pcap b/packages/endace/_dev/deploy/docker/pcaps/dhcp.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a42d6102e8a27868cf17b3da7a31af47d3140f5f GIT binary patch literal 1400 zcmca|c+)~A1{MYw`2U}Qff2~*h}-PQdxM3+3djNB|6stt-Ng9EiG#tFfl+6L83V&F zLGf;oPLL#n3xhMGM5H_;BO6e}Ru&|V0l@k(M2D+aba9{-kBM@^jI5W5~nkX4F zp@k$!4x|Qb?63?;CPo%eO0oh5BRhvRkmT_*29kUNW-K6&!-5nNuqY%bl;^x;#g|^q z!RfUNqz#c?=kJB4S2+~pV4PtY%FIaV6_lnRfeTBuppd-wiWOgab;Fik@85=|S9nN* a%!UOdG}XhoL!AN1`K-87DkL4_Nv{BdC3Zjn literal 0 HcmV?d00001 diff --git a/packages/endace/_dev/deploy/docker/pcaps/dns_additional.pcap b/packages/endace/_dev/deploy/docker/pcaps/dns_additional.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0e8962e9a3e317bd2e88f6c4051c99e2e50729d8 GIT binary patch literal 350 zcmca|c+)~A1{MYw`2U}Qff2~bx^pjd?lWEn7a$viRZ<0?tjk{#m+)$>B?p5m1A|$C z5(9&S;F`Y&R=jfoV#eFQ8B7_JHrzay3DgfV0ti?$QZtKFnNm_gB8(t2vwrh3JOavq zFvK*7$zU_D?4AHJGvOo1Jdn8zra)5<^c_2w+1LOwfq|8Q5!K8CJYaDKmU0G`gUJ&D zfP5yP2m|9W1|g=rVxEHh0^N+nyuAFf)S?4INV2Rz*#kUC0(?LLj)I)h;+)L9R1~FR k%z4E|C?+xIrIs)t>17A%Wh_3BaUcZZ8df2YYbL4!0F@gF5%T$OAZEC1_lem zLHX8o|8vhj<{{tHTD;obJ8vi#M{|XxaDH{JB8vhv@{}up^vvLst literal 0 HcmV?d00001 diff --git a/packages/endace/_dev/deploy/docker/pcaps/dns_mx.pcap b/packages/endace/_dev/deploy/docker/pcaps/dns_mx.pcap new file mode 100644 index 0000000000000000000000000000000000000000..958f38e1349b1eec7a090d6fc6f675a1d6652b9a GIT binary patch literal 532 zcmca|c+)~A1{MYw`2U}Qff2}gb^Kna$zKKrHy|5?RZ<0?tjk{#m+)$>B?p5m1B1oB zA_fKr!MN22R=jfoV#c#o45kb!=KeST0QG~600Q>ZoW$ai%w(qId4wFHQlmEt&I+(m~e3lt_Y<7#SFt!<3j>00V`oG#gow5GzoT znHfxpfyDt!BqPMwfU*|GrZ8y}1LnNc5{9?HFx?o$!r%l9ZxBWgQwEdostyc>Z27Bu pE-yC%hiSlBEwj6wzLjojw;Kc*HZ0i#3_C^+uDaL+Npt;G?*YF*j-vno literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/dns_not_found.pcap b/packages/endace/_dev/deploy/docker/pcaps/dns_not_found.pcap new file mode 100644 index 0000000000000000000000000000000000000000..07dc1169e4dd3635f9dfede56776559dc930a0c3 GIT binary patch literal 297 zcmca|c+)~A1{MYw`2U}Qff2}&Idv~|_fi%HKOh@~RZ<0?tjk{#m+)$>B?p5m1A{~7 zDIg(e`0T)ncP<=2@b?dcDT9ta8`DalevlDBz@C?1l98F0&Yqf+SX`2s%#@rDl4As! zE||{Buo$QYgdyfa>;RiSwZDvk!C27ZDad4y4GgA0^Ba4_nN~J7gG~q8fXnm)A`EOG zHOy`dp6q$Wx`u`p#+-@e#VH`RC3AjJI)fmTn~`5!k_&WNY7tvvZemq_9&>VjF39CT R?J^2LBU%`QN`bt<1^@u{PY(b9 literal 0 HcmV?d00001 diff --git a/packages/endace/_dev/deploy/docker/pcaps/dns_ns.pcap b/packages/endace/_dev/deploy/docker/pcaps/dns_ns.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c4b1761c474665afb35832432f3e2a98fa09be0a GIT binary patch literal 1479 zcmb8vTS!xJ7y$5Z)7{j-88s`aCDInocG2k!s^L;9(@tT%gymS%t`6Nr)|OjE7itgg zA)ms?5`wACB3zNf*h>Zr6saCE2zm&KdI_u;t?%=+(`X^vfj^wFk00OpF8{gM!#jM) zht!iy0`Txh=Zp7;nkPh1kMDHKt0Nyp~s5L!``=a7qxEmc;{`2UU-rkuv!<8^zj3N^B>mIDyfcK1>db zy)lxaF3d(bxQCS24oNs{jii)SDpH;NWDt85x%gsnyE^ew1)~Oej ze%X_3l>dB@i+Y7U8=+iGPgzCvE5|Pi(k9?WC`g%aW0iSHL2lLc&{pDhj+5fyv&!Xl zIVyJA1l)*gs9aib19W4j2fj+65pM`O8MlO?aR*jL>O4nX7UMH306mm9tnX;TdyB3v zd_>kWX1n90g>SI|@PS9F`bPoG;D2;7<|lS)44_Kd<|A=we)Q-*h)#DjUGSs2bV2^B zP8E?2(0UAHqAq)-R%@t|n0xKV>Afz`*3$`TA!{f^r_t1=Li7eqkMBI49<)k;K{Yk0 b5RDQp{T{}Y1P`s&yR2$m~FHCch3_}emq`qdJ)^bqVyQ@t> zo5)>A%Y?+Gn<8CA6wOkdkv2o&1h@0uc@yZwY`XBxAMX8r-#O>Lx4pUc(t$=}83QQ( zc~L$yetAmcDt}9LVDQS93O}D-8|lCZkiy<|6x*wxl~N8%=>)uwzczY=6gY=J%AWv7 zx4q?#BedWs&2s8Yp~Y{3w4p#qTn;>)$W&jyBe6F~7*iS$TI^Yawwuuy<|L^mZAt7~ zZQq3?xJX+siR->wTX8*6i6>@El)cJoaJ;Q1)(w;`YvZ4+zS>ILG+X-xXM^LH&V|`R z?C$(5@EdB>&UkZAqsBd{Mv8ykSK{O1KDj1Zxf<@*>E84EOzHUtwr%oEku&UN9i8$1 zB-&;ADHj*wVLm%EH#2wtVk&hhK(HWbxT08Bml$i>cTK5_U83k`*phPFQWolvW0Y=F>f|dUl=F{U`Z}<_zKRYZ TMZVJXwd}j}b&g_yJ7(+;z{TAd literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/dns_txt.pcap b/packages/endace/_dev/deploy/docker/pcaps/dns_txt.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e9916bdb02b5ba5e090b102ceefaeab310779fd0 GIT binary patch literal 757 zcmca|c+)~A1{MYw`2U}Qff2}YIC(GhK{_9U8;}jcDyf1`*5xmWOL(=`l7qpOfx*Ij z4N#R}3(tWS?_4;5;KM=&QwEh%X7SxX{U9TNfIT%QvA85NnJGD+fkA+Q(Gh5Bgbo9P zK2RQnA?88M2ARsJc(I*nKP07zq%*@j*OD)Pw%S=uz$;{8Q%`qy^vGDd!Nr`f+^!9SAjQ4Xl zj0$y233qYz3^Gm$F?P>3@;8XLEDuI9wY{y(wzwe8P$4rfIj1xw)hZsy(@W3KPtQr! zOU}=Qix-y`6yz6`=vAfWrKA>TqsRf>l7n3$y9DIW92C{XsYO6{7whFF7nkYfrIskz zC+6gUg3o;xAA=Jx6hIg~_!vw+S2Hk}v$6ZEJ*49c4!(f1X3MR)r^?jVA8in1jJt9T z7)*>DTpNNTFPaylSIkXQW&r@0TJI46 literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/dns_udp_edns_ds.pcap b/packages/endace/_dev/deploy/docker/pcaps/dns_udp_edns_ds.pcap new file mode 100644 index 0000000000000000000000000000000000000000..7e16154ea33ac3a42d502ba6605cdceff76d52a3 GIT binary patch literal 461 zcmca|c+)~A1{MYw`2U}Qff2}=?EgPt=0rvYe;^x#876QGO+3gTb6~RZZw>}m1_sA- zQ49O5`9AAswLyJT9&$o9->Lq~c887_( zIql+lowIvSI&IL|pld!&^AR^tjULG1Kr^Q^XtOghFa|aR3ZG>O_`zSY*beM7Zj)l! z`r8J#_az>aTO8o29@-(k*mnO)pL_jVL!8=vEczTYQOVjZ)ZpmqrIrtG@7Z``&5^L) zt*gQh?dta`G|~ zVh47&!gtOf?tZ(jyT9L@Z=rbjs@TBW+q0^vipjyQ<$!KMmEC%D z>l^GU`h^4qR8^};aupW`y9R*+@S}i0Ki`0!{8!Dz1wVE3^Xt|RKd)G|BK{*JxMyIH z|4`px|G>VkVx7P~{e1fl5iu(MKb%K6&f{0LF=b_K?EhZ(@u+*szt!fg&#%`>%36-; zog5{D`ouBl&cD*iE6TPz*c>jD-!nxLGitH4Gc8U2C?F3!Wgh|50 z#GHw?f-H=N@PW)mdAEJO+mP|doDITAAoRfPz_Eirdumc;Cd z)`Bgrv-yQQLN+0vkQ>*~%z}-OhAA`@?1fA=f|a#kCs;5-4gsf%pJf*c;k9;nkAlXl zv%r@hW7uMhyn>Zr4S!A{7se_Df;q8nSp4o|9RxpH!8ra|C|j?XKo)A2lu@YftK?p2 zWPh8`LRKAZ8vH2K4DJ>d%GFvB6dS9yV^U95Y3JC*YPL+jJVrVWPMRAWRkPI6 zq!hoAZv~V{$bnPBNo7n4cI!lY!Frcqy+g3x>N3W9lgk*Z$R#$`R@T_BJz{LsQcH?&cDmWgr_QbAU-w+^mbFUOY+h@3 z&0SH}`@;G!mpfm{KFGO8-s7oFwB#{$ch7sZwpcm;Iw$AN_)8nfllu=m=u)Nkw0T=G;Cu7tmSc6>^^5vw2BSFns*wtQ!^g~P7PnA+17|kQ*Tf^L(CUt(ZtOX5$o)x;-CI8oIXoj)b{|!E?lj+{-}1i9oVBl0-+9(x zYqi|L#oi?wYVDLaleLTR*Mflr3T7pYoRqji+#2rM{@}doZQfL`e{E=wQk(4WtR8wfWA8jhw zBh3Fr{BL^0#Qb$SZ`g9dvwIbJf8NC(=N0h!{oI$3Z7-gLx7qY1^SwWW4q+zyIuGsy zKXBe~?&9UM)w*Q8Um~T>mcYtG=Z;F*8`$}J__Y$17neM?Yo*u3BEE&2)r;SJKR$PB z-D_{T&G~)u*1S0R&P{iD><;De9Ct^@6`@H@X07;mrdFNOU3P0(k`u2Cw{O<)_=wmc zQFT}Ar>-1wkL}&!baMFfQEzRK&^|VOi-nl22Ivwa@&NsIc7qLTj0qZsN?WAvQ znl`+4O5C#O-pnjYZz(`?sOOY(_@vE6hqtdB{{GFeQi*k5#&EcaQdQi~4=|?y$xs3zyxwc3H;*Egw}Ke1w;Y(8_*IyYC-gWc;SWV>+Hc_fIbwsWvrp=Zt6fW)v%9)D1U3>rS_wnqyUV413+frtC)cdu>o&cb(y-y%ewpemimkBT$7%HJ zhzVT7p(GSaao7GrEXcf6dk*5 z=ztM-JqjQ2A5nMYgC+H%_)_gckXxxPdwwRxCNm0nT{_oNNad~U4h zQGeU9fE)XceZ6wqHdFigWs5Z4|J(h=ZqqA#b84`q_>TD%*4}!o&OZ3*=CV3l)r#|i znmUiEdR*v{+@V17QjatFZf0HlVTxW+v~AQ_Zw&0A6x8s_tnbfVv~rP 
zwfipo)Vt)R>`$9MuXLr`yJIDeHg251cf_o1PA?;xR=!d%c@wXSnR4K=%S-MdTylST zzuU-5u6OQ?OK$r8uD^{_wK_JTxolhhE1{&^V}KBvTSOs_^i z9kUR|eE#DyK8s^=!V_`{!Wbd6Vds9UytRJUr{{Dm;uR~HEwwfd%RZ$;kAXv6#owF8 z4(Zy-as1S9x5p(*KF_@*M|*SHnqo6ui@Mf0-6X$rr46A+Hoxo5u^#!7?%3yvKOE&-$0#F*&y%3g_Qxx3=wfy{x_rUmyfd1V zNPRRu=j}T+Seft@4nh@Fg~vZDV^u7sA1f2lBcn3uH#k%}vi~vM;CiIx`B9nKsLU)* zWKAYPSb-lq3rn_J9b4$vQ+iCj}{f}N)Btaw_2Pf?32gd$OmDKXI{&(xm$&} zMq_Kd-H|QR40oyS*4MY}^DHZI=IN=R(YJc2t5P_)iTxb?p5!cx%xHtWA(PKbP(2~Zan^3Jz;UmCSzU2WK{3_ zT0Mrf`Yg1Nt$*sQ|Eu2Yf~cOjt@?v0!FfG)v@P`J+L<;_9S5y#w5#v>%j1);Ehsc; z)a}B2QLRQt!(Y_S^T)i1Dh`Y4OqdiurNQB{UF*07mw0t3w9|-OskQvcTE9Y?@xfx6Nc9_WxL|zx9Pw zqt+7&-*7)7Orh|8iWLs{Z?{)dZ?fjZ2kLuogpU<{(iODN+t}8um=9Gb@7oQxE zJaN!rtIExkwBC(eg`U^nernT}v(LH7K{$;)#^ay0w%QXD#M#e1lrj7CT4UysL5qxi zw&^FezF^%V_1f*0e{{ut zKH~$2uZS!2YVR|@rwt07^*U}J{h`R@QESWO4C#5sajvUd=`MH0?{c>zbB*Y_{evJmhnYqP{)z3;xdvn=6D5 zu2?a!;n2(4UDx`tU8ee!Yq+RUxicT$e|Y5EI+s(fJ5%l-3kq?}f27fnqGh+qv#)kN zHuT{`kB;+Z=IY-2VT;0*66SULkgxN@VapaD%iC$4r(>T-TbJFda;K%;h!z2LdbOSV zbWY|P+2$^*A9C@0HSd*`mw#?xcSPRl184NMJtkE<(=~F}nD~S9YG)cT?10C%{?fBUxoyg~llPz7 zGPAB$d|Q^~9m<6?T5^8g{HLy*{3ep|1*+B>gS04YQD~wFpVyw*r8Fas|%|%Yt>Yc;d9GM#Q6T16GFC5cE zNou}7r&q|1{#RENzSgWwttqbEkKA12TWL{B0j^E)^{u&&azx1PF~MQCl6vf)HX~o@ z6Hj%~uWP}%VNu;P1#)&(w*1FFA7JeBw;8ibUwfEYWYEKZ-RI3i9vq)g+^J7!iTsIs zq63~h-aK;NYNvu#KQ~%C;?aY;J&b)G``X!|d8;lfQaY_`b8_;NY8QuYm~y~>uGgzB zQAgfRb#3yy$K?x~-biI#LtTgG)*Ef)Y)AgbY*XTmT5igi?e|(fbgEXrl2OZ_U6sOa z+|KEIJ)(sczS`pBwzSmru+1wMdR<+=;p4m4uZj&XYs_|QZKs4C*`}PBpX>RWq&{b3 z>?eQNI?(yFw@0%!gIcwyJ%7!RDRKK}jrA!~GxF)Fgow(V?VI>tUzK8ljoRMLm~DD( zG1JHaZbohYyaUX^{WJXz&}ByArZ5}R(;SOklInW(d@(y)i-zGfb4j0M^CZ8w>ZbM5E1%8no0#o`M_~JDL&_bzyQ97kTdLdRLSOO^vU-(i zcAhOu&-*m8gtZ8N_*HFQ^a*F*a_g^GM#@&B)^QoLPp|a=H`IFW-)ha-&oP!{ffkQ+b@@n)cyo zNoW*td>yLity9POTZfMWhI&Ay(%1GH} z)OJb6Y`@obA!_@=sO|r+jP%-8cv61!%+aqO`JRkyUfl1VP;g$4K5>pu#gm7cn%5uk z6pfX!v%uT8DUSou+)#UUbpS zSC7AV4#;|>;GTZlX3Q>E&v(a43uk{Cvwx0j8IPY_(Qd>HG-|yxWA@)`{US6n*w(1^ 
z`5#xbKWqJJ!^7k+6)wMW4r)KecWjMOkKgQhXWR7Fq3s?~lb_qWxO4WQZrAr*Q}6WH zSaEvhQOjz0gld(BoHIeYcI=55z)yH={4 zr&Vy2?VzSNd+jdvc&Y!6)?Phh6ZSRV;@*a5Ke&00Uq6Fv=h=H_%Q*XVcEPqz)!Y~0 z8D!R9ovjPttmTgW=@w9fma%ofEh^kqg zFLbQ`+f9egr5;U>_ZyZhu>u>T$63V|?H*Xhz47eoVKc1zo*ZBDNt={2ndVNr-y$xy z%Ka_HCOU5Gb;s?}?XymG7EIsJ-LXI^;qJgnPlnW=T)gN^$LPD6d@88@+{4bFm@__M zi~EGr{`2O9JsER1^5E^_kZDL3*y zE?qPHw9l1*uGQ+t)tNN8lvBS_iJ96&9ru_ttfE)ln`;LazP&0Y$LM1v*MEMr|A=Z; za@33xZ~vInYi=ZRlVwc4AjS4boGP5bMm zbZEHaV~HD%O}@^q@^qj5>5t-7+m0a%m*0O-qF$-V$?qb)+Ki7|-J$Zj&C7k-eEGCM zo7Rcd3JXd9*5DNG1uN4w{a9P9R{FMn(7Qp)D@t_v zj%|0xd=bkH9_ZP}?AE?`4b61#)#O9*%}_0?&NI6YK6&Ls|9atthhA>8=(Nq%_2vEY zUd#TlzkRldLvy<1NxLQY@GiLK+b|FJMtir|MqDeD7_se){pS*%y{pEL_AOW;v1ZID z*KrAR9>nd6(>-3ynQ3R8#nPedn2~{}7M_@QY9QL(sOYM+cPad412JXJ^I@Sasmet1;(Rt#?`w_@G~61Ho$Q@WWf~PKhS7n?nG)CTrus1G+T#b2`BRfi$Iidy96IEgUqb86!uBqgT}m%0*U7$N)rwOchwnRE zab6%Y|uwd|r1MbcZY?E6Ic8!R-*$U28F5{gmVeS0BWrHj22u^vaTZC&Ft*JB5RQbz>c{#yInA4ej*zlJ}xo0jjv+LG&! z-g(k>UrPQ~O%tr&xAiV`%DutUtMO*rIS+QsF03_e{Hegv-}4--bg*~qHm%m0nQ#1a z%{_ls9^0vnaC2>Vk6dG=!xMYYU!aCw+ugd*fd}V$9_s&iLCEcMxeln|lA@%v&K#re-c>n^e}+cgnySpEp*W zS#JH<^EGNU30Rgi^S#xOY@aShuRith+?62*PcJw&_7BJ9CQH=2__s?dZD?7d%);(+ zyX9-z)~i@8o4H_6{^fnPSKXSs`bp~}_Zpv%_P!QSKCDuYM^!K7+wSa@_GnSbl&Uw| zt}QUc>>B_3{tDMmN!yw(Xg%uF(+Ep%$4jqI9JaA7qfJqN+opS=Jz(+rZ1c}rPztjgHApB>>D%d-r&;%ckeyD`q9zfl6~q=`y-|M zx_dh}j(r^ddQ+XaDf_=P_FkCx+Y6`X%|C>{%=RdtLS)Box^u<+g*ydW?-wKY|Ix`g zd)pirw}?xJuD6>x;cETTl|P0T9c;5MPfFiqt(%@r^%I5UhW?jZ|DI{nupKs1lMNjg zbQq9S<>90j$#X+elLYVTp6dpcarfPDp>O5>!K-XmpF0wDwS#>buFh5C1);A^`ti@z zY11)fH&>_U9~rAN{n|5dvs1Ok1##_3u=4u9)fvx=u(-3#u&(v{3YY38R7edk+5A&w z&szca5-cbiH#UuK;b61LB4U-#|v!rar|E?azZ zO`m%O@@H-^{@Bp3`j>On<+f*Eb(~lueB3afh6Scxc3tQY^7hE&Gd&h>Ej`YqT|}d% zjrSZ8d;4Zv_+fCPPentEp7luGI%nG6N#+l}6>29X`tR>P(az~=o*D6(ORpN*_|n~a zjh9Ege2{wOWXp$XUnhy4pT}3e(KKy+e*NX#b;{;los&o8NUpPNr)P;)O9QTb>U?QX zJ2}K=?en7j#d_JIypOMJpJaa`ZD-DgUX@z4E9e*-l`wdR*0Auy=ToXx58L+i)f(@6 zd9Mv$`q`?s6ko^7dwnU}+|NCCe@y6~>&fE1`=|EWVyRO%BKw-%%dcvw9ZvZzdUnP( 
zV6}6L%v(A=?Q;F`uFlmTjGTJ0LbuAj5=u_KZMUX*?tYg-o7t~FmgMqT`Pw^A#Xs6U zJ#)QzbHB&e7IuDrxcZl^!#d6AwCnCi=c(;oqu=iedE&L_x@+9tqi=$TOnn%JSn%Q|_B*Dny= zoj7}vJnY&avn=v9bP92%{;oJ%e~^M!5Offb%)m6n%ky>OO) z^l;~v#SZO=^`CKY%&DNnom2kUY2`aAaKrUOB|a_R(ZI&;LDXztrrcd6Lo@%w2dL5>ndBELQ zYwx=*O_j$UCETr_IUbPSz0KY>dC~61M+Q{?V2N-jlJK#)5L|w@W#HWE)*h~cZ8@pe zeWgLnZjW_EBddQ|eRgQu94G6BuAMgdl(SELWlif_UE^MEeP(hIe8S(Kc|U#5kg$Sb zrzZ3puse6{?w_5CbZp%@q5ke=+gC*&-MeAuw6S?om-lY`q2=sLO>@01A-8QcImc7$ zZ5QV{%&R(h>%1A+-*;bnzkTxss~Sh2detT0)vHH31w44(;DPn)_z=fdLG31XEi|qF znxun|>z`V5bl?%S_@UP&KA-KFHtj`Jhp6k1vgB&e_jpub`2cCq{##c(r#bs}T#?`z zdv|oeib^fdTZ{R79X}N|zfigS)h-29tk-R4u7}RktJJ(X!?tPg!$WT)8z!9^ox{|8 zgW5SU|Cr0`T67v-x>dV;Z(kqTwZEU+kmbH3=MA1d!QOXm_`C6S7WiMWZ+Y~$G51&6 zPp$ZE+=AKf)VhD%Y*uyI>*rpjTP93B9*{NH`mtkgUR<`OhkeaIJl~kAn=ilWac;$( zrYHNq-D>5vM_m?ND7xX-H)Fba?A|x3N42I+@@tP`ugA~ne|b*M;3{5`lHY0h+k{He z+47sm%~bB08y9l9bf-w<#MPCjM$3*TFEy+mS8rmjzJ+pcZCz|vsZQBy7Yy& zk5BFiaelVN|CHm5Qw8@W@4vLgX>Pan5zhmpFHU>k^<4Wd=-Qg6b=*QrU;3Q0{EAhj zuSr9z&3WTrT$#Ll#BW02j_6Fuaej3Ng>2trdH6geym5=_WyAY!>>b&E&w9U9_rN(m zyD#<{UH7-*!)tW=W|x|;&XU2(#?xZhfmHciz^0Z%`tP-WEYDo)wM-RreFWA~=tJBK7YRcksL_s+9_`3=c#?B1=$ zz4L>RXJEo5q3)u=<-Z+maWdBA5%}VB=O?`{o&FeCKHyd`U*ytyONaV5W%rMFFw@APDz7zvo9%96wjGkXjagN*)9it_R=&Ad;BCp^CKrocc1v=1D}883R+q;m zjoF6I=y0Q0?KZa-FFNEMcVbUOyZ0l8x}1nB_`#-9z7wI56>_H@HkYl^rAyM_CFPpe zy5+{%p8O~XEpbic@y{!xP|uW&v$bE9G28D=i|NgC>_I|%%=b^ttnIY#Eq^W|T3Ezp zjUDXxCeQFDzxrize=EMpiNuUI`QE*lg6_qLzco+sO?Gq4H=hK-A5-S>lZm%A*%=d` zoiXP3iANY+f1G%e|C{*ky1v2PTt%;tzRseHNvz+k3(mkKLtJIa)od2sn|P<6OwP~$ zaWdA%$?VN|&_S-%lpt-%iG>TM#-hUB%X3?hVuby{bzU zlju1Fos@m6nyaW)l=PFC`(GzxW1P&7IP5PcbL-zu#`a74uVUB#oXlcVcH?9`{&q6A zew@sok*h(wm2VJ!i=W;S>iqqGE7$Am7ueOmZx08%I)QzI(N|j8dq_V34DL2KxN6Vf zJ^{apem#AI26PLq9unNWvW8aCfPlb3t|Gcrokh=PUeE^h-0C`u%{;vuHf!p|Zc?r* z5wrj0TFqosWOv5w|E$QGM*mikGaOS)KmNH^MT^OSV?NoEF=jg6HH|VVQmn%Nuhn5C z2L$^DhYTp`DwZ4&f?nAH14=rJCA<0t`|?LFqDeH1l4ucSQ4v*96LryqADTpySu{za z$s%H9n-tNciY84o=~(5W86LA}mPE5fG-KT>qFEKqnrPNV$wib*qJ$wOQL>1VEJ}(f 
zsiLHbk}g_YZ~~&mEL!l67SSS$7DcqEqD2!ex+uGdvPqQ9qAZCrCM1ipBFd^LYoe@+ zii@b2M8zyBlBifj1@l!zMHLlIRCG~w5ml3@nnhI-Rg0*~qKeZ|MO713UDRAe%_M4O zQIkZ?B5JazDWZn6)kIAfbr(@LiMmumVz3%02e!G%1qE?IMO;u4 z7u3WBMR7q@Tu>Glyv`^aUdO_*ax5Kd$KtViEFbD;LIF*vpa~^3p@t?D(S$0RP(~B# zXhI=PsH6#{G@+Iz6w`!inov#?>S;njO{k~|B{iX@XbQxE*P*N?)YXK-nowC2N^3%G zO(?Dj)it5KCe+u20-I1_6H07CjZG-B2~{?s%qG;?ghHE8X%k9qLaj|Gwh7fXq1-0a z+k}FfP;nDVZbHpXD7pz%H=*n%)ZK)_n^1WZN^e5#O(?zz)iNd}!NUw5 zX7Dg$9hxnG4!j(Rdx#G#52jHJ3HlH5WE`n8Cvg9%k?` zgNGSB%-~@L4>Nd}!NUw5=*q-_*MWx_Jj~!>1`jiMn8Cvg9%k?`gNGSB%-~@L4>Nd} z!NUw5X7DhBhZ#J~;9&+2GkBQ6!weo~@Gygi89dD3VFnK~c$mQh4Wc;kI`A-qhZ#J~ z;9&+2GkBQ6!weo~@Gygi89dD3VFnK~c$mS%3?63iFoTB~Jj~!>1`jiMn8Cvg9%k?` zgNFnj5_m}9A%TYk9ujy+;30vB1RfH2NZ=uXhXfuHcu3$OfrkVh5_m}9A%TYk9ujy+ z*dG#jNZ=uXhXfuHcu3$O@k+x>4X-uE#RjkA<%ZWAUT}ED;Uxz=B=C^HLjn&8JS6at zz(WEL2|Oh5kibI%4+%UZ@Q}bm0uKp1B=C^HLjn&8JS6atz(WEL2|Oh5kibI%4+%UZ z@Q}bm0uKp1B=C^HLjn&8JS6atz(WEL2|Oh5kibI%4+%UZ@Q}bm0uKp1B=C^HLjn&8 zJS6atz(WEL2|Oh5kibI%4+%Uh;9&s|3wT(-!vY>?6vlx|EqGYK!vY=_@UVb~1w1U^ zVF3>dcv!&00v;Cduz&{|jB)U)jn{#P1w1U^VF3>dcv!&00v;Cduz-gJJS^BB7Vxlu zhXp(=;9&s|3-1BE3Ggn!+kkN&!0UJ?;H`l70^SV3!vY=_@UVb~1w1U^VF3>dcv!&0 z0v;Cduz-gJJS^a00S^m!Sir*q9v1MhfQJPdcv!&00v;Cduz-gJJS^a00S^m!Sir*q9v1MB!9xZQ z89Ze0kikO+4;egU@Q}en1`ioLWblx|Lk15SJY?{Y!9xZQ89Ze0kikO+4;egU@IVVV z4!jOL&>fBguLBPmJY?{Y!9xZQ89Ze0kikO+4;egU@Q}en1`ioLWblx&KVdp@WAG9y)mF;Gu(u4jwvq z=-{D)hYlV(cdp@WAG9y)mF;Gu(u4jwvq=-{D)hYlV(cdp@WAG9y)mF;Gu(u4jwvq=-{D)hYlV(cdp@WAG9y)mF;Gu(u z4jwvq=-{D)hYlV(cdp@WAG9y)mF;Gu(u4jwvq=-{D)hYlV(cdp@WAG9y)mF;Gu(u4jwvq=-{D)hYlWi9>jx+3y47QsNw=95In57fC>bU zEBJ;M1rIDPAcLnzI=}`(2k1cP03Qe)AOxWUjPR^U2Pi@404E3?AO)cVtRQrN7M@J$ z051p~AO@iW%pi1t8iWpT!*eVhAP1oX>>zZ29)u3?gU|tjc~gwO$^5IVpVLIzV=m1|lf71cN5IVpZ zLI)^A=m2L39UzUTbvnQrLI-F==m2jB9Uu;&gUrE^0tc#1fde(6z=4@l;K2A4I>;RV zQ0O4@^hkir(?bC=Pmcx2+z1AYWWb09jBLON2aI&UhzE>(zz7J8gusXhjEukt35=A$ zhzX3Gzz7PAq`-&@jI6*23yieDhzpFozz7VC#K4FQjLg6Y4UE*lhz*R~zz7bE1}!3Y?Pgu#dyjEunu 
z8H|*{h#8nO00#&%X@Gzrvjzy5Gi`u?Ir9bxm@{zzJ37dmp#y{t?sMi25IV@5(F24I z?sKLO5IVTe89+ej;67&t0ilEYoG}E14(@X%5fD1K&lyHQ=-@tQ9)Tr92lqK62?!nB z=S(Faba0tGLI?Lb;|T~I+~-UvAarn_Go*mf!F|r00zwD(Iim^)9o*+k zE3lI3;67(y0ilEYoS6lL4(@Zt77#kP&zW36=-@tQcmbh<`<(d&gbwa=Mi>w}xX+nl zK4l-v>0-=M<8I?fjAakZA z5IV@5fe8c-MkWwA7@9!fU~B?`gTV=e4l-wU0-=M<8J|GtAaf=t5IV@5Aqs>JGG~qg zp@YmBr9kK)bEYY{GSflk3{)U=kU29I2pwe3SOr1{nKM~|&_U)FGH1F1p@YmBut4Y_ zb7m|MI>?+c3xp0bXVLVmro9c0en1wsdzGkby1 zLFSBKAasy96Bq~`WX=!bdWjI7ziC?&Oio22bnXI!A%VgrZNyX zn9D%mU@`-NgV_uO4yH4>1JXg}3}_&9kU29N2pwe3m?;K4n7aiLFNp1Aasy9^Bo8sWX^~OLI;^M z<$=&a<_vlubdWi-9ta&|&bS9c2bnYRfzUzb41FMUkU4W7d@O;3$qxh$W?+s5rhshXI2EEgUlHhLFgcJCPolC z$ef`Ogbp%iZUmu&%o!a)=pb{ZNBBfX2bnWKg3v+c%#a{-kU3){2pwe3Bnd(XnKMj+ z&_U+RlOS}EIU^+q9c0c_2|@>%GgyMqLFUYs@WB!erb`ewm@h%#V8R4}gBcS94yH`_ z6iNq~GiZX)LFUYwAasy9<0c3lWX{A1LI;^Mbb`=9=FFWSbdWitCkP#6&h!aF2bnW~ zg3v+c%%JdLm<}>$32bnYEg3v+c%(?J5 zLkF2N>VnWg=1jXFbdWg%F9;oE&ddu!2bmi^HUHJ8U~BX#?8@jV__I&pIQkU+?+-Nm z=&4D?n0K1G*YmB+GGR>p@Yns z0z&8@a|VGBI>?+^AcPJwXB-HjgUp!-;`yBpGG{0Vp@Yns3qt51b4G&@I>?;qAcPJw zXFv#{gUp!`Lg*lK#)J?$$ec+bgbp%iSO}qm%$XM=M!+x9nHNIvt90gt5d1Qoc_9S9 zPG?>S!7tRA7b0_@1I!_GfH{N?Fo)0q<`6o-903I#U=E=J%pr7uIfM={htL7$NHgdF za|j(^4xt0gA#{K_gbpxA^g#!hL+Ai=2pwP!p##hzbbvW>5<0*fLI;>b=m2vF9bgWj z1I!Vs&;jNUI=~!42be?X0CNZ(V2%Wa4lsw%0p<`oz#Kvcm_z6QbHp`tfH{N?Fo)0q z<`6o-96|?}Bio?^%pr7uIfM={htL7$5IV@5c_9Q2=7kVAm={9eU|tA;gLxr@4l+j? 
zNTGwwnHNInAaiyRLFgcJWKI-1$Q)r0g$^=D%0i)o%n@%u$Q&UAg$^>u(?5j{GRI># zg$^>u^Dc!BGRK1^g$^>u6CQ;QGRLD8gv{{(M4^Ms@#I0FgUs=fpF#(j7w zTnZgzj!%~qI>;O!>mX!~4__2I$Q++~D0GlHK5kIxAamU3DRhuIZm<+O$Q*YJ3LRvQ zOErYdaY3cfLFTxUQRpCZTtX;xkU91)1rF>m3LMx66gaS2DR5v-QRpCZz@*SY=BOft z4l>8|DRhuId=xs!JiT9u%+ouT$UMDgiOh|zC8KT0=vy)xmyFIOqjkyXT{4=NjP50) zeaYxwG8&kS4kn|8$>?D+nwX3(CZmnX=wmV(nT$>*qm{|%WipzXjBX~Qoyq8DG8&qU zjwYj}$>?b^nwpHRCZny%=xZ_>n~csTqqWKCZ8DmhjP53*y~*frG8&wW4kx3<$>?!1 znw*R-C!@{D=yNg}os3Q=qt(gibuyZrjBY2R-O1>8G8&$Yjwhq#$>@19nx2fVC!_7j z=zB66pN!5YqxFe-A&Ltg%nKpl!MqRx9?T0N;K95Q0v^l@L4po4XI==QgUp#1Lg*lK z=7kVC$eej0gbwa==7kVC$eej0gbwa==7kVCxX+mvLg?T=XI==QgZrF$Ar=H3+~>>- zA#`w`GcSbD!F|rW5JCs{IrBmY9o*;43n6rHpEECn(7}DqybwYM_c`-I2p!z#%nKoO zaGx_T#JZ$|`?-PA%qSxXI==QgUp#1Lg*lK=7kVC$eej0gbp%iUI?Ls%$XNL=pb|Eh1k+`kU8^0 z2pwe3ybwYMnKLhh&_U+R3n6rnIrBmY9c0eD5JCr;GcSbDLFUX0A#{*A^Fjz6WX`-0 zR~9?-P zA%qSxM_yQR1fQaEfBlbc@65(i)ZhOeG`^W|8Gk!CoA+P-#Ke!Ms6zO&tl{W==kd>{ zDEt|sy&ThPd&ZMl`qx#4s`$FfHRJ0lfBuOHV@%@ogzH%YqdF*)8(n+h07kSm%GB>7#=Ci_oYRzK5uZdfjd7oR4td|P>zVS_ysGtKU zdB*iHyI+0PASKb5-SxlCZuF1Y{q1`b`T0fE=o(HX{qIjutzyhwI^7!>ItW7vPP5)mWdhk8kWP{Oyfb7;l^#-{Sf6Pgwsbb+*)BpG?efjyX@v z81wsgZLZ zit){W-1rvDPl_`4KgR5zg=3!h@%OO*Oa?AL3eElVH68ySW14aq^ZfDWpuW%Z5$5^m IXWxqW9~jQ}3;+NC literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/http_basicauth.pcap b/packages/endace/_dev/deploy/docker/pcaps/http_basicauth.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e84969977dd8b540988306467dce82fc8cc9ae84 GIT binary patch literal 5156 zcmaJ_2S8KDAASK@DM%PrL9NeN=AV$TAq0wS5D)|kSWq9yBRt76c?rY`RYa?ZxS*|w zlmbenD%wI7sf^-4v<@8LqFS&;T8pJxMfu+)fDCQmAh~<@-S7K;<1Tltsk%f1nSzYG zhK3M?0zR1DdJq#Ht&Q}6_pp6*rQStkLcb5Baj~-y2{O;7b(^xx)lt@d!Jtvyd)U& zwL<1>`#Z``xvlA^X}TTHsw3|(+rK#4?74}M-Yz&%cXZaOR~H`&R+w`)7~X@l2Y%EU zrL88cCJ$(%$Sv_jAB3)5R{<$Q>XehW&OpjoO#vly29lXjtEP?Sf3h1=SJ8fWHAt4U z&V0YA^H5NPZLAYZ(%ayb zcfxUQMeaq*nU^exgK@geRoXPqeD|ppE7)J@I4tC`1k6J~_1CTeLPkF;P$TZnmirlpq;sZgQYbY0?tPD+ zaPkh+t=m$zyNX#Hxhp@dO&XK*>w?{X?ab+K4)Ef(&2=?owhIkb@1O@{FSoQ z@BH@W&)?reUNsS-VM{%`xh`7+ISb3|ay!1_-=FKb_##3*D?86=+Gw2U9_}jdqUFbSKFzc?v)Vrk^}e$->g<@SlbT}W{K)P_=PRXB*M?fX-M3;Ov1Vg$(6@u~{4yeP z%7HRg@44ipT{d%n{x#l9-}p$&#n_*h_1v?KsLt_aTzFQeb<;_F``G%f!?89+jM<8q z`6+qM^+FK<0Nlu0RPLx7G?u45hwxjB*l6oPe>jfa9Kh-Z0`g z>Zed@h&Y3xkA!I;sx~ncG`wlQKtzr2-iinkKcI9JaRWpIjzdrdezJ6Me)WRDBbDLB zzb*fh)~98q7`(I7_K9U(_R;I^(7X4y=*iu#9^W#v!z$-SY}OfWv2~)+A^OG#L&w{X z9xS$!JnuGI`N<{QJ>IA6B2Tr5%cpaC$SlvE#vOwiF1wdEPiu?q-sGEjh|4X$#5XpH zJEPb-wCrY}RZ;&;Np=0#KAKNNuCMb?>Md`Nh-koi%7S;^%ZiLG)o-rty0EG8#*h5S zj|xZ)@#2@&Pj7}y_l*`EkN=>57rSP`tE9}i1zWY&KGiEKH%mNihscimQ;T&z*~V~w z%u5|Ob9SgF!+t1bzfNJu24>kGyn%qJ{iU`@w4r&j?$X+U+NVNo-3+VeHiP%ic0>vq zpT2LlYGy~&%)Sk^oXU$&7yB?Q9|Snq`Y=lToxQFYc3x{y^p=&GM;*z@pXaV`I$J(Z za9j3z-X-Jos&Cp(nR_m_`n{^w_=yE;nL*5pSO1jP2ja~|0|pG0vMg4H#taveE2~kxt|fzUiMCGbn>21@=waGt^oGa{ClA^z4m(yKryp5H4GvfgllJN!TVa^674c`DfSwmrSa?N$>DQA|v8n{RAFHj%W-GeJel^ zjVW5kDVmyE>J9k4G&nW|WHdx~2KgBZKEpPN6bGn;x+6Ag}uiDWw1I~Y*s%gI!+lvs(8 zgjmEzeK8rqMY)awk{gsEfd7*nom~^+LYFW04^W0HWnKo{{$wj?T zG%i)(QZ^dk7mZp=Fr4Y+=HY5%K#gap__5L85MWLQ1Lrchav3QWGH|I>3?=}Vk5CN5 zMSL<9bUC^K;s#XCT%MRq0^TTO>`mp2{KGMxHx&gh4oQ##+&e&Ba!`M<5Fq%xfJqRYt?hC3Z)4$oH&rjn$Dfv=Dg3NQMIEpS;n%2kW+MIY7Oa}?@r 
zNFq##d(jmHo-Pqf$uaZO2_Bj1#lsZ@7iXwG*r9}oAPG#skZ~~q?&a{tC>f~~;3%|U zcww$gMpql0EaoZERVreTe=^2R<4eVI5s$$Y3!t3yQdr=}(R1_>AtvP$ASqdIx+EBn zM~FaNjOj}OOc^PdkPs+AyeyR9A~YHk$>??{Js1}#aFXC+Xap|DLC=sj7UWav(L3rNGGH>`HZ*l$xMR6%rhY zcT6fFLwTx{MZr5kWFUXQY_41g zs-w&vO%TfgXC<73k^os9c*E$TH?z_Suvf`RR3aq+GFL2?!pgrERQ}6gZ-i}PGR7l8VV2`xtFeRfp za46g{2NmA^UpJh|+**~e;W z>wJ9=N=-!xxw*w}+kV5Bf4*2RE?PC~cOpzfvoo_M8gCaD3(EvS!C|!=}Hx z&GVKVID9*3TR8o3UZ=#hVxX`N-7CaDm|LMo4-Z)Hz934tHuCd%ZBI0(o}PO0r`bP# zblUcAVxrV7a-~N`$q&ZUcho=3<$GQ}0cppc`p>(ZORBq^^6_^$t)bv9rySnp6mC@0 zM)Q}fHx4zeRne}xwbS>)+*d(Gzw9%Q$~t>?Ve5%(`yyok&sNuO`t%58Yxb3}yW83h zEZNu6oo-m-lwR5Qa|O+|uPf6(AE6bQ+|Jo~Du3kHwm+T z@L5()a$j9>)Lucqli7#-%&1&FNc($0``uZSaRPdKPv!(~mxH^UKjB?YYvqWyrms!1>=i^@Fv(5qKkq}ip(g%mI}1(KId#VLw!IjWm|lxP z$2R7Ru#P=Ue9#Ad5?@9szK9Ogf)qCd+0coy$=FLLj?VvzBz{ls>Fqt{L|)52-*Y)R=eMcJ(@s)N=01gjd3C$<#?~KZ-DDeXX)QzTuABLjtgcmYY5zFvH@J38 zA8b}H9;qIp-%mI}Y$3#1U31D&RaN6~EO7aLeA-B#RXYix}Il8=+=Wsra@cDxGSs#f>fzV$6ke<|}4Y62X zAm|UeT^rJ)h9V`?iFk5^UUtZ`>~;-|YFS@+SWDqq;y^YTX!p0Q@#8@_ku(i`x) zU2Yd`vLI;kmo2>9e3LI#H2I+@tXGfRWFs1+#hQ#q)|V`WWLetW zZ3=oGm(J!&FAp};d#PeJ$KIF)3T~o}2Eo|{Ia*9``|Nq1!x|kMzko)m;3u45Q@@rS z)3S=xukXtwwW6-ILnL8MGaiwdm2>E}nYS)YWp#}=z)y$hV3Fs8+< zKV8txbC~r>%et4hUKcksMT(6aSS`sNQooi#zQHyrC@X7P6}eSf-y1Wfb%FHZ@A$!N z(w8BWR3aBj$9%&qVC5!J+>Fw3y|d-f^D8EDM(97T&TaK5F=S(}Vhut__Oc4Y^%uT|577 z{4B8dsQjq&8GC)OUnsKwRgm$DLp;Z{_xddRG8xB;@5UZI70>3(jBg1n^%p$dX4wVH z4@8!Cz)_GdEtYZH?Mpm|S$0{LUOr>f=nsKWevBvCj3VWXo`G|(h7`**s<~S`$#a-d zq-cb7y6OgRgk~zAN&=MxDhX5)c#jjH8^}D?`|q*P(=yk4=eMC(qV+!TVD2A?d|g@Z z-{Wch->A{|v+hahvFvl?;h8{akJJ)%>(H=f5ICP891v82d*d UM-yV;uYp^oTDgXcg literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/http_minitwit.pcap b/packages/endace/_dev/deploy/docker/pcaps/http_minitwit.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c096cfab46832772f102df672691f558a137b0be GIT binary patch literal 17512 zcmeHO30PEB`@aLYKvE>-XKH#GDJ_|OMurg(kX1lXz!kB}aA8JE|u6>+?o43zu$S^ z^PcTJtsib~@FM~U=I72Gf+&YSu8jX___5aliEQ{C75L#09rYup?Z}o8L}wz2AmY}n zk0atbb~*k2zd0%>+9OAa?5?eClhBtp`rWyc-#`$40Ufq*{QUzsoX$ZZwY7uMX90c| zeE$W3Lkb=is^4OIaC)&&R~)j?z*Im)ZoxO&rAnt47e{bA*_s;#xgT2;$3w2!g z#a*)0J9qzOi2LTNEcZ4dyZp{i(ApO6Kcso*t_J*jZ1=Vo$DjED>S*-EUAsMyNCY0J zz>l-fNJpMR+$X%la<}+QCD`>+O$a&Qunu0b_(}@0DYE5~uL6mU9MA^E6_d04jROd? z=R~)d-N^y#Qyeih2 zNg)tHC3-TT()nqbW>9&IkRKKCtl(Mvn>;uu&qy11@g=ktz%q5!YK?{x$oN9Cel7VFZ^wiwUj0jSr zE~Uv7T3M=lh8&_Y=*nn;Sk4#nMKYm~A1NYpsA9^Xw!X!v;U#I6x+1l~u{?r$x1y7W;uetb#tCf-tupxAS4bKY-|neFOf%u_-$BC4_lZI2B$+brJKpnwP2ji`y_3NXtvk~2Nz1I0fX`drwT5uP z2Hp(z0l;S4!j-o)bvEW5$zWS~^8o);O-P9U?f$m5K<$Cr;#YBPiap?R(T7@AQYpz zU-6~q6|6_f)NRvK*TcyWtezc!ITnio z5?a~6>x=zd%wEFOWXE3UiT!23R0D5R+^`?ho{HJ$GMHBOLYBQPpyL+Fp$!$ZK|zk9 z4W-qzxkMo3%lQ&AyUL`3kyFfvam-?h8@|N6ip7YTitWVYc@o3B;X_Os7USevb$On| zB*OTJ#%*l`DHfAM%^K(&A_*xPs1QdfBvE8aX0Any1Stm#bP;>xtMzC9gb zj#fA^oy;)pNINo(4lB|rP0*c5G|`F;iZ-cD8aj3qtx>{Mhn!3%m`li91Enm5*$f#i zuzVa8tx;=BNdv8k;Tla<8rrC$X%m-3Krvh#7nDXLmsA<(;ux;LXoAU{68?j4^3exS zPm#KURB9-rF@~#$Nf0~=w0~BpE2=`z0;5%;*c^2k%+DOCL<`_~5c=E>$TUf9D%4ft z_uxfw>?jpwA`3x*imIT=DxH}u)|s_M@Uj?T2Syj`3}qyR=c~YzDk_>#MjMTY4_QV- zH!6zZW@qK(S`Y)H)mpvTWT%o#YN;|%Y=)^P`i)EKHI$N8=`=;OA%=@)q?X4p-__t4 z6T_7YeWBqtc7n=9W&u*}a8P?w2AU!bx=GNSQic_7Lq|r5v{7kL>(SJj8w=L7z8OnK z7aB-GEQuP$QKr#cSf&QkR!|x`?1y2~s6Gf3CnL;d9h$Hzjd6Y~T1+U?6THaDgVo9qjm78fJY6Jj=ruE5(8C+g6!Ss zDbs0TJ$83Su!@l>WDr!c%xozpiDZiOi3$Mz0RP$k6gj6EnJ1-fl@b~oj^gzc5!H1 zgN~#OX0_=)H6)OeE2I*>TrQJJMXn7wgswpT(oY_!I5D$#6mr7D57B?B@>||qrWLN zZKC;htr#sZYhnXoKxN{x{UBMa)0t=kj>>MvRgwv+@nkZL&ZT&3#JU;70$Op=EWh5@ z9A_S$;|Q4fh;3?FzunUu=YlWH`52S$7V}YuB^KaV5fMP(;<{-X&?_kyVU|&D 
zH&eQIT2v>q&706>3bPHyF5#HTxVA*Ct%MCS*cA&7x~oa;-7czN7N#{8!ycDyb4jT( zYfI@OFWYX`1)J>^v>z256dWWG6$S_OnFCWv^yB|_Ub^wHFeJ9=y~4}WdQRD=)_hmF zdez}j|7Gfil;lkdM(2E78or~f`;_Rldo$;+j(ek_-|+$JTQL=*_ATi#VAqdw>Bx_N z`S->>LkkLwV;a7_6guqYQ~BzVU)NOxCT$!O`|L`UF3uQr<>m2d+8&>-@5KMSrTO<0 z9T$jtOBV}@3!aN;ZfxxI)77v2ZZ&n=mYr7I(sI6SUXE%@&n3#;hE2miPdu|Kd)evd zvuD?Qo1%T8-#>SUR?NL|-e?l?H}ou~hIQ#tagdrB6R}ZOs_3<=eMRB4v7EK*-e0KS zyz}96g%uH?kNvj^8^?jIiZ)&Ff96cM9(gS&tCsjqfdeU>)za!2~mwU(Qk zg9lUys&;KT)RO+;d-S-{-@}hAXr37t^ZJ2vhomLTFV8)l(K~y+tUblFKXX;m*3x}n*@&h+tU-sQ&NCAIX)H<7dM6 z4GvOr{_$x@^V`qu?!T}4@DKSbK4}n+RPKs6wQ^s@s*RDkl|wZCpY?y5{_n^mEz*l& z53jhqOaB}H6LRtC@}&oIrp_y#FI=HKzidg)q3yK|uf2PtUH)i)QBvf=@m2eIpbJsQYn>zdX z^Ao3x32W~4Tem3@!y9JKep^O9{%+!Tss7iho66U`!EOHb^-IIsX3yT;Qai0B{LPnd zX%?^i{Azv6j&AAkPbS=%+IXk$t64GSkH^iQ6?f(J<-Z@87`A-)qFM8!U;aHJbAILI z&R6%E5+rk`CIE_^0=}QU%CnWIZ zz1lQI9`kA8j~_Oz__5c__}#BwnqEvDFdsU{ohg}EbmLIKw)Su0#{}$-NHI0Uww(Do z-7rnHqaf={$$k(2Yh#Uvcy!hWX6kD=#_^nD+{RB@>UX${n^z$g?^wa{y5UdP zBFwDyo;Li~eqf1lA+<9P!ER53!-nRA4gdSP;g9Th0_?{gzPWDr$0g+<`;|vKj#1n; zwBf%IZTOF2#;E)!kPSJU4ngS94}FgC&CUMa$H0*Yzifgdes9Zxg2Nb?KM3JJ7y}=S zfe*&OzyBDBV#oBL&R)lsi+E1HZ<(jDWzBz>v1QhK55|_i_AnXQZzb5z>)0|1k1Yzv z*zb01nI2L*>pkbOW%WNEvf+cN38$o&Z<-MP(Q~YSI3-`4hC^6ChoqOfS!iK`l3o!1 zy?~zqf1~2Mek0r^y?9B!$lt;wy&&un;oiCbb_H?YW%F&Pq?gs(y>q7l{~oz}NqTYQ z9<{8?pNW0QzFlVCJGQqrXR)tAo4+sgvzt@9_>1(1lc>!P*%DqXZGIh+fxbftFP93K zcrrT-#S?@X5bGUt!)}Dx@uZUvHbRolIfNNSxnee_d&kVgeyzIBV&cS{W2br5+_svK zK0kd_$zpQR2`b{*>I3uU5yW%n0r!|Bao}@%%=|$J^Oz4z1wL(^9KvE+`X8%ZZarHJ zshtfx^S2<(uYF)9EJi#{{w$`GjV=y#;E6F$`M~V*Gs0Z6!6T-~0rL>zd18cj8wK4! 
zm}^(Fn9kb8EM_=p$Cz7R@FRLc>_G*7oZ^|^Lq}&I%o7PLroG*}lSJG+7Bdnsr{lGh z^EudkPNssBHa0&BmTzgrykR;m&C8@rN;vE0LQ0aclqZrzO2yJBp+w4;%6Z~QSrktq zmPCorM(#i^ek&7FnTpkP5idurRl*@HY~M#f-k04WE$sFS6%wiCkoNyY9@YpNcFNG< zxXNVGD+B_EG&KR6gXOp{cJFyw$o-CjtFYSxuFE!Q(rDx=C; zfk+J79{S8=~TRQD)T;N2g>{ z!X!c|IV>xe%*;wmOHNBl3=TqlAYhhv39UHkMP*BR!ToB^Vvr&CBtZ$76M;M`ZX}GA z#bOBsP7>s}S&)QbjuMPkQ>)`QaM{dVte!ka>m=n;kd1togFX`V3=r@d%I6~j zD%&ZXO;ocdQ50Z$%Yc)`V^R4|qMBJzYzCagNM6s^>@8I4OAOv_SJ}4PZDL>=Z-1m{ z3jwPEa}-zy6*nH2B1^zx%ACZsv0?@}S_sYo+0=P!{x7n_MqktyU^_TX1#s6t?}_>~ zUv?ORsgHG{ex9Z7WC!N((`zOo5_8L!n1xu(0H)$2tR2)Lp2UQ`??U;7;#5B(r<|2&wj9W~HgCv_5mI5Z9L*U}N zF~aGcGzMYn$GV+;cJJJKW~9vv(d?7m)OQ_-7%SiX5jWEX?Oof;tq>1G#@&YEdkS$D zD+^|Ox3Uapc6YMR7Kf>Ux-0n3633%Gn?)2pFk9ciR_^a)dAA~9kJ)>yc{K@ zXEq_s&(1q8N00B~RrlQk+Yp!c_Oe(REIb&^fl*()7}SBF!E;c7AEzZQCvWghglXR6 z7891Z3ym!1SM0pHn5s}i8WJD=`J<~_=0Xr$?fH9M>Oqa(^iT({3%hkoQKQ#C$vVf1 z(7JD?UH%eT$j!no9b3-2_}b(Hn{Zv&t(cIIKN0ZT+$`+U!KmrX!tNcw_7)D;EyKLS zop`qaeknM${lX68qP92=n9qarq2fA#a!S|z3t`T^;1&~Iz?r~?E{us6c5WQ-&so#` zt=;mZ5A$+JWQswJj45CYMXpo&&9p0zIK?d1ygNfW5cyzOR9wwVWN^YT=1Xod(fT6J z(Y)*uNorjpC1>Rgv#yU0LS0_n^G#G&J(sEL2<}!_9svzAJn`o}+JP7k%u#W}Ka<17 z{AV$k);5`e+XV5CcjWIO&&x6p$)Pf@0+wR|VN7Lq0+xCbU<6D^3BbjTfHY2DEMPW+ zX%(=P6%gZI0DD_T0+(e_N1p79d;=y=G8Ng8-{gsWGhljKDsaLv`6>p}N`4bd-Zn+W z9?48zd`?l{@g=4ai|NBuY$xWZCozFteTaDqi>YKVtzwRP5_8w zwi9#HlbAt(nG9})iW|2Y$axxzS_yyClHL1 z3=s$ta}zBeNcdthS*@is0zuL+$h5Uys=;v!GV+rxcTkwCG;on+nC&UL))K9c&4t`! 
z1C4JT&_!h4hzxQPWhAxmJ$!?OgiLRgo@~Tdz;Ny_yp&dq@3_DXJ=ps$!e2mdmQh+W z+?S|=s~|LGq~Wq2TxUk#G>}F;t%0jNB_z5eU@}yZR0*ZlT5^d|&z|SYDyy(ndND0% z^Plm~i%)i3_}&-hYK+;_EvDlth{b#&v;*-OSQ!;JtDyIj#v)AJHpf*^-#uMh+uLip zcV0R3m@U-79QiAD734J5Fj3?WErHx!oeU28bJKd25Rz?Ky_qi`e0aL>vBVpb_kC1w zzVw(WELHkJN|*iHH7B`y$8O~HxP79r=j#&VrE+QIz9_5Jx3tlZ zin^6t){V~iK6N7Rapn0J`uqJnu_-m8Dg8pvSu4+(J~+0aOQkGy>iR5>E@|YWU1A1p zo*T3@>zNZ@Bs{;Xmqyy-)4mH^=Csr{kE~RWYt$*~D~jHc5i|Zd&bf?7s^-6a`*w#u+~2O4eg->QQ!tSqo&@`Pi({Pr$i9P|V$S&U z(33-))@iKI{OAL79X{Hv@8RT!ArlhDU+@%hx(&1E>Aa>Qq?ZpNo_qh}xTb1v=T$#7 T4AyC9-*2$^A^6}=X!`v>#B#go literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/http_over_vlan.pcap b/packages/endace/_dev/deploy/docker/pcaps/http_over_vlan.pcap new file mode 100644 index 0000000000000000000000000000000000000000..4c6444707c451404126669c513b1a3dba7733def GIT binary patch literal 1946 zcmah~&2HO95N3?VZ561e76=NonetF1j>#pd$UoE%;?Q#JM79NshLb}NYjP#hCbh%9!rG{ zG)<$>qax%9IoIM`yChhKFs4H$4Gfpx)TD8A`#g^38pCifU#4%-mUhpNX}SzcWNGeO z>(XR6Li;wbL_6$PD~CDDw2dK4Fs@zxG>jrj?&t>G^mv?Nh{q9Yz;1u118cg`fTJ++ z`8bC?7glr=_xndHcN*Ykp^qly%?5Zu#$z_fXv~OZ=!R~ZHA}CrHlW{i9IFBP9;V3Y z9)N|1bz{}SqYGJ0uj@6Gt-m2N=CWPphZG!i#xm$R7zKLVNd~+}MWENpOBjZ8vFhBq zK;KC`?uW_HhT+o?Gvl*CLwt0^DO&P4Auh?tGno+GdJV}@*t7OAN#!_t~3eQlv zT9IV=1biV&m>V^O!KdL*B7pIK2nr9IlwXu z*ne29^jUVsG8;Bh>IF=5_=F2~nLgS9mXPH(98UzxtCfyR5zi4(O=G2|nKg5L)vVQ4 zt-4{T)k>GQ3D}Tn~?E%tdDCt&xXW3 zAm`GcDJ{&Fnz(db_l2*vWxbk(W9*$IZ@tBmxxT($8YtEALKG&akg=$x_QfP({eUr{ zLXfdROZD>nb${!)Q$b+DT56H7VjoMEw$$9q7)w+#3xZJ}SIw9Sim4E(#-5DAvzGcu zJKVrZ&-+aUk0ZSkfv$>HYMC-FfTjpV#M%#fO!Vb!flU_kCMl(8m;|K5 zVJa@icS6r-DOI7!ZJv4PXrQ0uYP(6wqat8*m`m`5Zy-yhIyn74WTS}XAUKS21_Pdf zRK&&t5isCL;D}D_vT^`=iDF9*g#GdiTT24`e+>wWIr1*Wi0AAc&EBDMnD|9Rg~}3< zKM1sdhM0=&1#ILRA@G=wAf^)-(*%>pA&scVBsheNI1zh@EcF@C1b7m0>O(*iKVoGV z&el$n3mQcToq4A>zn%pba~~Tyi!dqv5AgId(`k5$A020L*$3a;YRsZ9 z>MASjhi4G_Ep?XC8B+qQeZ(TXhf#BQ&6qlp#F|$(Z8wpK1*h|Xrvzs^JJ)mBENZ(` zOjudZf@@7eksax!tNG}-?eKJxg~LG1<`wk$K#VC;bBm7>zkr0PM$P%%Cc%JZ++=SR1$P7fd?)L5R&i$A~z}I1!)noKNZ3xCh={$hzyGMy(|SvbPht_N zw`}1jo6Jljx3jLTtkZ)xf*4I9H%~-j2%czW;4LlQGEEVp{guuuON(~`Kfyrtf$;5Q zw8_@irfvI^P;4?DhOT4s#0mV)nK~Yi)nO2MD%KIc8Cb$vT3lL8L4xiDK001Yge$^P z;OiSVSC-c|R#$FpT;rA%i8$7|f8ugaL~#;ny;XyR^!E3EVc~o4Tae#OJejCSNbmd3 zcmMpgg_Za3ewzeDf?9a=lPe^k54`jH%Wr*fLI3a{WI}>~K1qTqq{3FatL)+KKD)pB z!$FHDltCOZ)#RJrS%ilxOp5uJ)?li4Z66GVQex1n`OXoIVFckk?f z_R&2?t86U}=#RPFw{=DM%GM&oXD|}n$}Z)tClX%Lqez1Cp3}#pBnegVX6l^k%4gIk zx70g<7h(quS18QPc3fAs@9Dy_#ktWwHb_@a9Wf4rD5(q>J61B%Eph6YLX|gd=J-zH za952@?h3tk!DKv5MnP1W>QSkal@S@glEI7yOT=d6ge20rW0?~(?z7!c_-rpoBU7+j 
zQ*C8C(8nZ*9N$JSi)CxF{fL{?)XeYqd}lZmQH#YB*p;WT?Szek=p<&wgvIobdM6{n zl8EERl#_9vyOUq1C%#CiI}4*A3CzHand_VgX`XGiGuivp13BQau$)-Sxg8`<;)*S) zqd~%kLF!wBPS&`H4{arV23J*;-422T_QFG^sue|W9sh(y!qt^HnYbbz34zTTMPjHc zoerq7e6AVASkv;!`a5MqXGH^ebj&!OwrQS&UU3X6>m=NV&M-a}ao~wLRQ$9>hZwHr z!#k^3w=37JHp^wtu`^2tjfgKIph0TC+3CnmnjHkTD|iT@6W`$K)gkvBccMRrrjGe! zbG6%Tui(3kZx7!!d~e{p-t9IdC5@?I8!Q1B>J5nrn5!{M*&F*i57yY;$no;sj>EvW zwBwj<-`iku8j>xsUlw&Vab7}4PnOX4u|AxNb2|S$G3Fq%!tG97j)L0!!Oyg0LM|LXhx%Ip)`?z}V6(8nEZb!4#=Q>a*f(ItjZ9vRcB9jQJC`G+Do->LuEfjf-EoYbHgB~0Q{`mL z=FLXNQKQWoa4}X_yEl5P%U!ic4RxQB#ugf$4UJ)9Sw9=@gc#RmpCU*(N*;u;CSd4} za~5)6xOKhEu}h+~B2oI7pYp6#*_!IZux&sKhRv&nc67A&YptiJa0Pi=w4Juy&m@IY zFk3-4`sn582Z#74M@KK!f<{=ar^P)RHjVZupG+TVFHMH~*yUEt*1t&QE0_J`0%@%x1xwoH0fRtds+;4TxjsO+^OER zyRBC1`Ez2%1lbDw2?4)FSjtshr%^b0tXJ{qz&Zp!o0hH=Tq=E2!}AdCTX8{}jn*XC zOUQegk_XvIc~wVGC&E$|c;wf0aDLqaZ_l1JIU)Xk{_s-7|4WJZ->f74w_Ys}|0}z7 z#K-)s87HaHf_x*9q><0~^OB7@bhn=7-KI=6d#&qA&Ui7~^S+}iaML&(W%BlbLGt&A zkSIG|squ(FFwP%QFciaG$fL62;s|>u7$N{3v(ztInPb6do#BL$gL{;4n<1iL15h{vfk zRk^8n=8^CWVI9Se?WdvAX3Ab_(DtE`B>@v2cMzu{4WUernki@(NG~y)v~#D5*piSz zXByQGjKG>yd;vM^AwM;MWwn6Ea!#4)a%2${KYN`0sYB;XSZWf4kQ5D59UlRAj951c zfNIp+v1J0I5^NHcgUXb!!Gr@bqnSRl{qiM<{<(c+e0b)O|Mqqr@pI9=S3=&?ut6u=sER7q z1dFUoZ3B%6v0Lf)&e57;^Z?ECF_wzS)DvUAa~gf>_7{B`+}JU9e#eh1|4Yd zR+c6pODhy5)6Satl+;voenzd38p_mOK6iZ}|p!+aO?r_~WV6k~9N zrI+-Sy?Gu|*|DK`__RB*8GyxhRAk8j+24o--^4)-2B!}$kXF-Gr-C$Cl z2qPGpn;F~d@cm?%BajcAWALS>Nn2b~nT%Uq+rQxPvg?$>q1co7p;JQdl2T?R(IIpJpKFR<_$oUH-u`OnD-$!EE z5Ls?ngI0`IFIX!qmO3XlBBlC4W;_-G;Z8E*GfNY3Ni>nE@_@)RM{I=H#}0hKf=JT& z5TOAch}C0^EgEE+S zud7s)?Wan8PY(}dOjFY*E3zPf_fZ#g+&jqO zhip&AKI}fCdx<>N>5$lq5kF5Ek`Eoqsmz2(mSYG#6{HA34s=`rn<3Wc41j7z4amQbxmV!W7!bvX4kmJy|51gZmb((xPs`@ zR8Unw%?&isSOtj(qE3~89cs2}Ik&9lDl*2ryhrZ+o+77#;Diu=uy`rr|CL1if2dKCf>*h=_cl-rKpg{a_9Z)5!`* zbWp&Ppam`>oCUm;Jc-y?h?Bap4?2>9 z8LBE~Fo&3dXQ?f}KeiBIGnG6OSZ$%A;-t&m$r!jZK#shubwQ^}kgap0zj=rdOg@p^)a zdR#X=>m%x{N{e#4g^Y}&3oYWPY6=NAa72hRT~T{eL8DRyLhAb_$;+0@^?ep|vps|P 
zcn;{uH?7Q%6qJ?bb&2KSRL7?Vz%vvLP|J+GjKcg;fw%-(_pm=Rh%-;zlBWw;y`Z_G zy*c1s9NJZp5kQNh9Pb+VaPw=N5fQ~l2E?+;SdD)T5yA40l3*+%83$)E^KID-9|6sf z*bdSzq?=iDyDq+B0s8;yAJZEiE2@0WV;XqRA21{L>O8aT0rfp9kXQRuuW?%ErLer` zJ`JGCFTDqX%sm~*?Ad%eXrk!^VdR{06Ow$CUA*{6st}+kq-;INE?#^j&OW645%zCq z7gP6v5dX&?T3Yz%l?C~oeOKqo%isNLLj1kot|R^rzAO>{V+;D>XX=Pw6&o>rfij+N zp6OZGM7byOL_hu%3hEQq#5*~7^N8aT#x#AIq7k!CqC&JMUoZiZra1rORz0@KQr7i? zI6vlRvo9A=8v-(v#*e9rKcUyM=p~2juEf)C8CHU#C=8^B?PV_o2FxYNiXTJjgOag@9oOrm`LMgTb zksZY_u!sJG-r7UaTY=ts=xGlH7T6z96pNnr+Di`$^w4Xcp+r%nBrDcBA1LC$4mq69 zcjkTOd7qhoeEpX{UM>8nkp2vx$+JHkeDK#o;TKnjzxc1PS-4vN@5WkT?Z<_}-~Lp1 zB!0hHyZ-%mUwwP+KR;J~`{jq#zyIcDp>XBOPgb-qe)qNZ#pmDdZ13(7)%80Ox1z3m zOKn8V3hgerv$waSQiWbyx#LH?PH0V6XvI`C#jMn8x~5%Q+3-D&+1&BHIyqu2kS*6a zW^p=a9+&Skufw}_VxW?B+hzf(v4X&LY)ceU4fUL?2FTdU;x z$C{#{+;-@69Mo@jL%+vl0Ddc zk60+LchHwQdEmcvT-Q>|ibifcux!WUe$-thcRkKrf&{X?OCA%dH7IRVZjyC$lpV0< zJ%_7hqpBDca^v2ey$AP;#C47s*<$vQf0Jy){Zh*mhS959NuioScCEG*I-_E#J@y6x z%Ua-td~$LkxBaju_d}O?w%=l{RSeb&BgQ}8-}^*16Whs~;ZJ4135uk}+OEZ6 z@1bqw`2nm+EcHjaX4?L@-z@lIo|(#w`qs zR**63W6?!XyPqVqEyraosji(BrLMy#3sg+gte8cZ=0zj2{g9y!MN6_hIh7iY*J3ZE zx-|9`U85C6!+J6$bb(`XM_?lgSS9>bOQ$aOaMkX1r@n3Xe?U;qakwk0aRag}m&mj*{%bZb3{$qf#93d!Y6!?@oe>Zcl0>f`uu^S z40_!}84MRMA;Y4M`;!hG$z9HaiP0%qoHYu3FM@HgG>cMmz!|1r*hN&+W?{%e)SFlb z(-3zvdG9b^jOSFEJu2JpdpsO8g#YTO=9imjax&3~6Za=lJ*y{XdW(g?twH<&HuKPI zTnj#JitO-khxc2^Dj){$zSkKg)Wo|m+)LjRRc-b|KVa%@7P^iniefqh&Pw$sBC9C> z3=6*xP#g{KR2ubSn|Cq%qU6ISQu@-!eQvR1M=aG*79dCQ(j4Oa||ow zj_tBYZ4EFa$Cg`OB%e6EE4R9Kpia4qX_n08{Y7-(E&5A3ewcKgzbvo_N?yQ=gt^|k zQQ{VF)r|x!UYZ+~b8Zxb{viloW_vL-N(|ljLEeHr^sVhK@Rrdq&+(RI;0xUX));Rt zu*!RrNGSC3QwamP0C5xDUDmZGje%B| z;BBd~P=4M%lrtZ4=Jy@JPC;yEus31b1s--O7SEBtoMk3yp5T7_yXf#_qTqh}yXzCF zBU-iZIh?h~E=Lp>#h-Hw@S!LavJOaGLd7=XdK^AT5_T-tC+jZvku?B0x7>t3)=Gv} zL261N5yqCN0meJQB4w&0us5h)lv+J&RMyn0pywe=-YexS)m-nf5K+8(-;WyWUWb8N z#XUvix$Z&|KzQppmgq=INYhqFeVWHi$DV=mugXq$1FTj-XM5J6FIc@Ho*gfK)}%|N ztxZ(Dc)zWdm0DG)DTvr+#&U3#N^Y;6isceS8O3rVh=6{eL=2P`XyP)?Vz7wAyv)*f 
zcDe`>R>{WBJ{dj>xue?98l|C}kq98u!Uy68I$Qb(o$X!K0M%7!6;7d3h%8M+*ea#B z%jJ@l=pZ$rpOlRy&PJf=o-xj%FlzY@eCo)tAo~zkn{YhMD1xb`fg5Y z79camp9I3!kB&QebX<3v5D>dOI)?biV9G2+Qd6fw9Y`Uvq$#zUAa0Woi4m2nRX}2j zka*7^WVt#UAs@1n#%F$bghl|Td3fAmo)-<=V`~~9lQu^knum`={c+@Y1P+OYVw}Vy zslqi&aYC|NBpDhBG**Y7Q*^{2lPG@(6v&WdHgxea22xm42#Ek#;s5y5>^rW|y>xoH zAlpUVi$ON4HO&RuY7S@pd{PvMgB&9zauCwcrHe5!OvX}JmK_$F zT@KGi!$$decs9=vD3XV_tfH0)dW=PsY-qbIWK4}Q4;$|VwF@iF0&*5RO$yep>@aN$ zDxmKv_>=fZ!cB~dk?Lme=3ez?oHjM(I3t zGy{cF9CMqqJ;=Zzcg};_&=w+9IE;wmB5@S1QA+jn`ik%+T=|Gk_N)^Y;mSxO2yxXz z2~rPB$V$o3(?juutdzv{kV$Fw!S3Bn0v%$N9N-3ke-e?0d!(%Bt7P{PT_wsx9K3Jb z|C9(Bq^wo-s<=|p_IE7aRp^BkTQTY-9XDfB%)%03LTdAK{PqXV!VJHj&s4+|EpY7D zIdNIOkvH(0r5syR(gt_2g9u$Ut7#Y-{vkEhGz>$jmT9>*{sCA{${S`$F>2x>#Du(| zmooB3NyGcZU4ujbK40G0Vt&|}l75rsrn@yy=@QV2#9M@=Px_%o1Z;Zf58?yrJJb6j{5t&ZTSR!3 zhkKN}M@D9M7ZgI`${toih+V`U5tjud4hV@ErUCIdATbj6kvQ>K&26W5>Dll9&CT6B zp4pG7nw^R6tnhGqxY=*N{crpI+u!=b|M7*DFRkd$_rJfg@(OBeu57^~Pp-ZM$5nHmLM%X}P8S`!h-oI(<2iJE9*& z!}I5^`JN{`k>h(iqT~9Z#4QUoN+^f|-`x=d>!f7$WD7&N(&@+{1{2AXsM3!HZqXVJ zU8iGF`^pL3dHrPa?!euB+Nzefi_QSuRK~JBEPl1}Rld1({@gpE3`$pe(nG&@{r4Q# zwJPi7s>t89I*u3lVSiWbdy#YnZissa;$2az9^wCLL0rMp)IqenDL82mU}-0Gw*MUfZmdH`c|0)wKdAZlz~dy5V(v+wpokqW7LN zEDBq8T`Q7B5!#)8QtOW8^+uS>j*wpIor9wE)MSdbRwza)h!{zqYM!jC$+EABkjRsw=@1ldJ9jkS} zTB_BmTkC7Jt$L}}s8%eu++hT}PrW4T9x z?8+dJf!Y0Q^@i;PK+pLNuvka7Kd>BcX~R%jL8pHty`JMqvv$w-doJJEyng=N`E#_V zZ(&c*rxNG?nf7$~AN8J&>CaF9=C}XqZ$KrU&!Q5)^Nm+lz7O(1f98kj&UerM3-|c5 zGkg3Bdiy#j;0TyUag9IZ=OGQAcJEGO3)j5PR9?tN^Og%$916ZjyUX(ilW*O z*JTF{Y7J4_+G*5x)@tI`-NV^L0NWpXvUGSlMEhjJ?}|>}3PKsRMp3tf?Mq~W>fHfY zqyCPlZ*OjI&!r)?I)U12X*g6J(gc@jY6yU;8F{ zybQvQKl4KXzT7zfuhiqeeOvb!FWKMgCEF`x0Q|k?h3ogO9e(}(4G_wKyLYZhU&6)K zZ{?(y+dC)lY4)XMt4sblkdc)@D90d*Yo^6ScT4i=$T@E1-Yvaz1(bF$1O;uoGAB9; zoUPpcjh3`~a;mjw4P+~K?8x!Z4|fNf zg?gqq42bIYL_Yp~;5l8;g@OoA!$=OwVm}gNKX?*~_NfS|kZMPLDWbr_j}CWcd6s+n z9+h}9qUvH8_>tf7-B2+G+C4>a_w?XvceugZH?Hp=l;hbpBPVj@UJ3+e9Qer{-AcU=4rGk;$o>gw^ zwjJ9e&R)wz^;l2l&rPNlni~XPL7Pk28acHXP_`bhC|=8%a22`e`8C8 
zqap1#;dddKQAO!Oh@!a=@(!f!SmNnO29BJV9j*U^D{sHG|JJP?@pjs&?aRjZDK8nwDE6DH@DZUsD3_0$3Zed$gYiYy`parUe4+J!b9oVPWKV* zjV#h$8->7UZrb+^!r{J|Kt?1=aj^KQsO2CbSLLcR2MXo zux{)`eQ}EgB5{StC;*xTe{&K$gvfVCkPX2I@=h@<`o&%`C|boq;eF@fs_HB0>R$UX zgx=h{HmJKYEi60XlOL58?{Cqk~Q5JCLEi3 zqqZ8uRnrh#Ox5c_K#=21@9BO|S~1(gZUV)-8!G}?yo@Og)6^W()W_DbrS9hTQhewZ z+rWZu{zAKabae2Gh4+uGKv+dtbc(%Q1u5{XSk-9nqL$No_z2%5y0j9spcZ!Fef?W> z^X+0k?yS`>hfqSJe6E};?ABW?tL(Bcdhueu-D*Fyu%wTQ{g(Bx_NcJie%ODM_FH(r ztuP9A0XYwvZ2n3RSf^zc7-)Ls5DKm=LxOTsyen1 z7PSJOurHzLq5TN+*|A$WJ!Po+S^R@sz^*akX>^`C8%iTs%zO+p}G#m4hB= zK~N=W3lxL@JtDfHSQp(qB9axxMc5*P5UjWd^-%`N#StJah2=U{C`MjV?AX|1PWM!h zfO!;IJpo1I2+PuSdP2dhj624q>L@OPei|@S))io!0N(3gYOtiffXu~BIxcj=BXuv- zH*N6tNFI%_%X1pF1b~_B4$LawYgKo9O(#aR-QMf37rOZls8NrQ3}_tV6=UwB!ZW&u z4bXym4)WBUAWyk?=YVvTXYZ+mC|#(=R0%R7G4;X8&~urFFl*OnR;t4e5OdvKi3iT4 zcgb^!?8ya0P6FEt`GlrT>|7?zDSY%8coXMy%WMrMXp^SAT6qvQmW1S368$ongCMGh zLc*0*u_N@@$}EJN)E+fQflGDbVY|MvSYf_VpV}uY`^;G7>`;yvmGikl=SU9P(mo2E zo;MoiiXwL~YSZ%JrigqYVT*vC2!zk2j3Fhlnl3YiCG5Ow(pMfxvyy6+&9-l!8l0P( zy=5J@L3uLDgzX%|erJVYE9a?V^;PORC(NaiU2(&MLXi_{q#AK);Y+CwJVNmit_cXV6$PXj%#DKtRq23w0A=#<~ zxU$^*L(;5SQD8L?M}vS@05*yYxZ44=m_(+WvBtV}6M`n_HlUtr$2p~MRAS+qL{Zo8 z`Q@S4o6}RXVod|LSpgpHDTSH#gUB#EK5}o6!vb(2qsnVI1;m@JrgL&Oe?N44YH*4 z(~Tz9wrx4UVr2wK=nwJcI%>n>^(43Vi=>)T&6hUJ>0*%9SeG6#SOfa(x`+-%0Q)gtCjPi=JC$7iUU;Ie5S)vC$bJS+JC0*HyaXF2H zlQUCYlt7M%_F`7Ioapwb{VC_vtc+mg)mut`&!b8Sc`=zVHJWOWu+9t#o2sUm7}rS# zp`-zW$dQ|)G=?E@nBlHx;nZfGz#q?`Sj~QIkBzmVGS(WdJuyg)was=QDti~L!EhG> zb3kH|MbbR}g*Zl9IpmjG7LsbV$-Ed&#|LA}8+e4@?F!wh~$?pOSDVOSTw zXBy}A6KBno8Cx=WqegtGip)8N$|EZPBj`lNTA7s+#6o$}`z+9QuqGLNNd}w90r6If zg|SR;R9SJavu@qoRC|`!*cJ;-R`#q|f+NwXmGfaaA{mPKU|i7gN3b`?Jky{F#wFG6 zS?@uT&9s5J7{>EJ4*k$1CTYW0(}vJ2@tEA+0lJz=G%kAWaJakp->JDaUoue70K3>J z@(BTlo&F@$FuRE#GhxOG%6-=YMTq+F0Ff5Y(wDHhWC9>p4P?(q#9DwKh{rJ1iZ+|m z$P5mX3dJD^(tN0SIYT%T+*KO0U`rkO>Cv|XGmFM#7@MUc{S@PI{8&Z~C+yNw z3%YpyRq0eCU_o}%L@=yk{u2x@(R zxg@FO_HJ@RaXH0wULI|%y`W8Jc^ej52evdaEIkg3-N#|eo^2cm$rxH3wkrQwNs8r2 
zhEd)wYxTKsi5)hpJNy-{?vkC)?Ca|3zMaRj3h(nnvKHB}u=_YHW62zwE{GHlUtfj8 zVu*+f;wohmWN>Jb?2NTq-NlgSS}N3x3cJsqrN#=8SYXAfhVvL56?Ui9azZbILQniO z3ARa!HNEbFKa9X&Vv226As#nHh|LNyH)~9=wT40cc{JdySG;fx!bc7#L}mD%a%yJT zt}zMoa)RqFVK8UowB{^0W~9^u8y)6&KUy6GBiQ64p5RhE8Dluya$>Snhd$F!AgvG# zdQN?A(+4P(ma7KEcA*6gxRJHcJW+&u(jdV=EoDuxR*puDiVW@QPOn@h@Rf?tOpy#pANp8(!-uv}~h zAD#yUU|^~|Dgck}k@aukfT%xgd5EVYa9O?#DFVRQUS%O53JG}veaJ z4Fk}fd7;G~)KGa~AwIxlwX~~PnE`G%1Nm8@o7Gcj@{=EPznyXGP#0`9%;;LFwij05 zW+8*L(zWI&YHV^;5pJ5fPL56gHn^R>WqvOxo>LUxo>~hN7(XJ+>u~HZp@am=9~AR? z04CTM@UyE;>O(7lGaIG{fxu87`?!lRUgBSdWnwWEeE~d-K(>U3Edc2h4wYUW13Lu0 zWPSvrg_MaU4=-kK!4SmrC#7N%J6c z9SRi{H<$n|*vN!lbNGkGyamN`ihi6p53D7op;H5G^83Z`o($#_(i1^Y2=nq84ns<# ztWs^K)TRZP`oqL>V(Lxuw5f|ggJmXDBqL!Q9J`cojs1~pgY6*Df!LJNa$p_-N#vpl z?QCg(h?`(a$I4n65$sTKzpJQ~Z+(ivjY;G`IQR_c2O z)^doIQO9POKPrWaHiI@NB8DrXm}jLGEd|5<#LXNB^piIQ8YF}O0;=r`%P#f(&eD!_ ztTjbnBk&H9Hzd8BK!?)S4XA5$VlG_Tl>vFBnd8_O@ldt0K+H(EVD9c`1@}v0b_A)@ zBc^D}Rjiw=G4ldLV52>mXqe0gO~SZ<#t_w>!_zcDUr;=!=*Nf~-h>xq33wUAKR_!Y z+_|TMj>kZd$H5zxZJADSST!~sSv_!2ln<%`OV}2DDeH*TYpuUufI7yI`_W*IO*uG& z)e!-5Z3{vMpP(*TB zJU}opTA~Xwu~ICsF$bbvOGkO-{=OK66jUlt;6PSdAk-d{*_~bzUza!;%uhPQ%sIjs zWQug3&&zULwo6N46{r#EN?iV*aWhC0-*c%!AotB?@)%> zXjr`+&2Kd#1XWQ~cOMJ2d=$;fG6elx47xYTSq#3z$VeUxtz;9&x7xsWS`0P~kcD9B zA{!!z^ayjp3*sgjmcrA)5XX&_xft;uv9{}YOS`mSjwgErfgK^&Blt-dgKs%tUXrjd z8X{B!qhG2O6K9AkgHbJn&>VKIv2Q`~oT48mL4d-PmUDq0oK_6#7yA8Uj32AgF?9CfgmC({Uc#h!P~?Y!03jyfJj~g_MHE=ppb9 zu|uqN{lQ*k+ZhQduIcrQMMx$G$OA;Gakd;{cyr0x-cnG3Gv^{-Mv( z5uli{#C=jmfxr9a!W;$P;v5AZ>x=?vj)Lz}jsi0YM3SSR^5H8hzt>pdzsVd0jo&{1 zZ`9*QuI^FgDEO|*QGg^6_5YI1Q9uBj{UP|z-?5Of7?o@*?6-X+ky(s8%h}Z#ObK6) z9kU2vf;F1X)PZe-woq&!ALeH_ATq7sn+pA4>Eh}`{big~wb_P1u2p`3VGD;I|0#^$ zA(T-vAXLiR*d z=)#Jh3-`Jb$K}8fOi@{YOQ6Li4*KDJqfSP{j7^T%g<~RGX&RXg_W*Ct*q#Q1fHt!M z(4TdhFNqBSO^(>(ibJ?(&@2yuRSW~FzJylJ;U}M&6X_1YrwiFjk5GC#*jQ?tfv{$6^NdJlQbr8q%*bS2 znGOXZwa#m1o+HR;B#Fax5(iB{f#9qF*$CvMi{wB=AL1qg`t?CmeV)XO^H$ELOHW&` z)z?yW!iAM5xA$uH#*{T#!7;P%Ojyu771U;6m058~WZQx$M8mcO(rt;%DF6y>PuyR0 
z4j{LegxDZ>Q-4xh6szQTVnP90kZOiP??@^v|vb^yOXlq#z12fYgYs@z7d5S;!!iH;5_+6Jdsj_${)%5r-|25I?=Q;0-)WCo|hTHG-}+^@IT9#PJLtl{q;Y*CTJMj*%kuZLTi?wrsMa zhp@wgzhe=SK%&oY*;U{zxuA^x*)T5@8q8Z~3<^pn4)TdN4(`1LKCBY;sIfNZ+Z56R zJ=n^$0tgjjS&H*YGGxj7LJ?P$Oc7vs!>mfMoI5z>5dduAGr-0{Km(S72`z*KiChk! zBLqo``AE*%b$5WC#F!6mmUXMh;$}Fh%+38KhMTLpMn`Y zcP<~&)DzSrHe$9TkoU;LNmu>~VXi}FjJfln4pKy=1aR?zH!vK7|CpC_W_)3P@krEp za@AdY;+oR}VErhk7m>(Yi%($B;LtSQdAALKE#t|bX}W#)HgCrev3Wq5-v~qTNj#8zKEp z1&r$akV^1Cj4Wr$h1xeQ*clU{6{L?jx--jKsAx=3b)^0^yIZpQ{B-tRJ{|cm5Xbnc z&-xMPM`F!1bt`0v{fn=zZSM|LxGwfu-$C#goE=CN4S{C>S2C}DhKbW=GG*0Nn#=87 zPJb|`T-Y#{gDY8i_7a_tprVc>#svF1#UEj*>y)lBTpjIz(%3zun^2(5hn4z3OFM2+2o$7WphGA)e&ajO|LetGv@5>z{J$;4j}!x@ zCQ^XY|u>^;QL=?wdao7Wt$@_`w2sI2@>q2DZ&OD2V6ST_8gSE|@s$G%%WL(pE@f8sXUAfd5$e7$`H6ar#O#^QzqBt@x5UPoO9I;kTZW6F2TD@-30eQ z{2Fz<2V$$S)~MCDx9evheoTcjxg>s|3``@P{{A5&fEgJn#Q}uaJ%PMIs0XV9BAs9Y zM`S(>MOO@)$=xJLkaEa65mp{vCWzZ2mbYi)(wnz!=k~R?#<#jzTuSc~E}8V|E=*6O zP#|Bb^&UGJe-77F1so>IdDYGj%kHqwR!YGrnGz%15kyDHh6693+nE z*8)rvSK@{5y4&Ml3Skg+6k_o(vjvlwW&3vT6j^SNzmmkS^w$#1GHRO0wF#u!s@2!) 
z>+2g^NKv&=7<+-prRk6Uo<)b^dlOaYXQsBvKeMXq3-L}&q){ZFDfvD5#Ll=6i3%oY zoGXDl6sZ|5Vd$SCIoVuuO@ek6%1%T19w@V;I`AHAp_7LSGw0w@Sb;S%g6kb=l#@3+ zaj*uTKD-XI6oqrsyF9pB5e8V!hfKyVeq!u7pxk6+m6>5$G*@WuRCrzI#PP(*g~&{1 z;|(WxDFFt=U`BG*IA;+E!c6f>8KW}riAMC|56fjL0IQMCmmz0+y4mN-;xHCG^HWc(RTsw$AL78-%<-@%dMqLIQAS^IWvs~HvC-*(-HE+EwaMuQKAhd_D$;p-P*)uH8s3&M6bGCMnauG6<kfT>OB?^I*r{i3b)Fnsg#sQ3-o+Y33U$U3i&!Njau!s zP8H`<)@qwwt5)r_*SG3zx!I|z`Ob-S*&NxlupI;;1`o~bHD4v>-VSv2L$czqMk`mXE-6Kw|3S`#xQV=k#In$Ge zLk@_BBWQ!)(X?k!FgRnSOHZL;$Y(9d8IJQRR8&wAeX;sg97eOaoDk zR2%H#Itn}VGz9X2b!6Xn!I4`zL=ocL5vSOWPd6ZsHN8v;PLk~45_Bc6B_=`{_XSd^ z(J4{l2{_A$BkmM|2xKNe;LHbEvGLj&I!(yReTg^+RYqQUXymFoHa2X8FqsmTwo#}u zfrr}7PY>1~#`ZYzA&`sXrFU>@A@p6G64*sNOc$@cE8)d8)#1r58R89)ky}s$s(myU zp^r>V##tD46SZU3H* z9+pwpw6*J%)!!y>RehHF(jCr^G??sszIiKo1PB3`9(e=V+60d(Jz|;;=mz?`i6mVQ z7~zQ%u|pq96Pjb|ByThVxZw#UvH<4C@5s7@p66uuGJC%6GlTOe^At}R)?C&S3{E>5 zp0TrZm_vRMAck~cSqFkFabV16>?Ix&O9f<2<3ovP9-guNJ%9quy0KRzZZ(sQCXg`j z1ee)#t-8|WcOo_tA&dMS$Lsor2Z1siU|0sJn5w6G|b^0@fKJ%HzwlHt&>jlMg ziss!mfDvzo`FYgMokJ$9(Cb1Ztsq|ID1R7ggAZr2Hw|nz%Ouwgf)Uh58GLWmBvO<)>rk0vmRR~lP~6@dw4woUMu&Q z&P$x)&2Ke&L7@7j-$4TrM0J=-Aw1B1uj7t@espq`u$**DJs^>XSnH1qMG8>DiC(T~ zgvvsMqo|P(+)GlZ$K2spDrbG0;^WDeDP~_hKZJ`Wl)ILq$ zk5!m>r_C?mEmj>1DI-Ja<_gJWKKteyA`wH%#e_Gr1|vCrycZ~k-C^PF&73ee88$V1 zmcEuozwRbon>gSUZAp3b@xtJb+>=U9=prCo*B>VAbVyq_7GNw9`b+$Z-fXQRtO0m$TJTpuLKDR2_%x?JGXwi zs@-;G1tPT6-Bq{l&pGFw^WF1P-~XFG`@?IEpKTPMSFak4H*oX&UwiAB|GkCA-{G3R zUl70WgYSg9-)^WHTSs{;|P7?D#ayxOuK)&k+QJR<$ zw@*c437)(yWBb^R%--!KV|mqBT3I%F?EQm-C!L2PQ-cA8702A$?Or2 zrAW*)8R+ZNe!C(VCZi3uetY?rY7K;v;s!evBGS3%o{8%V`yxIQ@dg{Ffoq3x(CMuk zUE;of-N8JUha zb8Vrkn>KR;H*vYAOPhPb>|HV$Pm@s?SEhPW>Q`k%#;;;9qrnl+~cL33X>t944V1dXjnWsZb`;W_y$UFYc-V zPle-3Bj>iCxQQpWl#Yf88-!`#^gCJO0zR~r^y%Nwb#^BV6N$AWrt1|&@Z8{(#lkZ+ znM^z(M?zq;MzI)}TBif5oPZlvG1hhhvcOK+(19Hry^byAw9W8c^pX-()=9Vzond?| zWax`IRQ#kx2Nx|KXUziw`CLtj&UN{!<}^|(}-+|g#+jXbrhcPfi$GP4)dWJoPC&z*cCI}(f)sF 
z`{|>Hj~;BWr=pzH355(6Geu?YfK9@bk;N)KjrdUDjDT^fAvv;_?}xw{3}U~OOfHYS}~S7MFVO2CDh(H6oKOoj>y{TW^gx^N$4}| ze@&!iCuOqAE^~{J36RKE%5JN%m#Mk3cKpmNc>jMx-|vS00LsVtC)etSI4o+c_A96Z zL{IEAVK~$P&vlMnf7lst928+-;77~MM{|9sX6Ia2Ln_jp<(n`Xh)Q}qc9Ri%pp2Pq z6X-&qb@BIS^^LLSAPv+>+;rQr9kz$$!Wln9WsA_1HSWp}lxy#+&Y8d}Pwk zix=hi*7M5lHtC`9q3UCN_~OOkQOk%@IcoBFm@0d2y=<#Kp4odRfH{)e(QIvU6DSnJ zn-V*j;WxupyE3tl=R=X?59OW70UtiXF^q19-J?xza5)KVvxh6P&f%tSL_7w7JPI9Q zxB;B7mF}(H%2HSFQA6GDqp^jCXG0}SEbBLfJ0Zrk*{29n zj#399tO*#p=blGA5MEs`bL>(mttpf~;b%N+)wZVkFlbxQf`8C*f$ z7HzjZ+{`3}Q!rb>v^LSpH4l&QPmYdRss)X3TF;AnHfUPyQ9hYDG9;Xkq^TKNYjepo zx#1~C@$I*pmT4VwZ0S*ZWb(t_QESsW934&PZ9TU#jY2E-A%G{-+>T>DF_e2j>=_ac zjxgYFc~iY>cU!I2%a_EA4YD=(69RsVaI_nyNuzM`IPc=op>qU&HXKtcxYRan1J5J4 zZ^Z>^Hd>Q#KOygFN*-jVv`U7%2c!0x~b)i7qh+GbWIIz z8i%7y-X1VW{T>q%WydQu9uo-4{1J@Kmv9$`F1*LMyg0_*35E!OOO^)ZW7mPvx`PQL z2lqJPLx!;87#lrshb-F#11*)yY@+;;8^GoWXo?Ozg751TcNwu1tN=LkAvT<#_&95m zMWX}%BN4|ba6>DUl|h)Ly@9Ld(Clsw`);nho5PzoTZ5(zd>fM5!Z318Rkm={dP!|C zDYIuR0q_PhfT!iQ2rx9}TWJY%H@Z2_!H*@!!#|G#Poa`>KMKXwmy9LlvEm%x6j*RB zf|lzNkcul{Q^0;&%@QSNut0(RR6Yd_3Kp8$n&4vf)~e<7?AvROwZ7E7eVgBQ)~&Vf z?Uh@%R;!{dhpOFb0xFfaCdPsgv3lGv!cjaVU0Gxstf0+MfkO5CKu^Tp)F&s~3$qvq z{3atBU+(P7$}ZPQIaaFN)O`C`_?B>vr8^ALNNY1~KecH4(8!XI37@-&Q=#zM^r)GF zc7gN?vq?Mms)(%!>3614ZQlx=NyQgX!yfT73s_bQcpUeP*&dhD)Pn4B_NNcrbK&So z7(r4rOm_nW+!C>F90Jv-w>wlJVI|lkD*KfwVS@<=V#YIlX8Yw!5dCxes{U4*B=DRv zJRZ!t)lXmIa4eRRu^tBA zMB6%0i;;M8L14Gg?=`0(Z%v0>m2dwV!wB(z_vfxe{I4m*|8X7hfA4n+#Q%%`s3U$Z zx=%{TCmPo8WE)jc#hPG|b*XKjg{+xV`n_|srWoCaGmMh}`&h|(WKmWp4-m**_QGLk zM8WWqnfe`mal85*Xz*5+CLl{I6eZKnn)#H}RCInut&keZ)Q?4}=jpLK93_`glX?|# z6n2OCF6mFJBX%gp;0Q~v=&5@1Jfz5@dPn#WPnkBN;{Z`bZXm}NvSz2+);)BZE2xtD zj^|z!WBK%dL}8t{j)e`?w(j8f{|iMpKMj2oZVVq&yKuFf=bSwg>S2RG1@>51eE0rKT!9E)Vshng08o6uIPTOV&Cc zDN2*C9<_4^lm}!DRx$)4#6SPVD-r*<72^M>j`-g+3dH~0^E%>Rz%;dL$yOGMR?lw{ z$6>51e+itz&#vH0wO`3b<+`MqHFbp{a&qG=|jN=Kzc{R=VQ3fzZ z&R-x5ahT160EuNwWVvMnS}|I=WUZ)J>Vn*elV@2n)r@NG~AID)ZG}wKC7=927j0;s!0u?BhO3G$ZvK{d*qA(v3ODy4O 
z(j0l7Q$@CJA|MB_i6kfjU5AZ{Boaa<-SCu1fk$hUI#cDO--#}h#{6~~ysxB=Igz!U zpz;A#Iun5_5b1r=RVvE%6Q$lSJr64h7{0o6eT3^3-vbFUW~p#BoGH0s<1c}c%yKVC zXHN4>Q{^_ltX3>4oDEQX5b>BQ7dB$n3-0pkm?g=*+Ao_^9|_-A8nxn> zD;`5C*A0rObRU_wA<{djS;!*l>O??`cT>|^w!5&b<=)zW_qw*Vy1rzIHM?uQ&HZQ- z1l(G)#9$fGr>&u?fSMafFz8Ge4+2` zZ9m+d1H*K(0uo&m@Kh)$83Hs)(V~PVxJ2QFN-+cEXj9Y(45-4n>!&{J=}TF_OUaX% zjfFU^8+*T_D43zDVg_@F>8mPx9v`Z3T4P`@MX*|IMaD+~&3T_}7Yim?a0qOa=V3$tm8{9;<#!G3Ab=Wh;viZds9K9QUyZl`=-dt zmdo{h7IU+h9_Hh_pd;V3GCxvKR+`rpmWNXvpBezqP}D~)GxjqI^G5~Z5@_vUe`XM8 zp12iHm#}(Cb47b|z`Z=Qt0E(S7DqYWH3;D5*El00ijNA2Rh6+C|5_r3ESi~w0 z&SK^}su?~4njx`0q+Liiv*vbPe8mFv|JQ#)Z+I;0>NSsP;5~o9jNGg9%(4g6_o+Z$ z?NhzRX`PqC@}37YfGWTA9tbk`bRe@A^XZ_8rV~W5d&X@@@=12_`Xi}AfTEDLwVPeM z{z#mCNckh|f0$iN-3LN^_Dk0rpS#vj-`RI{uD$t{ZxG^t`{O#|e-tRh|9r!|`zFq zRz0@KQr7i?I6vX%vo9A=8v-(v#!skL76@Hvt5+|9!v3@!Eum48K$?OXu^)h)WCw(V$d#F(^2JC zW4Lr>;R`}tEsx((GL3+e^Pkk&jRr(WU08j||7yaepZ0oMSuOtcBBev5Kd9~lK;8jV zI+p1U-#ecM9lZGi_}f&UGNPsMn@sO8f}K2LPjE8S!TF5hZRu)0DWrZNte^ zKNAPyIu>z4*OQ_oNF1B6N{);(mX*m7!L;%myQf5KUd@mK?3-mfCw2+pkPzTl)ig;F zHao-)j@`%iTXw~;(r+J{V~0#SV%Ev$da#)_>=JRJd-Q(3n`8S72hLOFf*%LFux8je7?8GOsap<4WGR9N zG@WDPlf`kHlw_=z3EbO`)ne0oI}I~ScpBQaaxyNK$8zJQALorp-pG(>urm@21fYs3 zVowmLSEf>`D;*+*jFXjdP>Rsf?n|Zkq-{CGtR^b;;JlS4(XpIm9(HSQ8+pPH7wIub zOQ~9Xcw}&3a5pWolF+rGn39OAeK93Z9K$t=Cr8TT6H%YJXpRHs`0(N?>Z`l7WK!8V z$aniInvcx8esKx|HMRe&9il$V3zbD|e{kp>+7HB`-C^YorQ+0OJap>^Yv+(;` z?C|sOhM&;)>(hTnoE@daS0|bh+kx0qBVJx2Zaq~eHg*IGf8Ol&*xjEyV$*Txv1c>w tjCSQsts_1_M_i^F%^!%%{zBpZZ&8g$w>4;d23b$LS+A{WyaO6Pd1BgNbAdSd? osexhoH3n7&#*) rK$?*OQv<{FYYeOmj3ueXB_LCUKBAcl(ZPh*REW(8bAfJ{1~(M|N+uXC literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/icmp_2_pings.pcap b/packages/endace/_dev/deploy/docker/pcaps/icmp_2_pings.pcap new file mode 100644 index 0000000000000000000000000000000000000000..fe30ecd7c1cb1154ca50330d2684a47c0ae03cd3 GIT binary patch literal 272 zcmca|c+)~A1{MYw`2U}Qff2}IO;rsu+{eqH2V{dV7%+iJMh*s71_lL?G6%-ATUc-SR-YnP7JJc%$hi IWH($l0Fta8s{jB1 literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_counter_ops.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_counter_ops.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0a837497b95afbbafd172afa389ba11efb9beb26 GIT binary patch literal 2149 zcmaKtUr19?9LLYS`{QN#=Q=0uAu1mbGLKO+<~9FyMxd7_xqfCk00WT z4^(0&Y$cO~DDcH~=37viR7opbV`=2z*ArFGR*u~~wMQeT38{S1OBQUn^f2)D2#c^!!WmA5R&8-VTDHbCCkA5LC0 z7#2p}28k0O(X;c99~p_!oDxHGNL)RemFU$y z;ToQ3I5Q;LQk|zitO+wDe#$Meg-XOXDf6wL=$|I}7~CNc;`N9*Dq_wx#W`io_CER-#ugd6dT!jeM(fTgE|* zrvQe{+|T*cwNhcP1Yz?a%#XqrmIPrCmOAXUbQl$;vSVi%5_cE&(u?Db6$<0|LD)J7 zbMFjU<4v(wSD8&8JCd-#_e~`B9?DAe>h6&So@jtTYgx~j`A@|ONxS#1yu+m0E+MId z_FfFVpW~Cze@iUgyY$uv5^dD~s^EVe{0GthcrWLFDwLylOk%xDNxnooP5LM#{h&$3 xWUJsBpMthqW}L_$=WtBY_&F3?sZ3fV^BqQQuYASk4^Ach3Tepp$5 zLc}bhMO}>YqHts&)y1|hV$s+t2(N-}qU|Eau;+R8Rp0mMI`GOlD4*~5`Mj@ZCjTO> zf)4yD76BA|Sbyw$G`~-W9=xaJgzeutz0W6hUpcVa3EcqU2l+6Bn;ss2J2tTu*S1;H zKbal+^O8v8YO%N~2%zeYjG}1{MRB^04DNkH-|1?JzT=P%NAZ~!=TZiv@5cZLHFa$! 
zG9~yYXU*Z%lPD%+M%P{PjN>neuB%R$vf=9&qGM7s^(Jx`Qfb+G2R@{z_sD&zcLwSG zmSMDo-DsfPm&io)Bk>&4XxWGZC!Z1VN3<@{G}WY zpW(TD5}TtyJVB1$Kb9QzqoX;?fI_dQl*|2a;s7SmvJoTkYm9iWF42U-)Qm_>&{5%6 z?eqF8h`P>1-IYYeQ2nBXqNd*oqH>AqKMc=pHH;_mO}32{a4gYSo$bJ8O2ucA|RYH<+kf zlBi^MXu%*+KQ~IEN?~-Cv`VZP*4Wjn-!$3n4so&t16`%jRck0FPDZY%KHq1X{m4fb z5r_4(@yGO+&xw}n$Bz}{rzayzn zqk11ZqbDTw|LML5N26u4M|3DVAo^1)M}lX&1w76hY9UeoRoJA~TSn zUzt!zL`Xyqv5*ok_(LRr%pYEI8buU|6cnuWzGpjU`@VCwpMCJobN0#eK9|?;bK?EW zM)ZZR1Axdj*eQj0e?{a{M5WU3F24STcn>sk zylseH;gO__krs3y%$JY}(KHKi0nw;5h;_Md332TnT|~2#v0!2mJpzaZM8ai~%?>@Q zpU!P()J5H&%trKRoGSLNC#P-(IHxMmDVIkAzwdUayW$cdKKlr89Q#pe5Uac!WW;%0 zL^JqnFfwvTL2ROdQI`5FSg6woc8Zq!QFRG9)afa9 zik(UMYI5+8#Af2i$4uHVlU2httb>HOfQawVIVw#iuX4r+G25q$XqHw@23bT;x_Yt* zQO7&DaYGE}BSKOnDQ6+GlN_~E#O$O*?QCP(gwHhEze{MBnxsv3VxDP8357Drc>-DUKcr4{A5 zTuQ0LKD?GG525>U^8&zS{EABBUW0eD?A{>jp3A7Xw;a#is582uDdJuxsNo7$1c%sX z+*#xhd&;dNq}FmwK|FY|FZ$|EEgX1dq^U8lT2N6->uASp%KOy!N=pve>wEZ0{qDS=}osZH% ziJywg{n!KQ^!X0g$%ix4>{*H2y=*5!{20Yu$M-_n_bJZzX7qiMW~llhp-=X>s#oj<#; zUkvq&UpJLjiE* zc(xFk6dYqya;(sM2o)y!HU>+lded~XC|QM~@hH(zDVOrz-eCg|QYj31J0o`}@19$_ zyeE)eugG%2`OE0QpL~f-#2rXXSU?Ru(en099ud#A{*CB!utY@wNy6MPJDX~@dYyS` z3$(VKX$f@r`QZ+52e<>=fi-b}I==%u|0qr@3Vr7nhfMpa^Vhbpoj(#%XNg@d$em|9 z|C-ze7v&D94$$wpER@-e3|p5o{FSz@=pOt%XK!8g-L6PTk>O_$cRJdQw2kW@i1RA3 z#z>4VDzYG7@*0UFn4=HZAqqo|4dJ9p+`KH&F34YsSYjuwv)Wm@7D_1h$t*YY)eX-4 z3sl|J!)$d&7qPniv?-q5%T_lL8?V}+8PzBZ#1qegM7(i(St9m}>S~s#tV2lpNPrzk zJKBawiuX|QDek5edbcct;cw(tUtH&wzuPrnSJ18JyLE1%V*1~JWX&iFC8VsW@^a!1 za0j>p+=10|fI9gT?BpKovlNEe;hbrv*%5fj&W-_ltk5^D$m{2PV@tE6LVIp8hs4h~ zHz@S8L7WXQ&}_JWlbsE|X>B&d@F`68v|qiuDP+Yv`?XGG7T83si_OA zDRHXQSWT7JGJC0^J{#`#6ES*mS)yHr$@eT#$;C3)j!C;nKO1$T5_JIzgOc+|f|M5O zbV`-6Ld<=G3@4MU61g#)mAk$ZKtuSux>IjrJ3&(yc7iI}5IzdI}3b}tkr5ene a!jOCUr((*zu~?UT6@D3x;o=$m0q`69%l6>_ literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_stats.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_tcp_stats.pcap new file mode 100644 index 0000000000000000000000000000000000000000..35be732dcb911f25324c768676a9f88185b367e4 GIT binary patch literal 3942 zcmai1U1%It6u!IpX_}<%rZF}|LEG5c8XL0H+06z8V<8Vp=}*8u6w5G~x!WB&`{T@= zq-hW~2u7nt6nro?Mx}z(3ext)(xO;Ip(qIc^ueE&pe>3ImbQ<^bMDODojbc52W~pq z{ra8neCM8XZ@#~L_Psc1CgNFHAtVOBY#IOcnf{+!$XM55>10dOGDi_C&C2W+@%7!Rp4 z$k_Q}UB=!-&+_jwV>w2e+JFh3_1tX#z4G%Yoz^D|jQesZlNygy_7-~d&54Ld9rLAI zt>pw+{^GD7SNJ0s4?!ecHH>@M0%v4(8GFg{XhLS3#jPTq%6n`;L~2}xgImzEznW#w zZnZ)c`gs+)WzUdt9^8PG_^PSGK5_~fM{{)vi54Q*Z_vDmKzgnY}utBF~Jx1M-to&mW_dB z-DiKQBzQ+`+*g26l)J{VJ)6!U(G2+)4_%(ulo!&0_b!RqFDNb|c4I-5+GYQ|d1~RH8gb%zDv+^{V*|kd<0Zd>w zv{*b7eJ-x0o0v#8O^5# z)fA!uEGo1y%xid#qZ!3Qff@|*a+8Sc3TW>MBUzE@wggo(fb9veo5I*Cq2@BjGnnU4 zH;Ja!wE(`P&LlOptm!H!Kv>@{k>*Y92xSTn+YsRbBBcPw+CW$hN7nY-97bt~U`5a1 z2vOaRuny3m2+3QnOWjl&FrrLS-A!s!Mgthi5p|dLTY$oN3fe6| zQaGz%I04ZxU_@S$YL4MFsHiTDNh>sAdn6i;;WSuHk-P*kbT^chuyAeILWCd*hH1z# zp_`Ms-4McyRACYON;1!f_=N~(By9=ZV>!*pn_Ns?UpRs~PSKGBSLYCHfr)8GUCp7o znH)(DXV4r`b*Ybi+>~Q6MhnT2^st%&==xw2-5WN^w(=HiBmEfvKk4D*P$t6%#D)MZ z3D6CL!jvl<;VtT-05~W4Bek(@!B{A0rsd*LGPQ!2M{7hswS^V1946%YLkTDOtE-+u zvo@X?pIwNY86#aY3zy1?4L3h_UuTPWHe7jBJ{uM;iL+txEBS2j z^Obr7N0BydQQI$Y-65FM-JDh`PQetmVQ||?Y!R_9C6_sp*CVB$Y7qw5)E~e0RY)$seg-cti+?dqwDyv&1oO!MyhexY)+h!0`t- z2l*4Su5wUpIj}FhLY6WkM@>{-A313mEQ%DfM`|&ONIYE{HlafeTZbdMaWuoxr)(&Y zgcOI5)HedjGu0pkiYg5?!NLWlLP|Ttu(J^>&fvPjAS2(E(&^ Ptn1HfsO#YPYP$XdT(V{t literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_counter_ops.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_counter_ops.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b73c376f90a5ef0c8defd3fecfe5ec335a2e1769 GIT binary patch literal 352 zcmca|c+)~A1{MYw`2U}Qff2~jH@+WgyPA(749Esy4hHqR)*5T}7?nG6b1=9vFnHWa zXJBv;T(aQ6ian}8toCz)_Gt!_hH$WUMux%$K?Y_Hh_O6iF$fz(GJ%NXyb=SDE!Vg5 zF(d-{AdF#4u<$mJExGO}w%C^>fXx8eBFexl0y2()K^$T(gaakPHi6jxfdFVD$if?V hExfM`vT)%|Gz+5`n1QB%EEGes5F~~QSYceKg#hyVOsfC@ literal 0 HcmV?d00001 diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_delete.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_bin_udp_delete.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a375a7d67c9dd84da4a0b9f588ea057548806478 GIT binary patch literal 221 zcmca|c+)~A1{MYw`2U}Qff2}=qH;g9Se}C+0>}no4hHqR)*5T}7?nG6b1=9vFnC#g zXJBv;bmKp;Vvi~itKFTTeVV~c*AlE9Xhee`12YH2SU#{AgbgRNQ!5jbl0o)xC~z?N p0>wcX!yfxnp&)y*9)yK{d1(X6|4hHqR)*5T}7?nG6b1=9vu=sHB zFfcd>mi#!dVvi~itNmN8eVWDM`fjjxpb-s%3>+L_V_5{iVlXS9bV+J)Nqlx{W#T9p M4S~@R7_lJ$06qnu>i_@% literal 0 HcmV?d00001 diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_counter_ops.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_counter_ops.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cf9c7ebaf41ce88f28221dbcb5f17c7c94bbf835 GIT binary patch literal 1778 zcmaKsUuaTs6vuy8-E@X@m(vMRUV^nX36>c_CApQOQe63G6h#m=$`@hgS`P(6Z#}eL zg1rRw5G?3nEQ1&_DhDkt3>Izqk}reuF^4@Y3_Is{@6G-0y(%2=a^Z8nzt8WS`?a|6 z!az(!`867ZaPVM?mJ`8wjzr);mWA|xKRNKa;GG`cWg$UA0<&8I66l;8ct2O@gF0BU zd&Fe<%{r3i4UNXn6d?vvN1ihpJ2=i_J%6p*iSJAXiT+`cBNyNqOW|Se`$>xElQV+$2LTqhVyhw?wxKKw@hN#ZO3l5Yr`sgqd^y ziDn#wn-j8xW6iv6Bt)r%HI;;VvYaO

mm#V3w!0y@cgDM!rADM$QwE(4Z1v&*fdC zkrfFcxF;-)R{!UFNSuDDO9Tnyhgjk*Y1f(tt^gKGvtl7JMhz5H1{z?X3k@Xvtby_2 za3Ux#vb4s*h`b-mZAatGbv(o071bHKY$dl7tn}FTv1dRlNQC>PrLl6t*pEd2A6=r0 z@A2$qiIY>QtfZuUQXzv};jN0hne0ITf-*PLuo|TQ`tdp zIeG9PxS^;A4>E_l3^x^4rNRyqSH+geU;{y&mw_Ow-}kcDk(Zd34;l);@5e9ieSAAP zArgtOPqj*j01s+!rT^lvkMzKA9GUDdA35-B=FqLWwUAO0ta7TurqkyG%D!??JE(vQLdax9SC zgJj&$RxAZ8?^E-zVS2nN6Y3na=#nTaLh#Ed(qU5_dIx}<1S*chJNjV*y^VIxdm8A4 zys9=AVo+eq7s-rx9%wiYV)xexB&IX2#1^&r$A+Dl)s4`IJ{oF=Z%2c2pUBqvy^zrmDoa7zV+FOeW|m(T9@UDWajE9 z5?#N8Mb16oiWH&o0&TpzRwT?CBk}*IE${@1F~gMzjemZ(6Vv*2-Ow@fw(n_pdpM4^ zadVEA7~o1QK-;A}lz7;0D-rI}&S)u?LiS8CwiCr?n>g_$NKv9GWV<-NHY74xN8GqX ziE+i12r2$<+KEHfakDxg`UEtz L94oZuy4~>~p>@8{ literal 0 HcmV?d00001 diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_multi_store_load.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_multi_store_load.pcap new file mode 100644 index 0000000000000000000000000000000000000000..787fd01398b79ddc4d3a678e56e1746a8d8cbf1e GIT binary patch literal 2101 zcmchYUr19?9LLZ8xYlCxE>PDW=u(t{1lw8!CAckDuEJ4HDM+FsRt!>cQT8+g2SE@) ze_Ri3Jtd`^iD-q$BG@pC6oiZ@u)Qf5y%m(}_dEAq>zup!(1UmUV3&>0?|VMych8-9 zJ@iOR^hCJ|1wu4%^W)f;=9zLr8sR&ZkyL-)zq5bLdBwBNNPL92PsiNEZJ4{0=^NV) zwPV&=GijMfy+_iZwoqu#5u(+X4Qq6|GL6P)@}GK@#ozQ=iC(vnki&3~rEswarPo3O zQfKgPK{9rznVhxuEH(^4hpFWH4zca4MAvJLCQa3}4(ZTo4d!+O*$Y%GRc@E(JLWFz z;c`y_Jrxy%ioy#pAm>H0LTm*ZmWmiiW{{XXQj};DDylpzvGaUH4DS~0@NwA9rgO`e z*`zd6;;Y2C;sYqAuZt6t0x=6wf#faIQZq#g5Jh5?9xF!48UoE&D&omeSiReDBUqFOs_na2B313As-2+v zY?15lLP}3#JWUm~af(JP6KNreiW2{;=qZgz<2R&FS zMNjgTNNjz;Dw2ty=+_CBNEJEcX#_`SR^gJI<2qJwK1iKk;+&6z^B8q5GR|}VjwO;y zkLAZ(Xee}_GZX{oS#-WM&lKe*S0#IhyU!#1opp4R6XeTJ#TFnXX?OF79!xok=ZDWPw7S;o?0n}otws7CiH%L6xQj};D z$}6|B#E#1sBht1Zw{+6XHRMM7IqpN6)Cx&Avs@*qLR1ZcD?UUYj0igj{%#nAMAS<1 iW>_G;z~nbTjwhj0wnio!Z>QX8Z&9E}tp@ literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_single_load_store.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_single_load_store.pcap new file mode 100644 index 0000000000000000000000000000000000000000..b1841cb021f9f673c1c3796a71a32a8f24bdaa64 GIT binary patch literal 5695 zcmeI0-%C?r7{}jpw&_@m9b?k&HZQEei$o3)6*Nbq7Gl4&ZYoI_QeKp8A+lhH13^?* zdJ&aH(oKPgx}&vUX+P9NVHpv-$ks&(+8+?pi}gI)j-B_M%`O!@8xQO-_`Kiud(QJd zU(T2JqXR5468V$M5yHU5@6+E~AI@4yGyKLflRb-v_6{Z*x*KNilkvSm#eiB!WvByV=$N)#%%Fj=6v1dEGT>C&I(v7Uy!t9#&Astq#ly!T6ilx!bznnnb4?0x3 zV?bXMIIj9l8XPFiPXv%VqteJD@wDJD@wTH5`yn{t=j1Sn89XeI7~T$$xj1KKbMA`B~!Ns@o>%lYeXM zOINWi9I#sC2Ure6nwZ6hM=@r-3&I1ej9F`9D&8(|B>S|Uu=-M)mMxq-F~SlcOLKPeHK6(hxoOvq+RMwkkq#kq8GuO$$xzP(;Ck;(p-AAZlW%@0V#X zJceE*va}bHK};nx0(kKO<2!`c;{ED7*VxqRRfbJHYHo|(*Egve;}i!{ay`Cg$nc5Dm$*VR@0B z4V&kVzOwGXe;lw{yv@Z7hfjU^KI(L0AAPOV_EEwKeY7$JFC>ev^VTyQ5|2ZE!_su- z!O(RiP7RkNIyf>tKoh%eUI`Ym+r~=&97C=zqvHOui=ecMBSZZ(7d!r`V(;pXCw%x- rJ{e!5J3irrj$ab07%q8_?szp(vv+>>JZkJtsWdKuMi;o5Q)~PSMVTY% literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_stats.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_tcp_stats.pcap new file mode 100644 index 0000000000000000000000000000000000000000..cec7be1e83c7eec183eff3368832b24ea1d4d078 GIT binary patch literal 2668 zcmaKtK};NF6vsbcwo!!p& z4O={MDTyZH#p52@8m$MTOA~&m%_K&|XJ?0yCirvs+^-itj>pLv_>HTT9Q)v3>c@`=75Lh4td2p5BfA*MCnU=~na3&PNvsX^zG3Hnp_Go0?kNPR*a4#l2Xw zM?aB>lhg1Ym*8Rymp%#s$Q%1k9zilj=-qhKb3>cB3K9CRbzYVVPds|8xwWn7x!)9| zL!|wfcQ24n0u@(7-pY4X%)9bIB=3HpudXB#hn{{93i$aVSrDNdf~$czb>K@RDs)$3 zcjC~I_rpX+xwJ@^r2+U3wzp|ny}b>iyj+)egCa`xHY)Ndk0`PVicG8|$mae(y(mHr zLEKy8>K&K3xGS-nY<6yiiRWj|o|}BLG1mq~l*d<55qdqM$OLG-=4$*^pvauixDTp- z3-ra+Kz!}gw@CaqyDJeiPJR|9E_fPy$s&3Vu(%q8eY<+smEoO;3~M0l^a{wZ@j^(3 zxr^h|7bg7+6xTO-#@7Wy?cIB$x3G#>B~ryS=yDTu>3X^rt^)5c2}E&+4Z4he^CJ>h zr*|cGC%Qga3=Dybx8#W$KpmM&3?OLB4` zDX01%^Q=kz&2q`GIJH$~yho)W;bJ>XTcE1Ls4XeU0r%rO_*-n5aaxqpNhOWD{-*BO zwyKvbi|QQmU{Xr#@DkU|@Rl+xyaET6aof?kV^eSy<-;FpFVUQu&oN0BK)sk#u{Y%! z1}r!c=(@qbB84m<7(ay8d#; zKWbRIEe?tjU7L5TMywsH@xbOC6Upcr6EJZKP41z3LsrWzX=YHUTV(i@XYvaZuA0LO zD(J)lPuD_iyJXjF*=0_dYEuoGawIjB5jA-BifwRCq3cG{=|Rz;rcpFNM(v7wMj9GU z4P-JwgK4@>p{uP0w@#)Qpk`h21&tNd za;X9xZ9>zVQc9%i?s&PRWkt@2+j8v&Q|XnmX5}EGAYM^3&62L>HN%W3A%VMihyPl`P=`$^LJ|GZC|?gTmTY?yf2F}OE<{{imaZ;I!)kb87I!ku+9?MRUAM3{?j zio;zsVsxGprFzeO&6UIReCjyN^SPA{vf0uXn&+30Xx9-NYFGYf#~kN-B00`Mjwe9P Mo$Z4`j`OJIe^Rg((f|Me literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/memcache_text_udp_counter_ops.pcap b/packages/endace/_dev/deploy/docker/pcaps/memcache_text_udp_counter_ops.pcap new file mode 100644 index 0000000000000000000000000000000000000000..bd7edd98bb5fcf5d6cb6ab6d58d167caf1778744 GIT binary patch literal 288 zcmca|c+)~A1{MYw`2U}Qff2~jHohO)a)p<{2gn9t4hHqR)*5T}7?nG6b1=9vFxXAH z!oc7l_|Epgian}8toHY}_Gt#K6{cYAKqHD%OB9mxN)(I~3=|9%^74yP3vw!XxeR!@ zKxTgcn(YQO7lbj)wusLGnXR}6#cY+2^$bivjX;`D+e_P#_zGIT+OMT5GJ?V^r?Q&B5Txz~C-7 znSsGUFsbaoian}8toG!g_Gt!VzhHy*{hzBy_P%t+Q5Lj8nfUm_g}_GuQw$E(2F8JQW1Q%e*|Qj1ICvr{V-41mzkz{o@)FTW_Y WAg7X-D{&NzhQMeDjMxz14{XvGhHNZ;qZ=WOm-?!ChhQ^%f} zcXo5{-DjWkKF|A}b8mL*bB`|fi(H|`v13B`=nr$&!s_DFg}9C0BkUtzj1i(KxN(#i z)%&!+&!P_?)=f6&rQ6@h2?%q;>@y3+S7AEn%kL|i%g-0heTH005cv{jYo7HcVZ;-q zKdx=4<3Eql7)bAYVKbf>9Sw(#+JqU6#N~$$U&5@)N`x3l6cP3TR=&biD_AYBP^`>( z>n4K{F}n<`j?q*lt1>X_BnYrV08lZcw>)rcEk#akG8T`<#J%+XRMX;%3;aZH0KH~r zQkqRZx897!6Xl^q?PPHSU71rR&gKt>8Vqp?y^B#2LdjStl8B3(XrnddUUY)49VUj- zi$8*Ezf14pGvW!Oq124j8BNAbeBBjbHF_Le0al3rH&-BA6_hOxS8QSpKUdk3u9zPXHzjpfSlNmZ;(eP7 z#B9nI!amq%vEXJ#T<2^fvHWmTlKk)z_pSqWK4YJJmLR|f;pT^>bS~eFH&|qR zg$<#m@_00I)ubuZ#;VMj2A!t{MTaYlcsz8Yfn((}sBs7p?)2ltwJ|ecaHrtw_verU z!_nGM_!^Vyzk1tsqblj!`ARcpj5A_!YL9}hqGM*{TH7)HE_*LPPF|&)c&PpgYji~A zM5_K$K!h*URfk4np9JFaw+h5F^j!%1;4H5RzRHM6M?|RpU?$7!fJoPg0tus3&-7J3 zjuqlMdgnJIaU+&Eu6^d#MQf7{20G~wx{O+F3BBZ9PYt_z;jGxOo#%a;d)L_B{*ds~ z@ktc<(O8`kGwMiIOz6w^3dBr0jIa-$P&l=iZS$d;kY$_jh3WQ=%h@(JWG3_!O=#Un zg203jZnmK{Ruqy_IA0jy7iO~mK!I3D#}M|xOl}Qs;nb!T6HBa)%So&#GnuY2dFm>H zz*>Xhp4zkN?D6&FtB=O2CL7@}f0|boq-x9uo)y-{sj5{3WvZf-s+Oz@L#m!ag@GW# zEmb{UVH3JrVf|*G;#FaIae4awCRsNuL@hjwmGOKWZ9-+Sh{_CkzQe#P{lD+7$$^p zvyD@Qfyw=U@_C8%I;ZxqVq%H4y@))`zEluns>-xg>cjU+j`%GY&BE1 z%4u#0`{3nwMDQ)vFw>@_hARUiny0(M%GOLmtURxmNDvglJ{Yk+_%?96tBp1Ryz`?g5wG14Vy{I@?9*E|V2ez{Z z=GZw@6^|zra6mYD0K4T93c3F>AAaMvgYKI4vkP1NlZ2m+*J`K3H_Owl&Zk@C=|ysF z$@+9ko=(Zrbvk&PJiXXIjlY|2IBe9SRiD+Y9rE$Ymcx$U9lb`L{b?wdKh| z#PZaS0z-44_B`i=mnRT>h6sAxv@Hk0IM(CK 
z)7~T9Se}rRxf?xg(7~eZS2?j7QRg`UF?Dd34Tiu5zbC|!QN6ty(RN0B+!0Z0L=z4I z5sm0n3JlE#_C|zi$89P%B5*iD9G;^C2>ak>_;_jsE4@^4u#}!Un3S$zrB|v(1P&7p z-a-)IfKW=m^3I(X<7+YS)g=_N5rx0@R)Q&QDevu7ubrIMeQHWls2UO~tqWyM35Xjn z?d?^sI~egEM?|e&EkxAoX%rZmP$yTfAXq%6w^zO1$12t+f>OmaskmCNSBoI(6$BAV zMS7bVIM(C!`lCVPPyQhba^ipA(*`?Pw7n`P(gv#oB37SegU{jYI|=d1i*m*9XzmF6 z;97|WcQN8aj)<^9t*RAcF%W-F5T{ER%?3{Oik*Geng%j&j?NWnI*PClCUZ|J&649j zlXo$e>1GdxlJ#Xf_s4A_$N{I7yBIE}`&vf@44Ju#$rF7sR=oP!RUPoJRzA za{}L0oTViDNRo}ZBnCLQ0Wmrz*Q+x3Fyfyb5w*&+5K)?CcN;X)75-#nT_|z< ze~)sl<8d*HE~1B@Bk?ko@6Tlw-$)0NSqJhPlHr6&k3y4;{7{wDv^^EYJdfVu6YB{J zVIMrtM^X>4o0hA2T5gKpPHx)7ZdzfVXX8*jTg5yPZf+V!=enMXRz&N}dXpZ~V#tT2 zG*_^tgVeSWm-n->P_d@Y&q@u`{@|wGI);XQ=h%8*-kYV>4HrGk;v6u z0L>bQ0&&e>JfHf!&xi{g5w&K}SPDcm1N>hD!`%fZysZYoyt_T0`aH<;{YDYAfCeCo50Me9^Kv23t&0NLP$EE|j@(Mp#Q z;+&Mv>#5Jb7_r3>5jMy?^_l(^5HF?do=Jh>Zi9hz*8QmuSnXNj^Lpy@5Nm(2VkNbI zfwZ3p?Yo}(fYtP`I_dks3gM>xS~~Y_{BJq3b`>W~u9z4Q$rZXQtZY3< zh|>lO@jPV&VISN&p9ub&5yv?q!WFA2&-@#T=Jm+`tpxEs3FGdH33P?O&IlV$ON4bi zF3zKisB8WNFWE~3S*pQI$nU|6Z9TxG0`#*0ba8}z@T9`2m29faN@|%Zxq?i!ha1Wb z_DMCbA4w3H6vE9^*dTVT2Yi_Tli|dqoX#QagPDv79^mwD%S!Ja60AcP4C!rN&xn+m zg#?AL4@SH-_yHsS!4XmG=FJ;`h;BYW!ng}|!rdGM=Mq7Wt=%e4ezhVfli!hU-&Lk} zb0)X}-5dlFZprWQZeE-2MmI-Ju7A84S8fOSZY}d@H9ulZCrL4xUlsHfn+Y6YA3T|-Q>)oBcc}DOmYLQ@ zma*>BAGJ?rei7Zn@nkR|H_OoDRgp6-6iyoU`#0Nj)C|p>F#TX+Oe_|SS-+GJSkq`L ziVbevm?ruqm>Ic|em5ciHLm@@33H3m+&ntKhb+`qH8&{~-EU7nOP3x(%`XDt9sT-x zb%2i;ajqkx)&b`C2O>Ja4=6C)r9a^g0D^~zphpMzE6Z7>2wHMZKa1o%s&@b;*dHAL z1QBj>_IL-_^kz3Y0CIBgDo-06X3<_(IgvIvN;cS^WrIN^TK~rgamh6~UN-oc5$8A} z>NZ#bMA)F10^@720SJCU1U+oEjAc*+JZ1BjoZrY%@$nzoWr!3m5DkstgtpPD3 zoMi*f$rEIQzn$y(Tj(Q8rjaxITV`oNx-=v_E z$vWHPv(ENtcalnENqZ!_>A&?NX`=~4#_t$EjBFg`_D9%b4m-r5CJ<|!Jv7WgOrLth z9FAS=b5I+5miuoWte;yQ%K>MT9L8q_Rhp*?%!Aux4y*M)9Q#Tp-B1DQkN4j+(l_MJ z%k|T)9|XkHLJ>kNcGOCs!d6VP;CUC2YHDo)oS>}Z;am6o&#msYcTNGHU(J7ix>74c z*vLp3fk@$sHb&X}f^U}dm9B(%pxR9xNDNW3;FYFnS7K2c-Dxewv8vJGJ&0yUSrtm~ z_NxA}H20Be89$H~`xJ6Lo)^P`A4#BnX{|=1h!_AG92MkjQyc0>2e^eKx^^{N8GvR| 
za3_=KXJ6FJ05q=_ZZV1e`1VtA0D3q^my+nCx#tuAqpN-1BaDU!{ksy!$xH5$_mRK8 Vq}vex9u!|AwF|9LL}6Ztdz}TM0>sBG5}6Jj8aeOR{aW7mM7|E*+-nsZ%pMGBZ*BIV}E3 zv`f$-B+^#8ghr(~)g_`(P_K5d@9&tG{q9%Q}PQv?!IRV>^x(EaDpXoQ_(EEAn>WR3fuznH2zA<^Ax zwK}}8Xtv7@{Yth*+TVAdF-eM4veZToOU>m@LnVx$wY;^lxn(C4^;VZ)h&; z6>b%t!tXxXk(ZB8gRBjEih_%RBjM$$^pdlFQlIRA@v47-40 za@pqW0QNM?XAMo`ime&|LCz|ccIL-7wQ=dSAiVA&Jh`xF)n;Ru+T#4=FR)ZTNs3Pn zh1eZrqwp!Jl6WVb>5_`{9^5O|+DwY4pkg4X-cmiIvnskXZsC{K#u-tV0~=+U_*NkQ z>PBwWqKRwnCg#aTGZm&C4zY(wK;diRVDz0(d{9!6nmAD`EKQ0a$0`xD$~Eyg?j_Y~ zlJNmD#nV)x)Ml9J4z6j%6H)XaEN&O=V;`4hL^ts@aD9W;&`sOZO|qD#qUWI)0%QuG z;%`ZO4V>DNis)wlL08e~Pq5pGpu+d+<{0iGs-+hSmSVbmH(?o>i`Q>rZqsTv$2}9r zP295Nc1~xBE(|wg+G>EFZ#7k$CuCdc5YMj%F+ZB2$l7I9=j=%G*U=_q7f-4tZ{emz v??V8(FyrZSe?ojp(LOl9j48odc5Nx?&U;?8R-Sy5~Bg+2(kGsTq literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/mongodb_find.pcap b/packages/endace/_dev/deploy/docker/pcaps/mongodb_find.pcap new file mode 100644 index 0000000000000000000000000000000000000000..c2aa5823ff7d6575f217e0e3ce0c183dc63256ba GIT binary patch literal 944 zcmaJ=O-LJ25T3V&CVB{w;!i!;iv>-gQ0T>zx>`gf6|pLMku^Te)7`A>u89W4kk*3+ zLE=FKX=!hTfat-q+Ji(2{lR07J@hCDIkug73vJe@1K+;gnYZ8jcD~um&qp5=@WKD^ z0mFyZx!#ckXRw9$1Vzo)f`9aF>i6zm0A2#D1;2Je=Yvmc`Pwj}TCq-S6fP1at$p)L zx{(cK_5m0R)IeX(g1+(a0J790C@%f(>TuiXQJ>M$ZR$FYI>L;*CA>aDC{!EZ%Rp}= zG<}gjcg4-mFxbW%!IkAol;Se%gv1?ZNf-$f8^t;jR=7xZr5oWo^S)eM&U%F`D+m%u zpC3S!2j#*D|D>3PkzR4QvvBa_Y2xwEJN2bdpNek~Dw_8q_)Rvi;B8*AOKZ%*< zs}43}TEj7}>;E!xV)|nYeAp{Og()R=Dov^Pnv!ioQ*va=n}=SBXGp$^AencW@(ybO zVH>VI7BaLY)i&dUQ*$^>!y?784l*6#wyn)_%BjmZRRDTXq5Wf)aJZ^D(U{!-s|ui6 zH=~;VS{NMm^QGnpo-TI^i;r^4rXf|3H)M$TSXoY80 QI0!`?go(02SfM}ZFQ3iqeEGD6o2DR>Mo)dA>JCoLxe56k{MnyY>7Q2{;dw>Htl@6gF7?ZH?yVmZzGU2 zJ9v{2!fv(%;-M~4K}10z2p%o6KPM?R@L(6W_rBf9RaZN8=)v20-@o^L@ArQ1?ZT_s zsS=REm24K^5)KwuW_s?Q0(g%$DS$_YQeogvIfMY7r5jtIrF2}r2_TV9x9X!~XR4~Z zL!T>BwKA;D;G|UUgW9kcYAYY!!IOvbE*8pihQn;fUl%nrG0dV|M5{zMZN?p_K%3(Z zHOW=eu|d|XXwqP025`v}fCKm`i|88k%&aUvX}#P#+y4BgL|!9ND~^jKnPd25i))NC z4I~lUy*7XbDW_XwllIqtrPwMnZfwh8ePpSz|38EcGR>3crhr_tq8)ej{}6@`EeIPePlUI=q)vN&IxvWFGMixeT`m*N^&TY%W`sC zAT&3HT5Szr4)JS>MfnQX9Twu;;x?pk3P~|Y%etvCGSG}#8iUn?2ngfcu=}ACXG6gt zLZN8ML|l)m4pRo$kb>(LSH#g~MR2o#e*QX_SCJr{qZ7@_Ri#-8`UA>!x{82#gut9Y zo3scphwHx)FjXI1U~<&zoEsi|c|28(WrLhvFPpHJeBSEV8SF_;J|B#_KK0S*Rw_d* z$BFI0mXWShjs)gr`ES5}jKJ&!cKQebGk(_vCf}nb5S;n#z+UYIm_$TKizIL?-6VWA z6!l4cFZCyZqW7IeFMe``;`RnrGjwxfaZ_N{99*L0=#7J*=tM4{?*@eWQ_ijgw2(Dol>$8BG zxM7+7mJJe?r7LckQAC>qQgmA}El07FiG;-+rYTO0Tgm>Il6NF(h_C%6tw%))M%=LS SY0Y$pzI1O&>t6i(@%;u%ABh|Q literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/mongodb_inserts.pcap b/packages/endace/_dev/deploy/docker/pcaps/mongodb_inserts.pcap new file mode 100644 index 0000000000000000000000000000000000000000..5212ff70ae8a677805469de595e7b8e45232b9ae GIT binary patch literal 2376 zcmcIlTSyd97(TNu&DO)Vmey9J(go5$O?udUsclnCLL$69=CpfSr)GC!W_DAbwyjO~ zA$;&5A_xqW0;%kwdr+E|BA8?s!a}Gd=)s`NWA*=M)ZN+35QztVX6BqT-+t%&zi(%1 z=vI%3m`P%o2?q}YVs*ppFi#?Ik7aWA=Muj0Z2RvE7cHcU5ZU_JMO-VcUFy#*;c#s_ zUyP5Asapi+Ie)~??TB^}!f}>Wq^6*k)bKrf0L2Q0V~W?Vg4ZtwO1F9ZUiSP4#(KEp zM5R_xR4Qw`$hWuHW1_KQe136vkkJNbBKZ8D#N z-a!CYp^y`v*aDS2aPBgcMO6G68P4VxTHQ)8aOmi9>QU>&c8V{s=~}8Nf{)^yyG^AE zA=0!7_czI+O5K9$X<_@ntNen1dR@r{svp*S9<=PZ)PBDA%=6Nn-CW`m5rN zVdm~Lu{NiO!a!At$S^lb~d1ZQV4 zWX_S4xtplTI9T$|IxTNmGB?Z+t1=?m0dZ!*2#y#cV&-z8a2Oe3Ntqj;&)nzq%wa;4 zGRF=Gf9nRBd%$eer?*jOG1zDVZ1g>mIXs{vhM7ABg@?>$qfD7YCd0tQ;16?zN&PZK z>IrC`pl_bW1Q8!?&=Q;_#m^Yx>5Pcjyu}o2h?wFvP&ka5_s=OtibWf>uV$7n=R+p{ zrWE;w(Xnt5%AZKFMiEoo3WYSY$-nF=o~``(|6fkjr1ZL>5uUTQP3qegE)tyatzd+G Li4;4!(2{=vbZ}WI literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/mongodb_more_rows.pcap b/packages/endace/_dev/deploy/docker/pcaps/mongodb_more_rows.pcap new file mode 100644 index 0000000000000000000000000000000000000000..f47a5eee1b795aba7578babe390d9fa2b1090f16 GIT binary patch literal 46491 zcmd5_33yc1*&czi2q-8bDC($Kkaf095`~%#2umQ4u!_J<<|Z>_G81PB2}Bl+3rm4k zt!Nc&MHYpMib|CoIC2&`j354A;V*a(3w_sIfcJ3U6AkweT6`#u z-w*e3*TODc9P_U=-^0mvH*R$}^5D1eKJY2q!_W3RI`^;ty4x)Ht3!vM58*$wn;8l? zCN4d`b!NLs`rE&|qfcus5Pczt3?w zKB*r3^=s7=cAVpO?0a(5KkpCcWjR{K6ER&+IJ&?k1<_b66n7SCu?lB)weDy&H&j&` z4d{-x#&|wI%vGzBXe^p64;r84#G;WJN2}6gC?1OF4xGIltwN90I@*-Sw16IW9EXou zyBz)D|2hP;1UyL9(A)FiQCb-nI9kDf$aZvzmqugoeee%QYq$C8yz%E|6IbI+Ia+(n zS3h_#G=#YNT;po5`Rd)<-t-bzcQCH@nXm5F<)K01)j19KeI8!zXcf^abw_vjn|U5_ zKAc6tXqBT?{ix@K{7P{P-CZKRx7if{7mPlwOq>vjUfy+S~kk;np=Mz(-AmXV_ zt+R-$aal-2bWA*$L0qi>>G{j<^x0jV0_h6)n!MT033_cL8V-O?B}<&ykpO(qAk+kQ zneGgq+u?W;zC*^YAIEMsjNZsGR8UWPhD!qP#2>CYb7;N+UccywjDe#h@QM~)MKGiE#kDnug!(GNwncaz`K`7*6FuhZy@H_FnXep?)_ndpSW6q z-`2`6J$6^8@Iwv7$s_uXVd3|a5@IwwT6fMo03-gGliI78!;x*mx)iXn>rD18oa zZ1Cu4JP6OyVDqec*uLkXk>UhRYp@;NU>FIi9)B4|S+UN>)q);w`^`~`YV2x354X0t zL82Ph+MYOe3aSg?Z^hASCwnsI=uo0GsDr*(O&CMV4`^*upf!M_Re@u36NU>kBLhs1 z=%74v+3#FaY7DTR{HoV?do>eS7r?J%#}m<5NOR^ylVQDD1J6bjN4FQuVxtvP!PZ=M z?S63!1=&yGP9(@2*KZ#t0?fIHUnr^LF}?3l;%df40W#N$KpJti0dNYk9`H3ev1B9~ zcaDoVi-Wp(mI&P3V4WPlSKv0#1~-q#<(F_P9<+Mtp1Ta()(r3RQ1Ms^w@IN=0It@2 zN1|)#b(`si)GA7VLPVS+<6$iVFgLiEEn!`F=f{+RL*t-23QbD^AKmSyd>X+aRj&mc!0OW+hfl?YuxZ!u5d^f1R>DHqb7%kst%9<<-`zu* zRp!A83t`9h0hz>|Fz;Ac2={c@=O(T;#x{FEdU+_q9UyQh2weR>FlBEmaCLE9Ll#`! 
z8D1IJeSx~MTj~s4zq@(Tnzj>6xS~fkHVPR4&{zsxkH1N#J7JiSrMfdWrfZc0oFjAy zHKPNZQ={d{SYm(^{*zs>IHbR)1(-j4_!Y{JWpox~de6i-MQ7$C3z)yZXgx(|W9$@) zz2I?+wRl1|tZZ>CS`{jd<5RK;AQ4UXg0-zvAnN9bhGA%tsUFA?NTNOU-6Q?3XI|3h z6NlXJH**>X#iJ;iOn^Tcq0Oz&51}j%_S?emNSPcpUsu3|B44LCvnb(aoD%rj?GIBa z>@ZfAyri0{lT_&58m~^Ffwu~B3F|i=(x|yl_qfy50icJ^y;UXC)7`R%dfgLGj^4|n z_j@DHy;flMbPScupm-#BI4x00YdDd$ublEW6_MX6myb%AFeMWh^Xj7?QIVg5FWkW7VNjNJFXRFWu(_zz!AvXwSI<9jM$7Npco#zLvYFJxjzapQe2?L(ZZN1AT@p zn&0mvvS@yDx)YhJ$fBuL(8|Z%-@HTd(NHQerR~~MPVrHpf~S@`C>2EAmcVWE*E))i zcyWVfBG7K9F-LxXaWFMUO(B=*gM66dJq2=U9Jw<54$et@o^+S2p^q*Zdj4xHQ~js? zxeu=?kSIAC^daud50wY!XtkEe!vpSa6O^QbL@O~Jj{BrIpDUQcf^FHjhAKxehhHG( z^b4-N4rWVL>QKb_bx(#Vq)~Y!V)n>eCLzsB)d*1QC?C>36xX2=TcB zTE7jn9+y{gO-}ye`D=g8X!*b|$DcdX>}(<`xxr+tlq^AD&aVk*oiGUZw3=`=tzaL$ zxMvG$Pg|Ftxt@Se0rr-cUz7mh3yFzLwq=8ZpS+PN8kUF3h$V?6Q;lKk`)v~8H)sgy=Ui@R7h`tmEr}aj>keBJXGpr zH(eTnh*a%)`rY14uyP+L=0B6qe+UL_oPT_bG)v)O^Z4`sdW^;0W4@Vp?GVC4N%v76 ziU*=au7)l0P^`k|+vt_tPrgo>+z22X_-T77!NzS1@>$}*fao#GpJDtGgm3!Bn7yb9 z!dJE9M#=r;_ib3`6u@X&Mued>5KYGIvSogE8qVrg1-RF7a7EQaa6K7v-gL;&M>CHx zJ9qIve*f0>=3+aV-@;flUZs~NSTDt7C{SAb7?9CMcyXev_4elapF^g;LMfavOQQdo zcdRG}CP3wtDB{7j(}VVS3Fvm}F@^GB%y=Oou|iQ0t=3Aykl@t8T_*|YhkApuLE?Ij znGORs5)y5Q+mksEqBk+!t!;Su+~<;pB%W73KdoKBB#AiL9v7jBP?0pDrLs|^B3i?R z9+$mODWZamhr7N&#e$4pf+E@&B)n@WTxdVS+Z0c9bv5Oc81f_9t=*+dD4cQSOJ2#s3qPfD&FpFcxr|@; zvS+X0mF!q{KeZ~@eG6s36SuFGLOs6X%&P)zV!j3qn0f-%gnbgt4?a39hNl%2zJV`> zAPgujhIFr7O6dC7;B}{2DyF_TYh_F~8ANpTa--oS^!vrhwP1E)h_!$pTWfz-v$(r& zxwIO%*LevH(fkyt!YmFruv%h0AG@0|wy+u=?psUMfehtO@z`+mfVfO;o8qs>;|JoX znq;y#WEF5PjgVo$1142;VK!{|=H9v-)A8^8MJbQ5CuDClcC^T7{JL?deTb-COS zU~={SFHyVa2?x#v77PmNyYlBAif0NA7iZr?sjpGFNTGHSOj35F z92}VnNQ#BRmCjr}0*XiJuE&F|V2>-Pmd$Z16L2%)L8$eKz%6L|_djoBR6Ce_{rkOB zOu%9MQcxR9fGbRN=Ry*-5wesQ^kcho_tw2l2`Mvb0%RNBm`g#%t`;DxKQp2QDbM=I za?1ZSLXi|?2=?S)2nw#b5GRDGqLClEQUIzFg^A4JP$?n>mv^8gNB!lIzpoj`%0@T8 zcJungEE8JD7;id(lowm!IJs1=4bGZeFiKi%W2bu;QM|(Mm(+0CuSZfbow4@C?#?aq 
zI#ITfdA5QY_DDZVLCWq#u#JZ=FOaV0iA}t1M{B`0uIyb$`N53gescqj>&zvTAI$DM z-F$WZ{yZvaD#xPvQD=c3YNC-CIvxEUpBJ?AF@+f9@)ah!&M4wgZ5Oqmp!2*u6_{pPUHBxEHRvEF3Ri*>5aNwXtT-8~ux|k0oBf1jaJd*Oq}wJj%AgW-V9OPs zP>E4Cwy?wo{CyC$49rlWdx~j;+-NeAfOf)Mt&G+JtlcZijCmZX5RBJoZc(<~nR2me z<>whs4wz@849?zN^sBle6I6IVsX}8KQD}5yjigZz)XI%0Lf$@9Qldi>e?yy`)k8Xc z_;X4VSms6$?z7QFR9?>TJ4H?CH2gRP7>i#8z_#8{;sO$=a!6(m3H`RBpa$L1l{)mX zjf^DvjNvRJ4Q>WD@wQi}_%M!K84N5TXW8vk;NSbW@EXpB@r$tLuC>73VMo6|~$Y@4zT8X!-j^ z-KaRnOk$k+yy%=r0)A}M6kZqRYE?DK;d~v43`SE2+ur0fg=hQ4UyNnj-hMvv;IXf7 zHZ24UatsQ4yk0_aeSUMYqAmP_)GXzMkD6PaIu6&0L9ny^FDO#u`jQNNuZrUo-0W&$ zact`J4Fxw_O2Xneb=4@US&m77usHJPcc;v&+1*Bs1Z`_pP15Vi1hHJNu&yIG;sF@1 zk@;v{AvG&nSHodrA<~xkJ7o`=J#AdKU_N3AHP|56u;w`L)pCvMnHP;DVP7b%)h*is zx6E@lm1|UR{{6(o6s!uZ&d>dV@|uh#lX9}p$EQk0DngMy&eYQpnJ9n>eB37#Fy(WY zN?^1`m~cU)L-9odYRam_sA^WB{5bQ*tf0B&7#};0@Ufdyp;T+L)uukY>H=!3qJnhKn3yNJW^IC28mNJ(~0BlO9Hz~l_)q-C3UR^}d5LFE5V(cGA*L_?#RIRIbqGAx@ zHMZ@{Qvf=O13DWAZ$e11YlLi9Zy)hFM3mkgru$ z)jCJOt}=3`o8RlnAiDBL^QqTxR6g|>RroC%-R{fyJS)Js^hCS6KR#kkFQD=fUBr;O zGiMj@d7Is~X!SfcoVbN*-e%6A5Kiof)lw)aOq5NTA7{iN_N1PD&PQ>BjV&{ zN+GHRd>w>fsK#}G>)2;W9PaH9yeiDfYY$yhIWEo2Y}C{-dJVL2AK0hkklZMpHmP@C5R@xcY58a?35NtTttc^(a(sg?EzUKmfsmxdt{t8Ql>>PC4y z>}p|kbh&djl|_JCmT8}V(JYF{ifFX1&(qDx@8fU6B!|H{vg=mx`fy{DsvI+x<6Qwm zHR6rD_xLj9y#Cs$zB7{+8@&H=YjB;@ydwl_djETSUr7b9dbKORdxP?76&Ua7yn|8z zg-Ny9#lx-^oFp4_ZD>)7rRYHBXi$}jJIBHj#*OyMjUj%(4ZPX&71^P29JfjfZt0m8 zqCPV7*)yNA4F6jf1lkmv(?eKDGpt5cG#rA1HPl>%Ljug5k}A>0^a6XV!G$qBF&CbX zGt;WutBx(C60&S&1>HV2WtC)*xwc*mUn|waw_GsEK5-zRW=$OMu@##{@?7nt#DR3R zkSAJozFVrU@~e?AKsmz^#?_G@O*q-~k;@?sH*%D+BB`J7jXAV_R1{|IomZY!{&OCX5GT?@fm|6&EHH#uz zX@#>mRH;Lm9oot1<$%q*hZRGN~fv>(c87RLV_f&atoi&3Ef|rkN_( zlpiP^hHK$!LA8Sq+(wa55oOu*LEx%un0oZ7i=q)D^v%~{M*?Xz(~(uH6#z`+0En@# z0f5^r$3k@zYd-36yAcbmc4vILc8p0@(G||Gg|s#4K)Jj^Z-a6B>QjK6FjjLbZdPb) zDsGGw0yH(dFQodP6pSmJem%t@Lmy2(O|z?F8F<)^ssU{hM@NSVX`~10b|!4^6E$z% z)ZXdEtdpT`$s&MGryg52eA+DJL8W&uOt7y;)E!eLZ}S~d8dA)8W5CR9xvn-oNv 
z%%KvAg!kq4$xWV1`aQMmW#*pT;SGGW((HZW{TNN2PG>qHWZ;3Cn@(`1n&qZg(dy#q zL*)?^Xm$JDYZA8H<1->V5iOfuP&T%J*6vScQP|>gY|y+GxDuJT<@s3!R#R-S@>*QU z6&t&U=d(zmIQ!cX_m-J7uMsQQ@}M?4fR#D(OJIc`TLVWcUMIdBDrFEj0+`c~td6zQ zgkP=5AXs~-xxrUB6TQ@26Hmv|Q?= zA+5%!&4HN|!gg9rw9Zbw^d5ncaE5uGsw-15HSZ7r#*;)gVO}#9CO^-I`>U z_-QUqctChwBRzH*{H<7zLC~ayfi-3N;Hg@qLWkzaaHy(^ZfA$IHv})gSKxOe$FB^( zg*)5mfTqjznfZ06`$j5>}cCK zdT0ogMK7!L9ro;?`T`VQ-H!JLQz>tDwSeI1NtqPhikz9Rd?012439B|APTZEJE;^W zWIyZ*7Cuh~Oxk-2;HGonMB<@u;YpW6-)-OS)URW8%3rQLdF34u6LQ_*H;f?3ID(}l z77CQ>Dt{183o)m-+QP3%J#i{$&>H*NoCU8CzYQxVQ>7>c>)L$2z}|Hf+>7w$XeLap zDz&AEeQl2WGrNxX_vUmJz==oz?MVf+H*si1P8!f!PG8wL?#-+ntQ1vw&0B@(BTUdD z$wq{XR*txHj0UImTR3Tk^v7`0imx;99A(^?LoOJ%s#YbE^TL&{58Su7*nJFu>u#>T|8du!&07c%yy3~P%?>cH8EbqbMSPH=u&{^I3US?%=P8I4vb$=0 zx|H_h5QA4CL%er!2_?G>G=ajqe)%OuVZ-AT4>mjd_dio2ZAf|wV)WpP^%^Y>GMEU# zF}AQjlk`o!c#_T23S?(;WJ_VZM$?MI2@T8eYoc@7>6mn+DWm7+ zBMOquX^h0V7zq`JknL6jn+lWy*3&0%rLvODJ_^?K#Q8HQx0LC)2Q&Ek-0FmfYgM!=pf2kdPMPJMnq zizYfR9l!senT@F!L3L(<+XE@IrlJX4B(PmvtKj7XD+`Bwx7uC|1)-hwfz|>;YLkOu zxk&-8=W91pEMyBu5Zd>jf1PR~HycunMhkU_44q?=@ahqWq+vROu*ubii(Uw;RlDUi z4s5vqEQTp^K68fek|zeUJj}1=>}&mr`G5mdhEzh?PsjE@x=_#))})wGZj;?za&URH zjv9I+JL zF=iDyG;+hq5?Yvj&@-}M!SWKm7_2PMuvCp&*L3XNmo10R>vzAIZmt?3%ROpYhN>Za zJbwGPJ%*iR&6>OWLW zq|PT&k

p6LBU_Zu@A?JIn#u(;tpJHZNk7CbFSHm_=gos$52^FjEqyd_+s2| znxo;Cspgm#+~=X%;#SU)D}#X>O$!Q~$1mHKwZA+Se=7Czg^zM-=gNDg@?xQKIO|y1 z3J$O2GkcHtOxAV;T+fBjq-y)7xA5KLD1}3>S8^F_lH1JR7hHy|zrKrN4{EZ6ne`PY z9AU_S!5^lcSQTPVmv@Spz|XYr6fJat;kuNv#WXaEo*-!b4iRY5&j%FGEqju`xuf3M4V)W29xV_T<=s zUD>kOeC5q69yNE0W2(&nh~D@JCg8{U{#Nm|$(N&zmWbSC%m^w2uJ8_(YVr84$i=Y#|0M!^aTz0?akpv}(*^L9Yt7|rI`iKdfzm~yq_o?9=h z{)$yQratq`TM2Vw21AYES_s}l0mUk{1UJ1c3zz-~sKc4EX;#;0M~9awXGcNHg@3=1 z!i~wbK+E91byANXj|W++zJOc(PYy`oHNToA5d>N$9^ESS`0=Zac7hZwaUw@V6NxzN zMuO~2KAc`dD>c5>=r0Of!yH!)h7%2|+j5d?&bdDCoI(Nd<$_c?Nv z!zCPUO^7sp+@Q9NZ{W1TYJGDNpB|Rk5Y)Es7sIHIKm{H5?z-JR$0ER*Sk;>)Jv4Bq`u`g6b$`+NLCLqdYg`PEzE?n()|Kt<+hdf!C4;z6!j(XF@buNiGVX zAJScyDi%d0u_(|{%=8b0_bZG3nE&S|pK-D+T8m$3>z!^s2^a~+nmx#V(*NouuGUr2 z{)KHV5b+-U!c>l35&3L-B$x8Um|+)IMURJ{lHyygI|>o6`gXppZzXQZS=DQ&^qO;} zHlS(A(IW$M@VH5ATWDTbm4@&BIi*nl2wxiIFtVur9?QWYwF^I3vyKkhQ`@v%&B>dg zt~FJ;+xo<}suj_QpRj(O|Jf4CHDo#=xQ2oLH&Z?Y(;z`rYa505CT> zq4j{%grdPD9B2Y4L){J{dAq`0S~_Gs+9|9@l?}jf#*Jh<%1?~;U(S+dXJ6es@;Mpc zhOEAujOIb9nu^=dLmG}5>L8EFt#-ruhAGY>)G8@xvpG+fd2#~6y-)sAD!g-x-`f~l zKsf)+O%$IICx^)A2QT_LrVkE$Z%#n&2e%Gz|Wsd2IvC*VYQc#D>Es#Y3I*q4<2ZfK>dSKtumI9M&D2i^oPGAHxaCvsOZ=6ula z$aPnmx5%P}O!Yo^X#oWSb2Mel%^G`)&BK-DxzV&hhWEwSN4>8=Zh+mC$2ACgy-UQZ&@Q`u(SYe+ZRZf+cOmbucI3~ACi0mNu zz-)?ts|xpPO#^XqsyW*EyU{gI?+BfU70dfybh9ObKG)+HKzP0_}Sq zqKuJ(Ts8$gg?kcozbUz^eCjWN8_?eOq)y8HW%JT zmHQa=1i3t*^_N^oK97a~ita_-p&ulNfg{RN4}yDPQ!-*>3y7|qxkk!O^E)voq|mTq zK^F^xaR?{^WUOc$0sbcirgJ!^5dl;5dE9CKfv~MeG=`%m4cqn_I~>NRufJlidGD-| zpoHDk@e+9XaZWTD)~jLjlEhj#Vg%xP&RYB;d8-mWmvQ*PVA&#CJ;*KIsT64yT6}mz zTWYh5LW@`aF3o;H2oT%6A;}m!rLK5l8SV)(GPwAZSo~>T&dAuD{x=1RH5^6JuS9PP z-ft>Fxaq5J*7mM4dW~+qVe+%H&3kHb&WwN%>hYFiF5PhAW)sjgmzjxwY^Q)wXzhu; z*HJ(yw6>|ueq!@P&AX3K>S=II3M>T{4b32NtdMpQN4tRUl^*fk@lsMV(*zIzd|9{w_Yh~q_n_iMC0bIavg-G#2 z;K&P9T!*$r@>8E*pC!fa(%1qk2h`O_u{*!o%t|9h(jkEn2vvm=wN5W7r5VV9bqW&B z<#3h2J&SPpEd4MY|J`ngi`mB?vU}$)H@{5*rwCrFqU>P;N4Du+7&Qy6Fx5Qu1tp%$ zDhc+nNzMw6tPKm<*aA#7k9VP(B#f(5yh64Y=;3If*4Vj4?`FuruBG=CD9z(2%@$C? 
z45imK&@FH8oZjWVKEGfmsc0_+Cp~MX6|x)>d7%irgONbXEp(izj2(Wlct+B3_(W{X z4DbAyO06@E5^%EdOxer}I4$eClJYefRRx@OTz$kgNEFr5=CujN*eO)eZ1a+wB=C6~q0`u5b^MSY~+2q_~62pMr%p z?@TqsQbe~VXPT7g+bzk4|Z*!Um1MP9)+RCaBWZa49r1>W=VQAfScw%$HlETm3HTi9dtqe5* zW1AC}3>-v1ch#t3$#dmOU<67g3!59Ojl;f3+unvW7nn+ANB07bR}iL1q$9pjUZkUc zT4?jj46yol`ph`jyus5D;s2$Bvecxsx!&(rSy!uW;N*Qnn@b;u6 z(6P<$N!U@q!sS0pJnNWWrhf@u}EX=esG}$rvNR z6`ZigJ|86TYx;v9OJxk6KJNuLEx~0iNb{>NGp-ggJT+A(DaAFGLJC}*$)cbR@4&-@ z3P^W1&4oRpUEzu4uJ1)0Qjv@(o|a~kWp9uA(}c9 z%E*|xP2XB5KD8!J;bdeqMUN;jCPB3mGFl0!+9Y+@*n(xOdooPn#PnN0HQ42K$}%$X z5DLZNtDlt=nG+n9ufc!n34bdnjYpy39*^$FgkLsvecSd9q`A_e-0^{em1u65}T1m<|W+OUGy!27>#?h=jsd!YP-n zsMSNZX+u%mw(DVC$04+ngq zqp&$OwKU_cQ@>Dvdm9Hg1Vc80i|&9w-SXC(PqO#ru2^n3OOFp*^RMGsd0D*j(k$C+ zZVWLpDC$Ehan`L4v9-F{=CR$BL(K9(f|yVL$^DW;%;{rcCK!f9G?#lX?9~FOY)+nGVk($Rn*&Xl zPz&bL3aoVBg1MaXVPnK$!cKoZNoCO$uJGyl-I99pSVWOd*g8w6A{TbG zunN{*uS<~&AKO?3DZ=8GC^#7p%3l%iYbL-Od-9D_cX|4U#tgT!)hRH$lVes6gEtyL zoB-LmIr?7r9Z?p+^x8IK&`@(`7u7c9?b4?m2%Ay~{|0AA>Wj46z2{%el~Q_qz8J>@ zyLa|LI+Y|~922D0CP`p+K~Ox$;8{U>B$~ush4kFRxv!4jDCYhyKKE9>Kmt$R%l*cS zpLMyC@#V-eZS0;3lkQ=rSy|^dE7safvT=-imp~kKj zX8maEb(B^a-iDZ(ag@xK_`*ZSA@Cruka=HDZnQFLpB_*1z@{Q)U(R9Y#s$>42T}1+zO_E0!B7TPemYT^STGdI>EAa z`ECmp+8NCuDMV3bMng+uv%G#!1|&$2D2TU&;~KQ!>h{TY>halk?|p~Gbc>dpKGE8| zUl6?oc#CR@9)owv|DQ*7E!(1PQ^{bFxB#xTJBKeE2A5#4&W@cgRWkV1iYVVoSAMlQ zlZyQS*%5e=R}||TrfD5SYb(C>`7s5=OF6_LE5w%5FF)J1p?hkZwtjTLiIAMfDbPv- z(3}7nUJ7G#Ws8tl+(s fOpyXW?rfUVsfb{q2KyL72`ERBNO|F;ddL3&`61Yy literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/mongodb_reply_request_reply.pcap b/packages/endace/_dev/deploy/docker/pcaps/mongodb_reply_request_reply.pcap new file mode 100644 index 0000000000000000000000000000000000000000..9f5ffb5555fd6416bb606bff8c612b8a39e6c662 GIT binary patch literal 1281 zcmZ`(&x;&I6n@jY#K}fvST-0>mZ*n-)pYkvdS+L|b;GU>COa{+?p}nUrn{!MlJ2Tb zRnKHc5a;3{i1_0o0VA%5z@8KdRrPzX-uGVj z_f_Bi@rPXpX5nxg8~~KiP}RTR{rdb2e1wLb^LvA@zWZtZ=Cgmke60l$C#CL)!}bNjpPeRyx-lhcT@zp%HqJDOA| zAC{c%w(9e^IEEMNEaUJDI{K`j+~hP})6NMU6KX6epq5^-q~sr3LM$=Yj)^OlkUKZ--5Q;kdHW=pkb;Cjs<+Gbo(NWh3u)ZK*r5n$7XIiFrNQch_l!E%{KGa zH;*dh-YsnC7pssjkh`fu{^ZWg1zA@E5_rU~FVz}LL4&NeH_-ML z$xb8egf+6#YPB~yXPPUW&DHbmW^4U5zf)TTCsi!wdM#y%f#Qx>`6sUp+!_smI`Ks zObAVqxcgAKEtaMTVniaTEyy%S6BGOLqEwe9%{5E#3ZhfU0m8&IkG9d`THEru$T7iI zvSKNOq#4hmEGM*81qZ=V-`FP{#rBIR8#`cjO6MC|vmv~Ip^67cGgSQXkEs%XRc57% r3l8T38!!`Tkr%5n5t73UdN&&=P=SAeWi-k$@AeZ+dHnr*6p*Ls!+XGE4@tL72&DjUWSiSWDHv=`%SPTp1Wz`8GH( zIIyjpu|`mf5hQmjd2~wiQ68T(wr%Iqt zfo9)f0;vx#$}CBBN-Rmv0IPq&%)r2zlb@WJ6Ox&m$`D@pSZ0|PS)0~?qDBsdscIT(D?;v5(p z*seL%GcYiM@TK=Wucj9N^1R3OT(LnyfZ?AbP>_*>i-E&Hk%2=rT@++WX+cV2Nvc9g zYH^7|acYS|vaOO5$g;1ZybN_f1t5&Yvb>s=Aj|e&gIUJ&>e73VML-Laz?LP!EmH$o zXa?jm{IOwVPy!mK6O>I^tuL$Yt#Tp;Z9uu literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/mysql_connection.pcap b/packages/endace/_dev/deploy/docker/pcaps/mysql_connection.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ee83703282861c1043cbbbaa404dc3fd78daac7c GIT binary patch literal 2021 zcmZvdPfQeN7{8*LKynI-+T*x*dZ^>zwdc} z&-=^_3$r)>2(TKqx%vCv*Yns|aGLX4ebOreUrdV66y{qO41 z^76{$&iJA?j+08b{_8)}pHdydy84dh&zj>c>|^X(?uqh=p<;@yuQvwR`YfFjTlu50 z?}uYUdw=Y%m@J>mkD0|&x-*t*(MvhUIc--)8BuAq8v7eds5lj4OX;vo_4Y#K6%kFR zR}O+|!FwW8UBhAU${hs~N~37M^-smNUGPpg<$_+!x#qaB$ziIx?SyUTOq`5G^nAfI ziY{)mjBvpm;freYk~tdeY-?}p{GfWnxKVLTyBKO~{-U|1wN5V;a_&jHVuj9hwCnAk zM@kj@R3&F|p&(Zw$E|QY20SW}!|2mC*|DF)%E6`O=U3tQi8mxW-jAi;{|~hqi8O!e zn?>I)^rRA#?!57X+}EG<^Q)Nj1p3Z)S@iEkc~!`P=1eBaI#WJ$qy9eh)q@31UM>8p-WF!F9Rkr4UldE2rOXtZEj zrW=h@Gb60AN!&~&_|LxnU2Z1$r@%jlW{sFh zyBMnjTe#1*jFF0Qn#_BCZ{i8pX>1U8QVH{iZyu3(g!ws`zt4G+G7r6cYR}PBGMkF_ zCbP){$xJHh8jed1W*)vD*p+8;17Y|+48KH!hwlV7NN+!w75r2K`{a?vj-V%%U_O*+ zlqCi8OE52T=C3xGNpf&IF=tZ!sh;cxbJIQoz6kX)u2PAFtXpMST>vivc#Q++WObfU z6zfGo_0_R7?W1TYG(Q^LsIG2_WCj43FfU=RYq~=Q5cbxl)2j^tnDgQ?K#<_85&ZU8 zWBoWmB^>pw?Un_7N2?7>%P&IQ(U-Dd0}g3<0>5gNU`bwQ8ns;CK|zPJb#xDa4*>YzpV81oPzaaamU|?*a1;u8R+?_@|Mfi~+1D z=;fyn^2M2!&5aZcM>mT)nb>lObY{>J>0m=J>O1esWiSokG?noBP3V%$B)sl`*AkfS zdEF9I=0mJidyfvJH=eqUH)Y_TEu##u-rGOP^1^ZnmSd2A;BAib7%XQnN*+^^+9(SD hzFmfH7mld}cIVw+WnFPsdsLn=@jgt1r^%H{>K%FG{T70;`6Q$f}Mt?L9^<%w+7BTrc% z_rDm6vaySSfq`GXLP}yuVp3vpsshCN)D)1VxmmmnElJQd56IM`wp`d>c38) O#eW(Efd11!wG;pnicsDF literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/mysql_long.pcap b/packages/endace/_dev/deploy/docker/pcaps/mysql_long.pcap new file mode 100644 index 0000000000000000000000000000000000000000..8bb52ff8e283a82a993e899c52f0c463dc94bc2e GIT binary patch literal 183149 zcmeI*d303O9S86?EW;Qh#IP7yM0)j6yFY)S|_a<+Naf7&` zq6lblOKDwLtcp}i)fNkgV%54)YHTUgR%|6&ic19*q4!PX&owVTO70 zz4yJ(y~986_wJgNPu$y|I<6H%>W^EmybeI{vXQXVews8CxGxNs(BNA6+{yr~d7t0`<+d zzGYkSK=c=to|_bbvwh61Uo$hF#oxT0HMB7lb84Kj|janI==}%hHL0Of~SN8k5^}0;;Q^M2ystW*AsPdZ8Lq)457Vcvi}@F1DP6<*5@_|4`%F zVM=vpso|(I6_)Q?A}(#a`3k8M3PojDCCxxMdO#v&dg@K+m58$1xRnYlb-{e8u7Mkm zn^s&M7Y|c1VX9PhT8>D0u1r{tzKZ%vsZQgeoig=#3%9aT#-%9|mT!6b)1+(bVVL>? zNp(5=udi#ERD|tGh)x(KAv$3P5~35vNQh3j4++r;b4Z9zxGxFO33Ew^PPiWl(Fr?} z5S_3S3DF7jNQh3jKMBzZ^GS$K*qMargk4C8PS}-%=!D%!h)#F_3DF4)NQh2&APLb4 zyOR)|um=gz344+dov;@P(FqSCAv$4i5~33d5~36KAt5?pUlO7d7LpL1@L&?66ZRt^ zI^iKCL?q&@CcmoO132!7JI^i@Dq7&XkLUh8LNr+B(3klH)r;`w!@KzF{6W&Hb zbix@VL?^tRgy@7bNr+B3i-hQevq^|fcn1m53Gdt+2|tQ@z3?Hod4}+&$C-};xmct#23}<$$e<-SFKH4 zbDU0mP-G{5>Zmck(Qj6E;sZ0I#_FL)x;3vBy>j%L8Tx$TlRB}-fhw`1PR(s>+&F&G z7v1!_smtq-zpYzSqB`TwYTe8?lf|Msl)i9WKk&kYuxc$YE(0@=t|LO*Hj{Bz*k*<6 z>4T&%MHmRvmg-9>b+E8Z5qFbGH{q(k9p9=B&7ee#)RATwSVDTCXNiPsyPlBfKcqk2 z8-GYiSSjPu6bZ|>ywC|m(zR`=CaEKnLaG_<2Tc<=OfHKUb4ZB33hyEzI^o?UL?^t5 zgy@9#k`SHnJ`$o6){_vO@FyfhC!9+{bi$vK5S{R6Bt$2?pM>ay50DU@@Iexy6Fx*j zbi#QgL?@h2LUh6fBt$1%NJ4bNhe?P|_;V7X6Fx#hbizkTh)(zz3DF4`kr18maT1~v zE+!#5;V(#tPWS`~(Fva_C_%aF6311;0I^pk0h)(z_3DF5(BOyBB>m)=ce1nAOgm3PZgt~I3PF2o) z^L~04_SbuZbsvYstz|F>5 zu~XIRy>gn7uoZ-VAR+pX{TdRY6aJBe=!9>P5S_4rgy@8ClMtQoPb5Sq{4)vB3D=Sk zo$xOtL?>KFLUh9QBt$3tD+$pF-ytD7;onGzPWX2cq7%MLLUh6nBt$2CkA&!i{~#ec z;Xg@;PWV0v(Fr$_5S_4*gy@7HkPw~lLlUAB{)>d@gq!vZp{~W5JiDb@oRj0aa^}d- zvukn2Y^uxa)a#`c8MQc_b>by0CKhzkiIYcXCtg*e5=YgK%}#vvo)&l7c|Bd-GcU8c z=kA(ss_qe1AQGt5AqW|~t5ed-=KPDkM z;U^?SC;XIz=!E|vAv)n_Bt$3NLPB)Htt3Pz{G5d7gkO*lo$yN%q7!Z-Av)n#Bt$3N zPC|6T9VA32G)Ra}7$G4#VH*;n6SgHGI$=8!q7$|!Av$4{gy@7FNQh1tBOyBBJ|sjZ 
z%poB<;lAIIP}ky&yEkfFJHSY{9HYoEjF?eW(@+{S%3=e8!nbwh%poH)D`#Grl&+j9 z=#am8RZ}gF+GVG+A6>h^mb$*cN~rP~Vad=>x(N|j$&~AP6`r+qB5+Kx@;!2ZBwL7PrV7f5>Zwgw^D%>dcv1#8oTkhX~orXyQ|P< zKN6zRHo$vq>q7xR7 z5S{Qq5~34!Cm}jv4-%pi_9P)XVJ{M*6COlDbi&>wL?;v^L?`S+LUh8uBt$1HBq2KC z!6e*sg!+!`JJcQ7Bh-D^x;5R4-F#nmSs8|FkGp3lK0QBb^dD@b+pcw;gL@V>>O^r%MqTIPfhEm#ou4^7>pHury?YiWEZ_3< z_B=_~R-3>G(~(Ib6T!g3O# z6OJPxI^lUFL?=9-gy@79kPw}4JPFYWCy)@Ga3TrO2`?leI^iS|q7zOgAv)njBt$1P zNw^0Ib-j?kAZm0kH_~m_%9--q!cTPN%=Vd?l{1NM&6P6+lQS!4WWo&0Ksc@=Ql2Xl zmJ<{UUzgHIN5n%rWs2%h3b(RS#-%B~U6n=!C&eC|6uX5mPC|6T1PRdzEfS&=R+12% zu!@A}gcp+#oluexo$wM8q7z<9LUcl#gy@7x5~342Bt$24Nr+CEA|X0qH3`uPJrbf5 z`Xodr3`mGh7?Kd3u!e-_gqM*Jov@aK=!BP(5S{P}5~34cNkVkOt4N4Wcr^*p38#<{ zop34%(FyBFh)#G73DF6!B_TTDbtFV5yq<*Ugg1~7o$y8yq7zOdAv)nrBt$2?nS|(s zw~!E>a5@Rm32!AKI^k_3L?@g(@@&H;LBphkgn_WQa7inr5@4Cy>Vl1qh99Y7mq!t zF0bR}7oKTa>V9{tecVNBxJV_%g!9(szyot>;iBNJOmC@G2G9(qq>ZDP{z5G!b)xM03oP+IYWwN=y zXDcJ;$zP+sGNbjGbqyeA`MjA|9{(Q9Wv;UXWwlG@L^|shh=QJmxu9;3x-h zl+CjN>|=ndPy#5hI;-3Fco-&hJHzJK-0)UlP-OFL{%`;fl9Wfd(h=PV1A!ulI$;m} zZWQ$h&vS`M6J?8ICkULx7#_c#+kB1A8P$o$mU0id+koU6fXqjv);iYcW z2)U1eBpF6-n|@@=qUdlhh-hMi+GlV@qS{b&iNsk$LX#*N5}HKWkkBL?Lqd}{XGmxg z6+=RkIB!U35>-P&lc*UIn#6=5p-D^{5}L#XLqd_Dn07IXX)1o&kIHa|(wnOBljYon e)ekCu{MQ!tDWC#MXK{z67-#_(Cfai_Q~||77-BZW9-s{z3^}|<9T@D{CcXrj4zh*k)v11v=|Efd zHApZNr5%RY@TK2117r)(-HeRl3=B-nDXD2d6B!K|c+v$Yiz9AWG>y*GBCr^+-$Btu(Tg8F&FgyJon|f`+lE?r$4*x%kJRr z^?iR{-}gPc9_E=WX9c(?w@;h-(?~wTvwXy&Y|Cvp#rN|ZmhB{E z8;^4VoZZMmi{*KFNXWx+6y({&=UIl=dLAt*DSCK;l!p5`Ie8^*GZ!wEMsH=w(zfk0 z@H=+P+FV!EUKU$2r*=g^3b(~JHaE8T^w1`)af2@w+Z>4o4fF0gtEGzv_~{asf-^AP zk9L-_pO&Q;u{A9=UE8u}9XJX&VSc(YJe=AwnFjD?(NCLOG!oGzN!Mb!!%z(fBOd*V zJA9b9>fj6<***+)*>0#laLN&a78`2uk!%N!0?vGMs4l8dYW$`2a%$5Zn`pDI@JQx+ zpOza`1>c11B96XBmezqui$x0rbO#RkuH&M072>rit14>L6=lmSR;hWddQ)khTE4QX zs;s6W{;+YK)}lpy&5eOj9&Ou!ZAG(9L4I3iR)yJK#J`wi){H*{j%fD%w;VVMIK0^| zn02w~DcZEP)@Z|nJd&C1h1o(xyJQzF1kPG;X)&{PzrEwYQNVeUH=8+T*6WRFu~;b5 zQsisZBY{Xb9MaWA>dMMWioD+@^34{0D`vA0HZLLa_jZv_gCp9^e9D2NfMahH!Hu3? 
zvx)Y~MIOm)UV_b%@eaDWL6#PQNsHNBaOgn?4juGd-X@)L8u?lenApCdULMALmB81P z@qFz8NA%TO@4)$QUk7cX6@SSinXfDGRW_cl`<{^{4fE1szIk*&(!)@bs%;6y^cenv%P4uBk4;6db=CZ)%xhUj=Cw40|IV(5ySG`r z)^|B@6mSwf?4gSrdskxwqlcY9iqX2?cCOJ zN%YX*m_7UqFfr7L<2;P{s)Da{ggS2*Y7iW;hn2!boZ~3q@VtWRQrUQrGB28uw4bEfKL!*L$sOHnPcoXBDMDx^qpSsBx z4Lt9Q=07s8V22JN$eKCa4agt1-=ho#>ultfDUqpIJGM0!~77 zKeb2@eHBPC+9yMNG$y(lqWywsLiW>$M}D;yQ_gYVkmy7)4USpN^MHw=N=kVco6`?p zwFuRps z%J0g=h9Pzr(tmB2Uj5xFHvLlvjsi|X>;SdK5bH8N`%r=EffU7_7cL@9>@JAif@p(D z(Fi#}oJoIJimOIEf+}9J7dX0TV;L)Xu}0uPyMkSMX(qS_+PMg>3l7fn)VG zz=}xOXwDaGqCKJTNH*tQ_}V$1uSI{#QZ<;gSP_@c9dY20uQIcU#)$NNEyWYlnzewg z&h|7#BVnV89wR6=5FMUg&u_pS?u5e*1U+MSuo*XH=?FHW#e#l#v(JH}fb%vV6!Khh z4ql%U)SBG%xgqhx<#YL_WJwEw{|5`-N->n(^ZYJ9p0~z)-UR#uU__F#Bz)zYAcwV7 z_Ljr%CmO#e3pGe@v2ch_&yK4D$8{SP&e~b%{L5PJ)W;n-3OI>+pQE>lS?@D|iJ?At zh=;MGxs9Xg6pn^q=V-WLaKw85UGBi4qe)y2431E5<(4(ttUWxE`RdeiH8-LqU#ZM! zyTK9bU31leL+`vqy$w!sy**;Rdu)Oh3I`H*sJY?r7=oToI#@HPGHk84tC$bUaTIV8 z^)@*FU%kCZFE%Ol9zH!gu46c^c33!RXQ4hd#lktf(Sb9a;|z{9a)%A);Kw|N*=)zD y^a-azoIz^#ejARzTl{L&NyV?7WXNC1Ty44@dK9>hil zATf|xrs3hMF92y~s3ao;_o5ak8$^NBi2<=RZ=Vf{lg* z3e&#}aPxp{paM=HW&&afkPATJG~o#|!w;YU2m@UJ45t(FY40x=K*EXPMNYBKl?>iX78zi_+pM3)fCtw&&1%*`u1H%SrIDy=X3xNF!l7zbtq7vD^ z{6HZP1_6+tK>+Np|3CoY!by<7KmhJHAX@`0!oa`^riEKU@x>5&+QE{^`Dz1*9r&pM GEC&Eo1Y#)w literal 0 HcmV?d00001 diff --git a/packages/endace/_dev/deploy/docker/pcaps/nfs_v3.pcap b/packages/endace/_dev/deploy/docker/pcaps/nfs_v3.pcap new file mode 100644 index 0000000000000000000000000000000000000000..fa489c8b5d3fcd78fc0a8d1a2667bf1cd4d6fe14 GIT binary patch literal 426 zcmca|c+)~A1{MYcU}0bca#(EkAKWF*$gm5@24Q5t!Qjfkutu=Tfx&@I>q0#P10x7C zyK^uyrq_rzIa@b3NErY8w*V-}$iXGj8Q=xN4Gat=3ul#HfSSa_z}U7J$YzFOkfkyV zZl}dS{KULWAO!~?IbD$#D$43=AAlS!PB95R0=UwYVfcEi)$-$N~8z zB#fOQ4af#zWB~R_M9_ASPhLKQ`Gf=L7mzQ2zUgg{V7B?^1NVtH)F%p1pP;)8WH=Lu v&;i;ib)KEU3CIRvWB|6+M6eoUtF}ALR%rP30&QO2AOH+M4Y;kvKwG^5CSpd= literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/nfs_v4.pcap b/packages/endace/_dev/deploy/docker/pcaps/nfs_v4.pcap new file mode 100644 index 0000000000000000000000000000000000000000..5fabb74fd2255c5903537660cfa466d50335ed4f GIT binary patch literal 642 zcmaJPk{`$7%Wy5~Tx4(VMl4q-HKvQif!Olx(-&lcY|E z&!QP7Wg;z)=tNYIRIo}{jC$R5;28WruHjs{hjT!8hdpW+^s=q(^)+W}6Zdp5++KgD isVpo?N8oneUxM56j&d9R7xiA%eW-aR9}SCt+?v0Lj#}#g literal 0 HcmV?d00001 diff --git a/packages/endace/_dev/deploy/docker/pcaps/nfsv42_clone.pcap b/packages/endace/_dev/deploy/docker/pcaps/nfsv42_clone.pcap new file mode 100644 index 0000000000000000000000000000000000000000..2ebea37a37a4659a141f95115da8f6ae112323fd GIT binary patch literal 580 zcmca|c+)~A1{MYw`2U}Qff3006Kojm-OS7o2IPP+1CM6@dTAhe<;x=u23H0~4>=|W z1_!oT3I|p&hybxB(=!f6`CnW2HOt=K)gZyx({uu85+euK5}w>#rAZWuRg7 zL+%E3WrVa8f(d4c0ZAD~1~$emi)wGrYi#@ilV@V!V5oaI_c)NR0K_=e&GF)3sE4R? z2kC{`3350H!1&A%E+)AEEW`;ULGG4d0QwFT%4IFg4BLPLAPfm#5rO%4t(JpAnPEli z9#AM7vw=bw6w(}wOwT|eEdOiUC15CD%b5fTWl#u%Lb`#0p#U1nFo%K6g#vXED1#M9 fn}XOdS7Qk|IiNHMg8(R0KtKUZBKW|NP!|CJtBqxO literal 0 HcmV?d00001 diff --git a/packages/endace/_dev/deploy/docker/pcaps/nfsv42_layoutstats.pcap b/packages/endace/_dev/deploy/docker/pcaps/nfsv42_layoutstats.pcap new file mode 100644 index 0000000000000000000000000000000000000000..04eaa4e97a08fbd7a4d0ff48d82a5094e1f24e9d GIT binary patch literal 744 zcmca|c+)~A1{MYcU}0bcat?~=Mz<_tXW(LD0AmIQp7|ek#;9>sc%*SKxH2&Qk)H3s z;J`L#N%P8`SDRPvpTJzr!I*0i&ggpRb610enqJd#1_nk(4z4n>=|3-eA6eeOz<8v9 zoA(jaCME{Pw#7g;$ZC*xPfMq*+^B4_4EJrXGNc@KaAd?AUHXB$kP;44l9fSlk zkqD5RkO9bFSAdwgB)I@2E@o(KsAp(qsb^>jq)m+V42?|nOe{fC1l6`lMNC~AN<6D(G5%)z*MmTlsXz17!sf<13eUh l=BwKP2@n9sIEaCW84wSYa^SJf59EU|2!LW92tfMPZ2$l&Z>0bL literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/pgsql_extended_query.pcap b/packages/endace/_dev/deploy/docker/pcaps/pgsql_extended_query.pcap new file mode 100644 index 0000000000000000000000000000000000000000..559dadbf49a38b884b6feb1648fe5dcf03c54b82 GIT binary patch literal 1561 zcmaJ>-Afcv6hFJJ>*hz8th(yUm=P*|P1kWge*(^1BAd3dJ%<;EPAiN=U(cZ8FO`4y1QpS&Yk+HGBWHoo5N0sANP`o7M6u;Ap-cp=e+ro&SdkL=>S6DV!xe;ke2)Au}zkM^r5e{h{m4 z(5VR4Cnn+yy88kUQWI=Y*BG>ORjCi@BNIBXhr&?g;kd2{Iif~Y!NF@$pAO`}RotB{ zEu@vDm?WR`Qcp@q_c5dg!F=E|{luIG1+#V}2c|IlWT{xTL@5T-=d5?0isb>`*aC0| zkz54VhgPJFj>grnB2-oj-C^KY?CleSR4!UN} zly&2bF|Nd|@Erx7(A+AQ`Pe8k%$yu9D8c-UBhtwP(C7bVaF!!sXsK(eyKHV!!5Jr) ztc;16Zm5%{qGV2Kbp;oS7Ez3d9M-jA-AG_^WiAZ79g+2%mf2glI2ZrDWn$pQAiiXF zQ!1vP>2VN=&1bm~z!$RAdVuy)JQi464JYfNx_oOXP#?s4&^bT@L1CqWqXRE4 zWCKZ!LqGCh4&7vF8Xw2rnWqlB!SVhQs7H;hsB!!GilwmzHTHCMgrsU|*w7P_U|dKK zV$5KY8bP5KkOOtJVp3a#W;1_C$$W-Ryg7r^(k%IA%1!wne&-!^g*5r|rK{#~z^-t- zTUEEB{8^G;`}DZ{5W;)Gu14_gCk99e9Di^CSVx20c4SpRF7SX!tb$x%qcFO?Uayoo kD5`mf`Wudg);o9he{FHiET68F(9U9LSA*CRrw0K30)`aBpa1{> literal 0 HcmV?d00001 diff --git a/packages/endace/_dev/deploy/docker/pcaps/pgsql_insert.pcap b/packages/endace/_dev/deploy/docker/pcaps/pgsql_insert.pcap new file mode 100644 index 0000000000000000000000000000000000000000..90276307f8fd1c03f3f56e3a287f5ac945a59d5a GIT binary patch literal 355 zcmca|c+)~A1{MYw`2U}Qff2}=-L^4AO`C_I5y%E%WWd4T%D_-8`rLuRflX~rJx~J( zPyQ)t@vm(a<7NN(Mhy}I4FA%Bf{YwojD4;QjGg*31A#`^W#$#97L_Pu=9T0tl%y7y zXe8<=Bkls h4}_5c*d7zn7hsRyg4qN0xC78Gj|Kst$2Cyx0RUomPQL&E literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/pgsql_insert_error.pcap b/packages/endace/_dev/deploy/docker/pcaps/pgsql_insert_error.pcap new file mode 100644 index 0000000000000000000000000000000000000000..976737f921ef69ed51487e05e882d25f6129fab3 GIT binary patch literal 650 zcmca|c+)~A1{MYw`2U}Qff2}wYu^~6ugT8P2xNmWGT>lvWnd^4{o%miz^2w+57Yp{ zlYfd@{A*iXaM^$1YnU zG!k_bl5`Z3H5JMdb4pW-HPmxc6HV216o7ORlukBP*R%#Zh)J8B;VRG=5Jm=I2OZaC z1v!Xc3+5nEi^)GhjsZGqJ=j6JksJhc6wnh4lY(7?g8YLRoQ;f44NMt)Q%VbRGLsWa zQWdgOD@C^a#qQX#b>v$&*KkHIZ3sRZJCy<`R-V@q>}p!lSc_~eY#h~+g}iJ(QS?esT@S_ocDZom~OpjJ$%+Y{(f$6W(s~^Cu41V z0+zq+!t$q=H^{|#C$)?`Uc!5sHK=XUxsyqk+Qi8#CFg}7b$BxgW&D?Ovb+13IbXl) zb56JR3+5x920)Ar5S5<`b1&CX`0um_!kQ2JJ)CvnoDX+gxZlIuCcNwZ*Ej7t zy=6|^Y;UyJH*x+l+@|X2HC9h6q-55p#&I~5>S?L_t5i=P`by@ndOB<#A3fchBK35U MWJ9H%SjiNB0A^l=kpKVy literal 0 HcmV?d00001 diff --git a/packages/endace/_dev/deploy/docker/pcaps/pgsql_request_response.pcap b/packages/endace/_dev/deploy/docker/pcaps/pgsql_request_response.pcap new file mode 100644 index 0000000000000000000000000000000000000000..1754020f2fca07c9f31df34473fee5fd2754ff59 GIT binary patch literal 503 zcmca|c+)~A1{MYw`2U}Qff2|_Z`>F%qk@Sc8psA=WWd4T%D~_&`qY8Jflcj5Jx~J( zPyQ)t@vm*=i_8A=k{Tog82&i|1sOTG7(4Z6GIq)u1pz>% literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/pgsql_rt.pcap b/packages/endace/_dev/deploy/docker/pcaps/pgsql_rt.pcap new file mode 100644 index 0000000000000000000000000000000000000000..764f399252c93e3cc667915f29dbccf48be5144c GIT binary patch literal 3012 zcmb`JOH3PA6o!u;5mq=Z8RbW{)fYfZNs+B6GC{kBlB$h!?Cl&OZJ2Q?45B8>(t{?Y$ zzVqMz+&O1{{qg&6?cfCCb#w$Uk3T$ec50`;33&WY1Hj>gM)n2YI2ZvKEZ&Jgr147d zHh_&r9$G`5n~e(n>#jZ5c6b56?u@vdcFyI_?iFa>=5RQO{iqHbfY^iU2D>$shx~8T z9P-t>r*m+eO?-p>53+|b77YvC{l!n1?l%p#u3JTZbI#*&9G*p;Hcc~eN$>B$I$nIr znEjT_He{j~l}r@IIe&TaJhA^mb}hZDC1QWQWw3QGn$e3}s28mCeiv$@9I;{HL16U> zW8Sl5wjs02taqG*dIxF?Eq=yK7%-r^vA57z*Ga~PFEzneD3peU&|L9zVvattWRkI} zStvqyZ~!bQq6`^jJ^^t-6=noQ)P4z>OhSqYs+3MeQ$kXojU^;8rAEb6EFG6pb1*ge zR!F-Eu1__=I|!v=p>JsQDKm1-(5ENIg~{2%ae zjq7^w1M*j@E6o0`JG;MYuwO%Vtvi;_G2KJQbgv+P&3q$hT+$n8hVj8SD0sdANQ~>aAJk&zRH-3mP}KH(U{{T z)N#I!u^%%NE*a3gWXd1j&mwt}y$1bV$n;M!ElhqX5eoAc@C;hD8aR=2<^1c#QzMsSnZAO$=Z^#M-Cz zE*4-fgOsz$cp!E$<`?6knXn)P#CUwhAD{L2#e%_$v;O|xaCjEj(UUk>wgDT}!EM>@ zG1{Hyf)QNb-R9EvhKqK0gsS!62e`XE+8syxn85Lpbv37@cFU4ZE52bt6(`heLWI$Y zYv($~hOaYNyOdJJIZ=*c!w^*|DJqaov6YucaYbGf653Unw4%<*xJ)#!q(qg4j3~2) zqhHXD&1Vrw=6=Ey>npgbU<-n9Pj63efRSENM1|&}!h-sKT9%erlhV2tUD~OrLMkrE z@n|fanoY||Y*bN2mGPsj)HjK`Z=_QqB+@Y99zVm3>4 zZZ-BqQy4T7qn(Nk7uU7pHrIp$8z$z!i_GAJ3#Kswjp}5>7|$LM3a?r+sU{2=$u6}J zlbUXuA|}L`+VOhFtej4EsG_0{00q1Ew+mMB4>T--ebYV8?wc2kVA{#rapTGAWcSTV zIhfa-EwxM{r3dT+encFAM;3hGJi-^ij5cSloTK{h0h+S)(pz7}L?2D~FXQ`j6C?b{ i<;jjd(3~gXf1>c3-Ge>y9PfG?o#_0$+4&L)_x=aXv7EmE literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/redis_one_transaction.pcap b/packages/endace/_dev/deploy/docker/pcaps/redis_one_transaction.pcap new file mode 100644 index 0000000000000000000000000000000000000000..8f8d21733eb9bc1b36e9ca73dd7b59f2b972b999 GIT binary patch literal 233 zcmca|c+)~A1{MYw`2U}Qff300rgkqRF^QWY8OR1o58VRa;+h6rmAy>B zbWj0HKc@Wz>#uHdF)%m@j1qLou5DiZDPoU36QU7$RMx{D+cNXm{XeVSv} zs91L~VxxXEOdc(E4+4DvXe$U**2AFH*(=%W`lL;fz5@}6zq>PAx;Ty4JJldLQF;X$p zIMJTOr=zWjsF6HkbVlOGu@l4Sr|qCF5Xv>Jp92|#&CjTQq=YkdN{Q)vyff7RH}4ofXfi4?og?LUM=U#|J$Wnx=8HkTaS~>b(Zlf ztdtpoOqX3Ia97I(dTX%%W02YWsK`mCoMld`R4LO1ndf$y;2=`({$EC7dx3SB%ng>A zddHqa=AK=Ku))C^T;y@cyx8q>x?et)>7F8U4>B(~HLNBR8mH9h_p7jEMAG)Soch1X z{V!G|IgFR+|B1bSB8A4O|1U`0^vfd-W2LC9hc~Msv-q#Wc!K_4aq1S;e_aWs@-VPO zaa>39r0tqur7#FW{uHwXHj--^a!vLYix^WxUO^fdX*x)Ns}yh1|W2GZfj=QjH+Qb;+NVfaiia`MNAkoE7&gLqTl5F0sE z_TgMDBW48(yJ5l$NCvgLU&kbo1*j2&9-@KRu0?9_Ji>ENmPY^`=l8mC=14%1ubP3z&rp6ztY z4jkaXof}6!_6INt5C|?~H#QDv8aE_%KwRK7@g*d9UMFeXq}58>OhwwGKB^tRul@S> zJkRfaetz)v?e_!BIMcUrW(-a~zm;5DyLOU!3@6n6Ho@eXv7hdx=a{)u)enPA;05sK zPTxI!ckH{V6H0MaspgTRTars0cTV8Ld{_(%Q7OvDc%&-j88OUiZv~fBat(e*omYc%v*}{ZmAseS<+-8Y z1$=`mnD%vS*BlAOVbydFX}VmsZ4n7!%QAEgySmw&acWlo@)BuoxSJ9}NDya3!BB8Z zhRLSPp@>NTlp<2fkv>+Tpd)jkpe7GraAh9B+=h%>HQhupfC^Qr<(c$q8AU@uEZeTt zz?Kw6+faJH5^c+D8tqV!=D;720}Bv;>VETbK*A3h$bo;ppz)`9;N`%%$;;g!!!mhP zwcC1g<9{9R6^GbddIQ2Ip@L0_dQqun7r2I5yW*I29nT2iSXdA_k>}Qv0_Jh-%~)hz zcZb6Y@#x?>`_@UO1Z79vZxq+@H2$9A`uA-=uH)QU+{0A_TuY0`4O6e$h|?6z#e5ju%QH60t~28#^6NjQh-H(|U+qoOzK zCW{;cvq*1hMyp0II}T71S0j#Q>lUS_{>{VJJ2M(E2yejPR-=LKHeD?&q@U|gV7QzP zA#`+lZy?al1N)PE{3nXBP_RN8rc1aow%xWz&C@h1x_rMgLC&WvI!dN*26U6MY<&xB zZP~2XQ}8Z?H07r0y7qic_EszDSZsIO1b6u+F~q| zS%}8lc(+!h69`&Ad-p@T;Yz!x|I~Ipk^Ga%c$AOK&Qgj!6rCS4)~*ojPg>xQ{_zb~u%Dd?J4Ec6!h9`sC9IW*H<7b-z(y$FuccDX_o4 z=LdFt=B(BO_TVySq@a3xVSN4&iyL zC~Ofz+6&g9l+FN~_m$3mAm?Zn{6!wrh0|~Tmsq?hc^+Rf+j93q$PQoqc}ARSQk4s8FINEep%pxhAHmo!U-mJ25fv z1(?|w5epL%5?R;~>cRqi0hWG&a?XpCwx|UJSbBzg^qil&|NZ{Y;rrJwir^9$f5*oF 
z6vU!G_2KrL=TqQQ5ex#L2GBRax9^4M?Nv|##r~sZ0G>==li$586c3NC-d_tCMb=WF=`SiMJhiD{s3ShuA^}nLpis&dpfM zGkg|M8kD3)eBp+Ybcc01N_EkJ)U*g8Cb1RWFlf^>>HH|Ak#UNM`Z&s1kU8+wStgF` zP-Gyt6Gq%)0W*Bt44Ae_ImK+w<$K*Q;i-oSLhg=-REmUNm0{L_d0I57^Bo786prN{ z_T^Eg+~rX#YdcU>E%dT>oP-A~3**Rvi(!kW8SJGziP$#xqf``{HbYd`ux05sZ4%20Z0`FU1(t=G-wfoEbdT*ROL6j;CCyYwAg;MC zE~G59#N{2h%9A+fs#b^98mzVBh{Fw@q(T5Fz*8v}l$E5CloM`#ybK-+-18W+J>)zm zys!$uJTRx9ea-34DbEQnIIc8e7-EEABiRq5)*nD}_Wk}9zvntF;Q_N10)Z;8PSGg@BC6rhu$TSWE(%WbUo5?)0s?)x()Te!ra4ZVx{7`QEC! z)vw>f+`XIr8fisa&QDpH{ZDg-J>75RH}TeE@UM79!qvsHI+ix-XmyOStl5?ofmisa zKdfgiDKiiX|Fn9> zr|H1GYr`Ep6S)racff1|W8ft{Tkf1knbPwv;7-V@*6iET1|To}kcDoI7*5vzQjT<+ zfNmzvpMmoPxZovydL`dYIm9Okd^%B|tOzRtetT?2aAHR1sTo1|XDiBzctjL&BO|&j zKnL)MHV4roT;Mwo>7pMz?!!p}jxLHB6;aC;Z43jbGjnbX9Y9v1Im}G9N%Rdybo)pj z4ll}8bdIR#8b-8b79BuVG#jSA2Z$c#DjJikS2XpK4<`vYw^vbHv@Q&wRrE3)KvuK| zRCI+&H1e>{NloQyQpx^2SP(izCVw9+|WZO;A>958_qBfuBA-K zc)l>y{{V0=7<#C1beMktrn;`upQX&O?Rf#XUqW7Q4|VgVGn_X+p&aS(V~k+TM>I|6zp6wZ9}Hm`o|gLYR{XD zkH>?tx0$-h+x<&7UbfhWgFUL;cp|PCFvhT&u|IS#>abajcqRDtMV|?Ld9}aJfCzrM=B6b&eYP^dvzVALd zl3n8giBRJ{V4UkY!rU5{F~(PZU<;^VUz5+D8BW?M%8@>O{c?TGaDMwUilDd42FK zgEw9B{fY3AeOBCNcNv>G25T5=VOyvm`qdy9L(RNIxi9p%ZUR^DDduM0$ha=vWz4)O z3(o}I6=N!{Xl%P4V_Z}IM8}ZxvkB%0I~D7C|0z9l(F;DDM4r=~;k0{=a%AoLz&vj@ z`SfErorY45%(dAs*8+wU`j&Etk0IA`hO;=Iay&lR&)7O|`9a_JNi`MD#X#uhkJ-a; zmJRzp6JK-o=qZNzz!J)Yj2GuN{_Q`3n`+qinXvCO9p-sps(awA*_0W!JyU`EHRSc~ zd%?nepT}@kwxS&A_BFbhI8A?yw}wDwyyU(g6o{uB;)DCXm%HzUkKFf_@gBCzlo7%4 z8ENCjVj<(j=8sNEeJ&^(Kr#%bhTo+x8Z0PE&r>Gb4Zj>XPXZq=Dc!r*6e{frKTkA( z&YCp-R$W?{Ze>i1|A&qs%Q6paFPcp2oQbzmVHmum>5zH>9}c!EcqSv;>g|*__9>_0 zxGtK)fNF{Jj?)2UX)Z#E*MqqC4$CcZ4sb?;G+t7C)U!Q&ICzIOSQF<tWXS%QjxCG7es1I1_n0!wI2&)Jfj?d{L-2gA4+k?0(lX!yrY{qFZCA?} zHDTQ3XEVo+42~F`Iw3ex1b7DqRwtqBIy$gD3AOKmNjL=o4tZ{K-AO0`j=Ih(75Z?J zfYVtEz)ylOjX$TG&aFpBkflBarEX&?^=O9kc>^B~y$zg%EfSY+7Q>0}OF6P~ZJ=_e zmC7M!5^}N`PWo=jk-1JYxm?bAhI1l@a)?hNnMs$ko8hecf^s}QZIwE^oDr~N;7*1- z?!Hq!zAptrbymK$8-AJTn45&JMZ>zlTJ2|;MK!1!WW2Qf;i?Y+caPzi6OIn^5HQsp 
zaHI)khHcM1z-f=?Ys;p`u3==e|US~Kp z)m~xm9h*ZR54(}0FYBedC!YGq(gmS(MJAtkhI253a%8R|zg+DZPLH*eLwpRmQW(z7 zEtKQ&dCrvUjeNbAb{(s5E(bzYzxwzioMgjWhAH@(+xHk|%wo!fjF%5ByW=Www;Out z6j-)X9On1HRJXvScPTS$du|8rHOTAjrGkaK^$f%L>k!J3Zr9Mw#2H!;Zw-XZc*$Ox z(oB7H;q}2@+Rg2y!iVho)-ADwaTeZa;ZKCv`D0)hHTH@+M%|;J>+Pp*>@OJIMX&jA zuu18<0||nd;W^;qbaxOS}C$x_D9*3ujym zDKLy$-8AL7ro9-dC&FS-n}b{3rHt<7VN{oJu&>@$b&2k3Mt6w%IL2OcMNr+QP+jja z;OeGd(__!wM|I^a*&Nz~T+Td>bDDBw?50q@Vw2Bn45!Q6lp}qL{c_#7uIH*%Ksm&R z=9-HA2A4(R4V{w{M>!s!W=byPOhwK+MS5?&YmUOX5(s6S{%9_)Nkea)imy3+@HE4$ z@I7Th#w!IIn^gqvi-z7R93AErV5-|-{#nWl+nz51Hx}}Gd+RhO@2?E!{neBs-D1&= z;Y`E2%_)wzf{+<6*;`W&D?OU{U~ld3_Ez+nCVQ)RwAnLlVg}Z*D!$`}Qo@Cu0smeJ zHrNr-X&1quY7wTtY?R-qOu85p#H-`7to4Dj#`-4k|0Q z5oWNJNj~b9&Kdl<4~Om`w+J;D&RzQLJFe1JuoCbgx3^QdoLUTLNE++2$uC!LhSUCD z%8@J6_A%s2V>mq@qa0ah^l5F%wZ25}44cm=oV-Bji<&!%VA4&UVLHC%?BaZe`G-A} z2^sUA+&2F;;1(M?!*tj^(;a3pFx7Q+v@&IeZO>xhz7Bc4ok6g0Q^b_&oa_2Yfo`v( zn~C!raArbgykuvX`jPteBCij2hB0nu5I(Xqi2H(GspGMPm7y`<=Bj}I0zcRt@WLVR zijr3}zIlY7QqeJHFrk{(q{Wd1hfq7)D~rJ`PQ@}k)XsDt4t5MZ6pGSN)_)PICdjBW z9@&P<*fYMfJ`&>iO%C!68CoIp9U$hlDD4kn+43}>TyXDU|C&JKRL z!VKr$T|PdBT;DRB)-xza)){>cn{w5SOwgW%^{k+9@&lncSB5Tz1!C$XGw?NM*Y{_b z2k)dzsCoYCTiyEscZs2s%z#cZ!(k2urn;`)E27M>?YRWF{UNWnlL!`el2Ht2$S0H| z-TI@OiSsvx^Wh7WLwpi>pDhe$>QKt@_$)Q~Y-cz>_o5u>v(&FXXBketMwCN*47si| zoF{ryj>l(!Dc8Lf^!0gnU4>H+2sIgaY{c!Z&#nyfg*lW784Ehpp7%a*N8Zl*>;+79 zeV*$^nPJ;=ByiW6^7dmmR)BJ(+d6bJaee^KD^L);qTO_~1!5#Xad};@*=d zT_t>0+beT)Mj93vzMI@V7La9DSsWg0c%FUzb!96$CLUhJQxASk>hKY<;xw!fXT^yB zR8UYL4!uGqUxI#EVeK*B7RcxQXbrt);y!+`VuF ztz$T&AE6wN&m~ixUrErL$oVYd1wWkSZQd%ud^ z3)~_@GnoYodzQmI08DjV?X60gVcW9^xceZl_plQz+$4t>PW=}tN4o7pHxp-AEMKMu;JisHombg ziL>HyyTQ*d@a7foqTvUFrGt=Kpobo(Lgm3$byOCFTcC|q^k5kid^mXPtOvuID8aB# z{ujZ*AfyI+UHOE?uJo#od%vnw*%YjERh@HCJvPM(k{sGm+yeDuIB)B>&#<~HRbF~w zRVS0rGYlthHZ8Qw)yXf{VumwY`H0+}cd~8Gmve&Q1~F`P!quC!;fTb$o)F8qzY(*FJ@>Jz>m2rX~8XAex2Y4v8|YtBlGNYa_XQp$vy zU;o#zwGRU~$FO>{VD)A>%&NdtS8t*OZYItg z;Hay2Wk(+$x_X7re_p+d7~9n^(@|t4(e|XWTHMrofioCp2rs$Up2|}0P-OK^it3?l 
zPj|0rwka7C(#AfIb8es7F@2|IjDqhfVuf=V=jB&S&N)%w?7brvV}*dztS~~G@tbWm z4)#FkGu`5{$TwrJ?7-fKoB<4HaT(=!cFL=C#*uSn2XboMQ&FqoBU>q_d@djt-YB>= z%=;BrGt4-aU-T<)4Y86=4RNd?FqXR7kE)Mk#IDSVg89O4rFyy+j+OT-a!MFZ;wtKF z&%5N18kTcf->dtqeUfry_SEGKbE4^-mUFr>oFYC~v|p~jFr59$TU+8o?g7eub~7An z4b3I%gFeGeb$+RCMePwOW^zKiCSz*;DAnEAj|*VX>NQD)fo3;-7&8G5>?%|f?Z4CncmC`Y;-MmH1Z#_uay z!yq$WvM&v8nL#RJt{BnWrjlY$83t!#4VSU}Zzq(HCdFui5R$}tb zVL0`_rQWjMHiz~DH~%jTCp&_2WF1Rj{_#%&d+S(=YZB|2&_K`C;b+Q`K0TRS$SFn6 zP=@oF(&vZ|&E;|yGMpo=j6S7IF5wfpU+)LGF$(ABKq#i|&Ev2JO#Pq?Uvu_uLSvmd zZZc&;#-Ho23GW8(2}3_9gPN5&%-XT4hs`itclSsnWhG zrYhaafGQm<|2lhlwO@EZuTrNbKAa@r=vBf3vv(r@zg1cR>C`oOGM}ci*TAie`fEPL zj}6!=wP{jOyF;&f-iL!#a^GLt)%IIU_9;CIMp11`-=?G3EC160F>P-x1lw=8IklSV zwre;0aFT%I+U8rhtHIVdr?zcd7)7<+u!xQ#Yr7C?i!0D$i=*U=mHZyVsr8f(Cz0oz zV>rE)dvjU645;2BlTQ)DIX0d3S>%_iOEbMbnabCOh>s!HaE8;4U&H8=Y0A~QmEQ9Y z?oo0T20||_$bT4iv*8@c$JXbbBTE_P=HF2!WGsyOuJkx?+wx-`|MP=tu}7wXgIbf}`jZ|f%T&nXc^_P!<&g*VEOGk1O*seOcj{TZ zox#oG{K-O}hwdWFSa49Y93RQnb86IgWp|sh6fvC0PkcD!eOq}=>bKE--f2!b_8Km` z8`jA*lTR~-lcPKhlIwPwU#?jU=i6i-A49HX4Cj+El;iQKrR0jlJ&F5hQainGTzFmK z6v3b3t)2A@PB!!nbc}TR#x`K8>#EBN$_(3{ zlYv_XdA<8xurTi~hSTdBMZNAbzB`q8Hb9(*-C7$N5B739}ao9mhW;pGMt%T zP>x-~adlwU-!%F3WH@O*P>#&?reCi845!jI${{|6TxS^0f+))I_~6qO@6vGV^I1o| z3#7cSaEb$=;+-|O;S%MaO65o6YtD{s)k$ZzZA_VvvH1JlN6rBELqivchP4pwFgpQL z-3ldzlo_@?KLqYs$m{I_f`#iUnc;L9MLE*#EV`LE?*OM4WX4N&f#eU=?_zj;unV+z zyMXYKT|j&!JYZZJoX7Bkl6x4*Wc?8o77!&5D3j}kZO~blJQp^GJs|$D0fp%tODJ~D zBuX?PAwkf%w8|=0wrT=VY-AA%$fnVliXkzLVnBhANT|Q_-kIgzcjxIOmofwMo$vha zd3WCQT*vMY(nN-cJ$ibqzg-_QWtRIxub70Vw9>F93o+rJ%M-+eUP7!A!bR(JS#ER5 z#l_R;U2SPSJ-5f=|7H~Z;7U)=bh)zJK+FXiX8SUkncIB2tgf+SKe**> zIeI2>W6VWhK8_l+*mLZ`8#0qU%fW45-EZ{ww}(TX{fI?wO&U(uF`2_|?c|n<^A$Kx z!-W?6Og0K-j^ty&XPoS_+9h0gd&ZJrxE4RH@J?z3Zx+koBtahpFX$Sb)?ycYYrX@= z0LLy!y~%<;fYqIt6_ml;xeq&WG?n0hRt1~^4FTY7847Eb`9vFy@l zWII$^=_1rn zBYnM9uECLZA=1sMA|3UyJ<@qC4jehsT)L#;N^K^)#v+{xysA0pu#D$OHzU#;iYDQ6 zX=_e`^8#wn;z;MMd)a|Qn&t6GO-@pzg=4`HZe(daTyB#}Ppo(^X}qsg%Jn$j8;G|9 
z-e;30Hty};;uW(&rN!RU?_1%(F~Gs`&!Z6Yj>Q}ECQ*7=bK8U>YRJ=9%SAZkj=ILu z0gyeXlkEbh22@%sTebJB1IGXdCx;?Sp?Wa43#uaxRiVIAJjLgptLX1X%twYuE4p@q z9-Zb@cSU1g+#pxAqAnePsIS8QjLv@LR7E4*2UL3#uZK5S{?$ zvgY_9R8URNXpf1~!jg+&4@|$)h5MeywBT3SlsC!Z7~mvKhthS-$AoIiSKKa*srx~> zf|Y65gG}k3AbAX^!cf{9_ja$ChX`nKrq6Z!=)j>dD2-=oa$sr>v6<=8Xg%K=c+6Kb z>jI%r#GHeBQA4p^30NCvvU|hJE$R$(D0&iqway&73PxOU=1WnGMc4 zikxS{`IIi_3p(dPva`f7z_B|ga!z(Ob51y4(m2Lcyg`a_vjE6Sxt=P^aNfx^_0BmYVb2sd6pOXCrcMg7ZmT&IO;?o%iKCa13zt zIa{Yi!Ws8LvU4$Nsm}FZ%e6S?Cggk|)oh#sNB#J?tT;;?nvKNAM;@I&d~Re}*I>Ym zxsN^OZjEvu<+Yfo@6fxkGCNH ztA&Xut+ueOTQ1GJ&{@}5mV*{f=vo-~nOB674K3b$wu3fw}`MvOppwTpv$!Bxu#kFq*>00wF&l{K<~ zwI7jm>_;g&`8KH&GRUVy#2)*8+`8$&F~CXehsoiqLhgijA-*4dt#9RSYd;VgRlf_> z)h@ogBv9LfxULwBO4qzG(2`$^JBF(5S4&)yCk8VMBU<32VLlydrtpn1}p!5-K6br;KA4t70)t%2WRU9dlE z{IZqb&vBnMW}pAl?+=aNmgbaxjj8 zx7!=_Pjuk)mkzf$XNZRLc2MSUU@e%qwW$Idq2YW!Qs!`9Yn}S4({R@NWRB$1U%!DX QG@SnXWKNP#t1jn%0cXRfrT_o{ literal 0 HcmV?d00001 
diff --git a/packages/endace/_dev/deploy/docker/pcaps/tls-version-13.pcap b/packages/endace/_dev/deploy/docker/pcaps/tls-version-13.pcap new file mode 100644 index 0000000000000000000000000000000000000000..ddbe348284465785a6c8df0c04af8be8b9cbb645 GIT binary patch literal 14332 zcmbum1yogA7x#S*-Q8W%DIuVAiZlXJ0sN=Yb!bST{&(h@2N64G5F-`-fS zaPRYt_r4CNLk{p;bN*+nwKj***0L-Z2pr_kA2HRoV42UA|f6)3yvnG)| z?`=Nv=G{PoNI@W?;9pUM37DprP`dYm-9;NX(ApG1DkI>FAtf#6=XwAJ1`fUg3JZ$> zg(9J#4>a5XKL-c%gRa7h0g(ef2JHv;#~K&(TV*B?h#LY+7DxtHfYxr{5No>g04o@0 z;;d4M_g&D9;b4$Z6eI6{1L?p@NTA;z0kSwi1?`I8JU{)$xa7AnK$Xmc~&@K~U3Vskrlm3xNgaj7|DDji12@(llp)mGP2#hr>EbM^eoSHR^ zee;+OTKK2yijR*_7_4Q2q%>*i2Cl`RL8$atGJHqGBr2Wnb92(d33q9!#;cv+zn;IT{fXLq^1Wb?hIx0pQ0%G zSpldRT(mtFtL#zG)ZPQs>5s^SzIMW*LpKsAu+M~AzoRwB9Y|rIS@JZ`scZ$ln$7cS z?t}ZnBj$RnrY;zAS1!T0kXlsLLumYn*?yM@URH5NN`B-NC0fV(L`)X`y^8pQaCu`6LAgr;XS$&i2Vgj>9W zPy-{lqNc}FMvbZJf$!uSrhyI#1r(kp828~a?8s1S=25X)rs>kYO#hnq_xEUmRo#;0 zp2?=ThUMf~y%0?G!H38)A5v9Tr^$wrKaOe5u};+#e!_#TlrDQ zijn%rK*MQ*L|iir2mw$Gpj{?Hk;*JVBJ;pM5{V$&ZM?sU;DFF1fQ5zl0!`)#3%mOM zk+HM8%i~zKDmxBYPnwQilP_{1`kNyMs9h>rl*IqPt$_=8!~A)&oDh@_o zOL*fDNS3Z((Ye#u98OOyrp$wR7tj0C5sLJ6puk{Y;qU+_pin~KUrE;(w_p#QXA06{ zq{aK2f$79|Uhs1c_%FWfIDenTi<^D}(FjpkygqUXtMzSk`17eIN%3pmj?*oBt#S(rI$t$%`~y52Qn~{Aj&7d2gn0JdlZm(ZiNAP z4A4NkLUjB=93S|5B>f~3Awgc^|0WuN#6KbPioLj}Lq$-HRa=}-H)_(ALW868CQ(L4 z0tL$m_v3xky;Jg#?k>6Ex5JGmnF3GVpTofqoL~O-$Qbkpls}iOw0iY>8iq;k8bgIKE*rq_5@X-_;qG2m4u|E zi5560J!72$S*iy*dd_tj`}(L8^$a>xMkm?e`9&EDTh+%sTJ)gj zX?kw2#LOb*R13Ty_K(evtKb4RW^SU0x;hOt++eoLpICVl@Uq6!xW0TJT~O@{5r(Jd zSF)lTXNZB5hR0}lA|YXE>bI5ptOgUR55U+bf!I^wAs2QzcKGlgu@6;UioN|;e#g46 z#Ex)6s3}NZy$t^+efdq zgzf~3-6haj7@|x`@cusX%!dC%TLZZ$8@#v&ruZ z-wpUw`1%xHGfz5Dp>@jAO57idI-vIf$40Uwo*`moyAAS=91G6^D`u@C>Jn6GabS{? 
zCU`gU72^lpHi686?yu}HJlL7ik-^H#&Dxb5ACMsJH@_WkT)SiZE>?%$g(b$BNQ`j8 zH=(GkuOmXqrqHya^4TC_{q9i7x%XUjZ-+qVz=yQQOE*UImHMNWZ}~e{z93Y3ck18C z(&N)QfnPvJd*Z&^p6;Ojl4{2ZzLTiCYOTmbe7V+O45inQZDwjoB9*%B}m7W0#F z8^wVA{I=nxfUVPwnMwn<;3h4W1_J@DBhg;Jf}Ri6nYVj7&^>Yp3F=woj%mB|luvDx zr#C3!cO)jGE9=UnpJlhug!5}`AEGOmOBz!LU&F((fsbu7SP

DaGSFx1o}VP1ZD; zQ%XSB%T?teh~N4^)MP3(8ZJ74pZ;pQvQ6##5WZVZyr@Q!t*v+;jJoUMIgC&P*=m!h z-*7N@Qj5vC8^r*|)D)D&l|{vUo{D&PAk^9vZx;n2UpkIWQlQQzYd%L$L}tv9u6RaY z_QXh^q`10<`E~rXp?2$OhH;49NE}gA_A+ui5t@(?8@-me-5ideWz0OM=Qt7TTGwn4 z6(d349saW+C;b)u;a_>j>?B_K>}fhQY~~wU3kQ@&12s+rl&H6 z9*7C^xt!EGm#7mWJ)<>Vpfbw|(+b;f`po&Y@r*_yanSE|W`43KLs4<9=nVfx`5}=- zQwba#|D0+F_l;J+WhqfpvYU$^na=wSU#NS`5q>>|90V z7A*OorL zfXzto50YNkgNfTX3VeHuX@OzyzLr&tvKifEcdAkE#x2H$Ah;0`?9a6Li_=8b&+s_r zt(w^G>X=PgkTX`jx9jGgus04JrE#7ZkZ?7T3B)Rpcbfk~@|2PAo=9->p8OJ)nUA6g zzjd6n@rzqXh#0qfo_r~iO$oBr!XGzSlxS9{{=A})^CoQ9ZMCtP#rx4KPYh`)A*e;x zSajJ=K|RTS=hh&VVAo!L5eJW4npA;p5DC)m`{Doi504!0_!Xim<9+m!H+ zXn9#lUS^ytBy{JyK_5=t(o&yobJV|`)|}?)fEK?X>Rg<1$mP2_Q|cgo_{K|wma4t$ z)zh3~OgZ=zmz?9oD6Efq8_Teb3u%5};#r+BAP2zF1hmVEhb;d*o@oD_c;>cWi5J}X zJMrN0q&Q7HZe9BRJ*qM^Q+Q*cQV2_w{s%1x(P z>}`Lq>wLY5FhD50l!IkXt)=UCG9yQebnGy0nOQrpB9<3NIO$>9EpA!q<E%sZHw zuNL_1Xs_V&yVs+YXLDIFw`!Jx%uyrn$UKGOe-0zEB_ok8w?7yQkAyMEejU|MU`~DR zom`C)EAX;Ec#+bH>OP+tE4S(cZKp7H{2WYBg_T4Mh%*f2!Y&`zVIGwM2S+yqriXtY z*FBI^1Zhcqf#Z7mzz-FG0~$VXTsHz#fNmey^Jx#vHGL^NVMGX_@RulzFzZLXON1(5 zB}~2AiOJWG`P_!CY9_kB*l1be-m9?#SP=pwpYWJB9?#6h1Fp-*OB<=N>{ix=87;Qv zGWnDB;$U(1_D-bdOu>UIxR@<2`1ir2A*sDsc4ZBJ_r1@bqP+ zzWdtV>r~PtHqr0$b`8hTjaI+;xmt&i!F%xM`}9%@lLai4bM{O=uKnmm?enb3y^V*G zaXGe|L!o!nzJ8{om|y5cK#Bf+L87hfhE3cW6KhyOdPN0mBcmOXMl{)q(6Z?-(sIJk zllnDs#c$$w#;6Gjvg64lvtB&!$4(qdAeOp2!ZM|W%6y6_u!0pdzNx!Zz-0_)?6P#n zT70)4M*(M)82@$Jpy5WxKm=I=sRSN7s&82!v?y0~O8Z-ZNnWt%bMw4I;vs6E(?pX) zHG}zU>&LAP>1Qpz6hRY3>8KM=TC))x4Cf+t-tj*9a;M63xI{5NRhTVUsD_dWH8plY zc|un0Be6BNVv1xU%OH(zV|04{X+pbL0B5s3Qr8oAG-|74Y3vS-s&O51{s4|vG^M(m zoZM%EY^82IVC@T}G0rkmG+_A0okO(IOK~PkidM6PU;7$4q|UFKUxQPXddp)zw1OHm zGM_}{5b$*4l>-)5b|v$JO|S}8lm73oLoBYunqES_Scr$xs)6|#SaKm>*W5@D+TC(-qSn0S@Q;tCK6u2IoR^pL#>k>`7CJ&WAkXs^Tqjd~+QCnl)m6C-3nm|nJ=i#YBX zYy!)<=IPiJ_gR@f+|GNgjEN^vypC9C?}1lP;$tlIS4WBC#|vmiWE$`88*+XKdvr!8 z$d0=+AmF?5#=bCes{H-yTlWr3P{JqQ@UmJNHRa&12WU~j z&%$bZmN|I$n>a&4D(lDRqO-U#j30HAF(X#!97P6-=OyZ=(&TA-lRDfOI|}LP-Bb*Y 
z*g22vm7}*}yeXt!-0)azTur0R0JF=E=&gyJX@0CrxtMgOcv`U9YvrK8?Cl7T6{ue4 z=Vh@Cj0wj+%xzvFtS9`VO#BvwieHPp5<~QJ>GT<<8U>MZeY^N1Nv*(zKr?}zIOR5@~Qb!q^ zOg`s1|7L&Fm(<%eF?mBYI5xOj!h2WX$D%7nzSuiXcmp zFHmHX`&Wt#((N09FSBZd>p}ZYR;kR&Vc$_m{*_oAJn7I!bD7ucN9_ZOfw(X0BJQ?Q zJYSySUa%t%RaALE?P0Dox-Ff!5Y<1NpxDHsRz{c{iJz?aDgX(c4QE9C-Wj#5tG4rW z`&(>uq~<&&!9qql_daH?UMWDsb8h66x zieS4lQ}>T4-#+0sTkhGzN%BoqVbZ)V`QR}ue_}c6QEFJ6dL(1QQY~(w=-C;iN1BQ^ z*{AtHPf(v3K%bj{HlSV6hpjB~LZ2sp>*EVd&ma1DT3yv=?_tT#to3bAI!8ac^*!al z67T-oYn}VDl>z(`s@L^jDsMMzupX>E+EZ3YiE<7V&*WjHn7Cz2u8*&6B#e%e%--LO zwOlVbndeMhvT3)-p{(oex7|m-(o1rWsGmcxwl{T}*(A(hbBubqV|bXW%74y4FycOP zi1{l{!t((_VxyIh`++$}4Si6U)hv{+PQnf!;LlMA8mx(Kwe|COi*5I4nguM%M>|0M9r z#;)`8=(2R_=mKo)etN#Z(ItZ6Zz6b-pjpo{{EUuhW2Eb>WUV>bfYGYHO8*2KL6()g z^mN5tO{n8YiU!&8=UQ8{jxDn}2foCa`jm6iUnFpxZ1Fo~4_vGW5O z#1Uv|&@P7pefaZoJ##6PhF_ty{1#_Y45R{~K-mgOUo7Jpe%6v_GGvCXQv1{@BGJhS zqP|)uM{RwS-^_<@nlGFZ?P~U%80n2F5wD!wK<{|v0Fo4j5sRMbss}>l3yW4`>vKA*H$R;2F?ibC-tMti zXbf7t-(7>InaH+*)vL^oo$(U8xyFRN%Q#pK%z`8?hYGTBcAUlLGbtlq7QuS!Rg~n9qp6cw{vu-&yuW}J+Q>x zyS}L*3`yiQW3oLFo-|+%)`1+X0s4b>B?mtr!;f8h49~jtD+hzyzsl)P z4sy@$vG#E!ex(sGEl|A;`_j&j#i;FJ-_GtGm*Q(HQx14m)mYDazK)#a+tIG$Y#gTM zRIQ@o>+LGxl+6)gL4D#+_m$bgxoU%1yi{0T=FUr`atM`#D2u8@q9ygI zdJ8VN@t4}?bXGr}M{K3db7q@g{e5RK(tvtkSlq7EQPZYey;i z!BmtQ2did`ZJG@K17N3ZeE-THqWp}SSzF~hJ*;U+I84lFRW<+i7DkVDbBkCXbvm}2qIT@{;u1CXKr~aI$6qFv1nA|Lda2)* zx>}U=mD?~w&fqbZ_=DHw@tdsz@g*e;vNFHU;Sks{o&?763SsTn9>!rR`ZoI+)n-|1 zCuy<{2RQM-e@r)((tZ`eJF*epakXQCE5iYeDp&pTf? 
zxNC1i#;NA1>v59couawP%`xu#eZ`Q?5X3eIM+rxk!#;@$@zQkj~bm z6>^x+SxX*QJS`@(7nu9vk7y7K;9LvZ<=g`=K}3NcGmVM=-GA(=i$5L4R`J zX|qj2VRj~87%7WjpjH5@JNhi{T$iT~>dTLhrqwC4i<4*F2b<^H2{%k{p zTP*n)`g_Z=dG0l z^)!d(?nrvNRv46`6gNg>A>N}b(Y!`E9=;&72tTT*K=Z+guyf84-UrqMX}oO-Pzto2O-*CzKK*qQhOt-{0vOGuWSm=NUX9&+VU#*~%#w z7#!DQbE*);^TuA;GR93qOG}GYwuQ0<$kD{n}_>L5i%|Gi;f zo%iij;Jhc=xH|7yw}5$1g&qHE-n%2A4@`=IM2G)Pq`n}oUnR1q0z?+f-}k*gL?_h$ z=_AbraqTLR^C3Xw!$7*~qmu(VL;#qDpk0m{%F@mX5(!uTkw^sPv-bNRF;W*hhS{+}zV@EnM>@Dd%pN z&Rd}bopr;v+Sgv~Oh=@9n_H`P?h5a>jqu>OMPV79_YsdBkOn{fXpx|RAW%RccSjhW z=pm_(Xn<=ofA3;O%Q?ew#&Q|;8A6aQJTmL~NEy1Y{1K5;MTl?XsPhwuB+mRT%KXF~ zp6%-K;O_~@+@gaN#R*a|XmOc4IlAbH#JHV?pVJGcpUO$;XT}GQJlzmh!f5mtU)>eH zFR7O2ys$-!T9LmeiHK=9J6uCL$dUWWWS{o=`bUhmZ`>HhV6tNYA+-S!LAxTPd^_8P zkllX^`S@;%AdnhBNN?ahMn5jj?!SbD;y#XszNa=-7$8b@!BKjZoH0458QX%Y74TqXbJ-*On2?CZ^=`~!QP1*xrX()vhulg|O-Sn~?3n#nkJ-fN z-DVJ

)4s(LWr^|MGb=-t0a`(yPHS>cfdzD>2NHryX~M?iyNEuQ&-M7Vq%|?M&n+ zlqT$(DY8EJ{hft~95selPw2GM1fCkM0RE(<#~plEQ0W;!X>nj& zgLZk0|J%C-I3E&gKE4Z_F~1?8{7@PwS5w7EcUq80;rQQ({+0mo5bp3QQ3@cM1O9<_ zxf&q4?d%tg`sVLy@VER`4P5+JssTd#jkc6#@%;6}M|T+MVPCc#ayo|b4GUYJ?X|yX zBE(M(6&O+jV^IfI{`U({JI6n+9RF)&1;eW=)7*^Znbx(AG^Sax_mK?95nXwzM{T97 z_s((Fj*g1b^Sym=W8o?z9$U?RW-LJBzw~t!NuCXI$MWQCsMiN%($A6*U8bsq6x%K(sYVbUY z-(l*^V#_v08>}mF;BwE(S-8o}T?RvB^jz7Sp`ojOMN`ZKUl3U{h>`q|UE^MEOvA!G zR*o%m5bf3%zM0ibafr0=OdGBd)b%r<>pq|RF$EmNqlGsnkJ9*O==RGj|{c-}BCd&XLb! zZO+r)CGTM1)Jq-tg&BN6mv2o})? z{Ko@g)ckcQ=bUs3C7tdQDMeXY2CGhF&V)?%KYwLw7sa12(Lw4~L&o^nEMf58jfi*` z&AMHFG>v;hjq=Ymznu{CxF9T>&A=Mkjl;q{ASiF2)9}NesUzWKw#IrSHLJV8^6Z`+ zo1NK--vp-M?bj?<)*wyoHd z5|$bCAguQ3b$6Rm6Exh93ODAGJWer>-WxqL?4Uv|ZbJ;F;LGE@Dbmw-@^!QQ*Q`?x8A-(?7EaLRc3#u?%RHshY64=Kk3KI6UnXduZ;*! ztA*cL#jAz|BEy5;4i9`{4U07dn&IZ00);CLT}WeO+heGHt0BjZTaG z>c5Aq(lHa`%3ai-iIEc|?jP{txk++G`aFh3)5+N>E7jTyE$wWuIM#r-PX0Q7T%F}> zsNgK$fw?-%x#ECXE*ducYnHz?KnJETNF2iZpG33^BJ?VeTN)tV3B|igLwz(G4VmTj#dq zuIvV(U%@r`CK{GrUslXf&%nei%%s-RIYIAFrtk*+Mj92sb3UMJW*ySI$>m$7K8I#Uj-f4Tno0oP+3~-rzao!XQ-F>8l zB=CyaHLgsqR#DIDP5_=^;JI-N`fPb82LAPq5l9#_@sbY4DArT`VNZ!kK7_RogQSPv z{aVG7^tD=La3=(7eiGg09K+6IH64*(TAuO_`o1LW>RAPIy$9$x1!xG`6&?H5XfJeB z{aeR?(iA};Gk}g?s;=k=jeGI3nk8+mmHXtr%SU`{AA7yEHL|X=rns|$Jl|eDXS#;T zaPxGAG$J#fUE>U4#q3a*l1X(fh=Iwdh)y=If zH){Kyw!0$|HC{+vn&ohj+N$GK@+564f?0Fh(}Ae!@U|JB4vR=qlB(S&Nu95Wv?4~k zv9zsbtnW6F+#27X45~<^V~x>?cczSe%1kzlOR{esodPpMIA!2YAn_ouzII<_EbCxX zh`c9b7WU4Z_k*$Rn4qT-ceJ|)3V4h+|?ajAu9-O%vLupgtusspVE(erJ7PgF%@McI%O=l7-GPfkoD0 zrs9ZIZf1;LSo{1=JYC57b;B&TiqHtVU}rUQb>x}2?1RH}qdj$QQI3fcUapfJ{TWdh z*~wr6x%^~qFw?hO|McMHP2}J1DZJRkngONYJ;fLJ6_1O<<{;5)#mKjAATjr!&y8h@gSJl5kE|iA5{rn&m*%oP~u=NBG4uhTvBc%Bfwy_UQI>u;0#D|+f(t!)tur_ay zxIyB*(?q|b#JTr%^c0lnj0905Or!ZDH>xrl*;5lnpNy6ulySU%#HC0m%lGlIP7zH4 zPm^hiw$|ap8lPL1TyV_N?(KZH^yv)@rM7YEsb5nC(TIQvngZnf_siGXHBip&=D(Z! 
ziS#cypG*C2?%#6KxN6K(Cw5>feo_}K4Mv$3G!?TkoCwOpQrky8e=AsT=d=wj40Zc& zwe|$qK@hjSrv9omcaTW^Ux`*1#PX}eZI3_VTeJLwe zKvwv{%`kxIcUD4xB7Y6h2c9Iq{12h<{|Y4lc<;!M);`$;TIXUjr1=v1l~bfPcDABT zlumKt3zHsQR0*$dxcl* KkB|TF#QzUy%XSk0 literal 0 HcmV?d00001 diff --git a/packages/endace/_dev/deploy/docker/sample_logs/ipfix_cisco.pcap b/packages/endace/_dev/deploy/docker/sample_logs/ipfix_cisco.pcap new file mode 100644 index 0000000000000000000000000000000000000000..365e936d2eaafff8cf623af4de2aadbb55575265 GIT binary patch literal 4358 zcmb_eZ){XW5TAX$yIx;8q*7YIioH_APz*t9DlH{7M&cjDYS0R`AfXQ=pz#AjqGBS7 zAtVYh(P$*(4x0u|q==v*jT*{n#R3uOw~B_uKn2AZ4B8m+_j_;mZt1nPgida5W@l!1 z=grK{?um{)Nk>AGfsiN+$`{l$-qYsD;js89kKh%D(;qL;s%WI9u%nKhdd^sZZq~fYE_>W0E zacCZJF$N6j2!eA=FBZ1F*hS%BUMzxcguMu-v=kC&?7!xO|%EB#x70mShR83fnsqdym$*bGb?L*EnqzkAJoorZTx`k#cm1* z^5SWDu@$=i^Fl8=T%sP)mSJRM_MSfHA!I}ypfDyX)juOS@x))(LTA2pJovYP@YshX z_&2(x;A6lja2v20sCDH(fG2P*KyFPyrNEBGhZGJJi?zedh+cHKKB_q+za(7F7oG)meB^4=>b^)xHRI_Bm#Z@R=Ly z>92^nN4!Z5eHZr)nc+9%iPSXfyU$zv(5yN!7Y3#>m~jGY)CR{r?oF=ieRqi!i|k&! z4YA-UHZa{V{pgj(%GfLS=;?{8ihgR2NRO#@mGT$2sy!#3tSy1i%$ftX9b?mfUbpx+ z!1EM9$A#2Q;B_pDzW`6r=QDz{>q9Iye?t#y176e~|Cl0nL0^@*qdVpz7Tnc%;p?yd z&%LPEi12*4-tx+bJm1|yA@%jyNKFMY8@WJci#^D)i#>=jfqIgM11kB&E6>hFMm%I>|0xOw%E%eS;v{s& z3qAR2N%WXrA=kc_-lGuTQ12@OSY<$yt60(g3h7AX)#$lPrZ67`-_o>9O1C-PS#J zM=dfER2QqPe@6a@C%!T>x!^~GY-3g(M4c8JyEMg1u;_`3Z!cMOk#+7<5!^~V&jtpI zh0)v8enA?!+1-poIPPKBN~>l%qO%8qI37 ziv#Ui(NXrJO&xFaTY(iByGj$!0>}W9@oM&AEc->%_E*+f8OeGTr)I~Kb9mn~&xAE_ rh`qo(YuN|zvh{DNYS5iPe79N!oCjXpJ=G1Ku+jg|+47=KMb7;P4K$O_ literal 0 HcmV?d00001 diff --git a/packages/endace/changelog.yml b/packages/endace/changelog.yml new file mode 100644 index 00000000000..fe168b1461e --- /dev/null +++ b/packages/endace/changelog.yml 
@@ -0,0 +1,16 @@
+# newer versions go on top
+- version: "0.0.4"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link
+- version: "0.0.3"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link
+- version: "0.0.1"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link
diff --git a/packages/endace/data_stream/flow/_dev/test/system/test-http-get-2k-file-config.yml b/packages/endace/data_stream/flow/_dev/test/system/test-http-get-2k-file-config.yml
new file mode 100644
index 00000000000..7d40f8b2d97
--- /dev/null
+++ b/packages/endace/data_stream/flow/_dev/test/system/test-http-get-2k-file-config.yml
@@ -0,0 +1,6 @@
+vars:
+ interface: "{{SERVICE_LOGS_DIR}}/http_get_2k_file.pcap"
+input: packet
+data_stream:
+ vars:
+ period: '-1s'
diff --git a/packages/endace/data_stream/flow/_dev/test/system/test-icmp-2-pings-config.yml b/packages/endace/data_stream/flow/_dev/test/system/test-icmp-2-pings-config.yml
new file mode 100644
index 00000000000..d185b5ac134
--- /dev/null
+++ b/packages/endace/data_stream/flow/_dev/test/system/test-icmp-2-pings-config.yml
@@ -0,0 +1,7 @@
+vars:
+ interface: "{{SERVICE_LOGS_DIR}}/icmp_2_pings.pcap"
+input: packet
+data_stream:
+ vars:
+ timeout: '5s'
+ period: '-1s'
diff --git a/packages/endace/data_stream/flow/_dev/test/system/test-icmp4-ping-config.yml b/packages/endace/data_stream/flow/_dev/test/system/test-icmp4-ping-config.yml
new file mode 100644
index 00000000000..af1d6962cbc
--- /dev/null
+++ b/packages/endace/data_stream/flow/_dev/test/system/test-icmp4-ping-config.yml
@@ -0,0 +1,6 @@
+vars:
+ interface: "{{SERVICE_LOGS_DIR}}/icmp4_ping.pcap"
+input: packet
+data_stream:
+ vars:
+ period: '1s'
diff --git a/packages/endace/data_stream/flow/_dev/test/system/test-icmp6-ping-config.yml b/packages/endace/data_stream/flow/_dev/test/system/test-icmp6-ping-config.yml
new file mode 100644
index 00000000000..4b6304198e4
--- /dev/null
+++ b/packages/endace/data_stream/flow/_dev/test/system/test-icmp6-ping-config.yml
@@ -0,0 +1,6 @@
+vars:
+ interface: "{{SERVICE_LOGS_DIR}}/icmp6_ping.pcap"
+input: packet
+data_stream:
+ vars:
+ period: '1s'
diff --git a/packages/endace/data_stream/flow/agent/stream/flow.yml.hbs b/packages/endace/data_stream/flow/agent/stream/flow.yml.hbs
new file mode 100644
index 00000000000..58d32879557
--- /dev/null
+++ b/packages/endace/data_stream/flow/agent/stream/flow.yml.hbs
@@ -0,0 +1,42 @@
+type: flow
+{{#if timeout}}
+timeout: '{{timeout}}'
+{{/if}}
+{{#if period}}
+period: '{{period}}'
+{{/if}}
+fields_under_root: true
+fields:
+ _conf:
+ geoip_enrich: {{geoip_enrich}}
+ map_to_ecs: {{map_to_ecs}}
+ endace_url: {{ endace_url }}
+{{#if tags}}
+tags:
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{/if}}
+processors:
+{{#contains "forwarded" tags}}
+- add_observer_metadata: ~
+{{else}}
+- add_host_metadata: ~
+{{/contains}}
+{{processors}}
+{{#if monitor_processes}}
+procs:
+ enabled: true
+{{/if}}
+{{#if interface}}
+interface:
+{{#if (contains ".pcap" interface)}}
+ file: {{interface}}
+{{else}}
+ device: {{interface}}
+{{/if}}
+{{/if}}
+{{#if never_install}}
+npcap:
+ never_install: true
+{{/if}}
diff --git a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/compatibility.yml b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/compatibility.yml
new file mode 100644
index 00000000000..c85edad3b01
--- /dev/null
+++ b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/compatibility.yml
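Review bot: `endace_url: {{ endace_url }}` is emitted unquoted into the generated YAML stream config, so a value containing `: `, ` #` or a leading special character changes the structure of the config rather than being carried as a string, while the sibling `timeout`/`period` values on this same template are quoted. Quote it, `endace_url: "{{ endace_url }}"`, and, since the other two `_conf` keys are booleans with a manifest default, consider only emitting it when set: `{{#if endace_url}}endace_url: "{{ endace_url }}"{{/if}}`. Note that `endace_url` is not among the vars declared in this data stream's manifest later in the patch (geoip_enrich, monitor_processes, period, timeout, processors, tags, map_to_ecs), so unless it is declared at package level the key renders empty. Everything placed under `fields._conf` is shipped with each event and is only stripped at the very end of the default pipeline.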
@@ -0,0 +1,32 @@
+---
+description: ECS compatibility layer pipeline.
+processors:
+ - rename:
+ field: flow
+ target_field: network_traffic.flow
+ ignore_missing: true
+ - rename:
+ # Retained for legacy dashboard behaviour.
+ field: status
+ target_field: network_traffic.status
+ ignore_missing: true
+ - rename:
+ field: process.ppid
+ target_field: process.parent.pid
+ ignore_missing: true
+ # Remove packetbeat fields that are handled by agent or fleet.
+ - remove:
+ field: type
+ ignore_missing: true
+ - remove:
+ field: event.dataset
+ ignore_missing: true
+
+on_failure:
+ - append:
+ field: error.message
+ value: |-
+ Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}"
+ - set:
+ field: event.kind
+ value: pipeline_error
diff --git a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..212ffb757ce
--- /dev/null
+++ b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,101 @@ +--- +description: Pipeline for processing traffic flows +processors: +- set: + field: ecs.version + value: '8.11.0' + +# ECS compatibility pipeline +- pipeline: + if: ctx._conf?.map_to_ecs != null && ctx._conf.map_to_ecs + name: '{{ IngestPipeline "compatibility" }}' + tag: compatibility_pipeline_processor + +## +# Set {host,source,destination}.mac to dash separated upper case value +# as per ECS recommendation +## +- gsub: + field: host.mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true + tag: gsub_host_mac +- gsub: + field: host.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true + tag: gsub_host_mac +- uppercase: + field: host.mac + ignore_missing: true +- append: + field: related.hosts + value: "{{{observer.hostname}}}" + if: ctx.observer?.hostname != null && ctx.observer?.hostname != '' + allow_duplicates: false +- foreach: + if: ctx.observer?.ip != null && ctx.observer.ip instanceof List + tag: foreach_observer_ip + field: observer.ip + processor: + append: + field: related.ip + value: '{{{_ingest._value}}}' + allow_duplicates: false +- remove: + if: ctx.host != null && ctx.tags != null && ctx.tags.contains('forwarded') + field: host +- gsub: + field: source.mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true + tag: gsub_source_mac +- gsub: + field: source.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true + tag: gsub_source_mac +- uppercase: + field: source.mac + ignore_missing: true +- gsub: + field: destination.mac + pattern: '[-:.]' + replacement: '' + ignore_missing: true + tag: gsub_destination_mac +- gsub: + field: destination.mac + pattern: '(..)(?!$)' + replacement: '$1-' + ignore_missing: true + tag: gsub_destination_mac +- uppercase: + field: destination.mac + ignore_missing: true + +- pipeline: + if: ctx._conf?.geoip_enrich != null && ctx._conf.geoip_enrich + name: '{{ IngestPipeline "geoip" }}' + tag: pipeline_processor + +- pipeline: + name: '{{ IngestPipeline 
"endace" }}' + tag: pipeline_processor + +- remove: + field: _conf + ignore_missing: true + +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error diff --git a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/geoip.yml b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/geoip.yml new file mode 100644 index 00000000000..eb88d38caf0 --- /dev/null +++ b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/geoip.yml 
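Review bot: `_conf` is removed only by the final processor of the main chain, so any failure earlier in this pipeline (or in the nested compatibility, geoip or endace pipelines) drops into `on_failure` and the document is indexed with `_conf.endace_url`, `_conf.geoip_enrich` and `_conf.map_to_ecs` still attached next to `event.kind: pipeline_error`. Add the same `- remove:` / `field: _conf` / `ignore_missing: true` step to the `on_failure` list so the control fields never reach the index on either path. The two `append` processors, the `uppercase` processors and the forwarded-`host` `remove` carry no `tag`, so the failure message records `with tag ""` and cannot say which of them failed; the MAC `gsub` steps already follow the tagging convention. The `{{ IngestPipeline "endace" }}` reference is to a file not in this chunk of the patch; installation fails if it does not exist.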
@@ -0,0 +1,103 @@ +--- +description: GeoIP enrichment. +processors: + - geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + tag: source_geo + - geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + tag: source_geo + - rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true + - rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true + + - geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + tag: destination_geo + - geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + tag: destination_geo + - rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true + - rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true + + - geoip: + field: server.ip + target_field: server.geo + ignore_missing: true + tag: server_geo + - geoip: + database_file: GeoLite2-ASN.mmdb + field: server.ip + target_field: server.as + properties: + - asn + - organization_name + ignore_missing: true + tag: server_geo + - rename: + field: server.as.asn + target_field: server.as.number + ignore_missing: true + - rename: + field: server.as.organization_name + target_field: server.as.organization.name + ignore_missing: true + + - geoip: + field: client.ip + target_field: client.geo + ignore_missing: true + tag: client_geo + - geoip: + database_file: GeoLite2-ASN.mmdb + field: client.ip + target_field: client.as + properties: + - asn + - organization_name + ignore_missing: true + tag: client_geo + - rename: + field: client.as.asn + target_field: client.as.number + ignore_missing: true + - rename: + field: client.as.organization_name + target_field: 
client.as.organization.name + ignore_missing: true + +on_failure: + - append: + field: error.message + value: |- + Processor "{{ _ingest.on_failure_processor_type }}" with tag "{{ _ingest.on_failure_processor_tag }}" in pipeline "{{ _ingest.on_failure_pipeline }}" failed with message "{{ _ingest.on_failure_message }}" + - set: + field: event.kind + value: pipeline_error diff --git a/packages/endace/data_stream/flow/fields/agent.yml b/packages/endace/data_stream/flow/fields/agent.yml new file mode 100644 index 00000000000..a55e9f71b3e --- /dev/null +++ b/packages/endace/data_stream/flow/fields/agent.yml 
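Review bot: The `on_failure` message in this pipeline uses double-mustache `{{ _ingest.on_failure_message }}` whereas compatibility.yml and default.yml use triple-mustache `{{{ ... }}}`; double braces HTML-escape the interpolated value, so a failure message containing quotes or angle brackets is recorded in escaped form and the three pipelines report the same error differently. Change the four placeholders on the `value: |-` line to `{{{ _ingest.on_failure_processor_type }}}`, `{{{ _ingest.on_failure_processor_tag }}}`, `{{{ _ingest.on_failure_pipeline }}}` and `{{{ _ingest.on_failure_message }}}`. Each endpoint's city and ASN lookups also share one tag (`source_geo` twice, `destination_geo` twice, and so on), so a failure cannot be attributed to the GeoLite2-City or GeoLite2-ASN database; use `source_as`, `destination_as`, `server_as` and `client_as` for the second processor of each pair.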
@@ -0,0 +1,196 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. + + These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. + + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. + + It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. + + As hostname is not always unique, use values that are meaningful in your environment. + + Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. + + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. + + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + 
diff --git a/packages/endace/data_stream/flow/fields/base.yml b/packages/endace/data_stream/flow/fields/base.yml new file mode 100644 index 00000000000..0d1791ffed6 --- /dev/null +++ b/packages/endace/data_stream/flow/fields/base.yml @@ -0,0 +1,12 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: "@timestamp" + type: date + description: Event timestamp. diff --git a/packages/endace/data_stream/flow/fields/beats.yml b/packages/endace/data_stream/flow/fields/beats.yml new file mode 100644 index 00000000000..a7cc3bab23d --- /dev/null +++ b/packages/endace/data_stream/flow/fields/beats.yml 
@@ -0,0 +1,95 @@ +- name: request + type: text + description: > + For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: response + type: text + description: > + For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. + +- name: query + type: keyword + description: > + The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. + +- name: params + type: text + description: > + The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. + +- name: status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + +- name: method + type: keyword + description: > + The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). + +- name: resource + type: keyword + description: > + The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. + +- name: path + type: keyword + description: > + The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. + +- name: type + type: keyword + description: > + The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. 
+ +- name: server.process.name + type: keyword + description: > + The name of the process that served the transaction. + +- name: server.process.args + type: keyword + description: > + The command-line of the process that served the transaction. + +- name: server.process.executable + type: keyword + description: > + Absolute path to the server process executable. + +- name: server.process.working_directory + type: keyword + description: > + The working directory of the server process. + +- name: server.process.start + type: date + description: > + The time the server process started. + +- name: client.process.name + type: keyword + description: > + The name of the process that initiated the transaction. + +- name: client.process.args + type: keyword + description: > + The command-line of the process that initiated the transaction. + +- name: client.process.executable + type: keyword + description: > + Absolute path to the client process executable. + +- name: client.process.working_directory + type: keyword + description: > + The working directory of the client process. + +- name: client.process.start + type: date + description: > + The time the client process started. + diff --git a/packages/endace/data_stream/flow/fields/ecs.yml b/packages/endace/data_stream/flow/fields/ecs.yml new file mode 100644 index 00000000000..7b52299ab76 --- /dev/null +++ b/packages/endace/data_stream/flow/fields/ecs.yml 
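Review bot: The description of `response` ends with "this is our representation of the request", a copy of the `request` text; it should read `For binary protocols this is our representation of the response.` The transaction-level mappings in this file (`request`, `response`, `query`, `params`, `status`, `method`, `resource`, `path`) and the `client.process.*`/`server.process.*` fields appear to come from the network_traffic transaction streams, and the flow sample event later in this patch carries none of them, so if the flow type never populates them they can be dropped rather than mapped. If they are kept, `request` and `params` are documented as carrying raw application-layer data and POST/GET parameters, which can include credentials, and the README should say so where it describes what the data stream indexes.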
@@ -0,0 +1,144 @@ +- external: ecs + name: client.bytes +- external: ecs + name: client.ip +- external: ecs + name: client.port +- external: ecs + name: destination.bytes +- external: ecs + name: destination.ip +- external: ecs + name: destination.mac +- external: ecs + name: destination.packets +- external: ecs + name: destination.port +- external: ecs + name: ecs.version +- external: ecs + name: event.category +- external: ecs + name: event.dataset +- external: ecs + name: event.duration +- external: ecs + name: event.end +- external: ecs + name: event.kind +- external: ecs + name: event.start +- external: ecs + name: event.type +- external: ecs + name: network.bytes +- external: ecs + name: network.community_id +- external: ecs + name: network.direction +- external: ecs + name: network.forwarded_ip +- external: ecs + name: network.protocol +- external: ecs + name: network.packets +- external: ecs + name: network.transport +- external: ecs + name: network.type +- external: ecs + name: observer.hostname +- external: ecs + name: observer.ip +- external: ecs + name: observer.mac +- external: ecs + name: observer.name +- external: ecs + name: process.name +- external: ecs + name: process.args +- external: ecs + name: process.executable +- external: ecs + name: process.working_directory +- external: ecs + name: process.start +- external: ecs + name: related.hosts +- external: ecs + name: related.ip +- external: ecs + name: server.bytes +- external: ecs + name: server.ip +- external: ecs + name: server.port +- external: ecs + name: source.bytes +- external: ecs + name: source.ip +- external: ecs + name: source.mac +- external: ecs + name: source.port +- external: ecs + name: source.packets +- external: ecs + name: client.geo.city_name +- external: ecs + name: client.geo.continent_name +- external: ecs + name: client.geo.country_iso_code +- external: ecs + name: client.geo.country_name +- external: ecs + name: client.geo.location +- external: ecs + name: 
client.geo.region_iso_code +- external: ecs + name: client.geo.region_name +- external: ecs + name: destination.geo.city_name +- external: ecs + name: destination.geo.continent_name +- external: ecs + name: destination.geo.country_iso_code +- external: ecs + name: destination.geo.country_name +- external: ecs + name: destination.geo.location +- external: ecs + name: destination.geo.region_iso_code +- external: ecs + name: destination.geo.region_name +- external: ecs + name: server.geo.city_name +- external: ecs + name: server.geo.continent_name +- external: ecs + name: server.geo.country_iso_code +- external: ecs + name: server.geo.country_name +- external: ecs + name: server.geo.location +- external: ecs + name: server.geo.region_iso_code +- external: ecs + name: server.geo.region_name +- external: ecs + name: source.geo.city_name +- external: ecs + name: source.geo.continent_name +- external: ecs + name: source.geo.country_iso_code +- external: ecs + name: source.geo.country_name +- external: ecs + name: source.geo.location +- external: ecs + name: source.geo.region_iso_code +- external: ecs + name: source.geo.region_name +- external: ecs + name: tags diff --git a/packages/endace/data_stream/flow/fields/protocol.yml b/packages/endace/data_stream/flow/fields/protocol.yml new file mode 100644 index 00000000000..ba73291c152 --- /dev/null +++ b/packages/endace/data_stream/flow/fields/protocol.yml @@ -0,0 +1,15 @@ +- name: flow.final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. + +- name: flow.id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + +- name: flow.vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + 
diff --git a/packages/endace/data_stream/flow/fields/protocol_ecs.yml b/packages/endace/data_stream/flow/fields/protocol_ecs.yml new file mode 100644 index 00000000000..99e3f417fcd --- /dev/null +++ b/packages/endace/data_stream/flow/fields/protocol_ecs.yml @@ -0,0 +1,23 @@ +- name: network_traffic.flow + type: group + fields: + - name: final + type: boolean + description: > + Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. + + - name: id + type: keyword + description: > + Internal flow ID based on connection meta data and address. + + - name: vlan + type: long + description: > + VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. + +- name: network_traffic.status + type: keyword + description: > + The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. + diff --git a/packages/endace/data_stream/flow/manifest.yml b/packages/endace/data_stream/flow/manifest.yml new file mode 100644 index 00000000000..ed73beef964 --- /dev/null +++ b/packages/endace/data_stream/flow/manifest.yml 
@@ -0,0 +1,67 @@ +title: Flows +type: logs +streams: + - input: packet + title: Flows + description: Track Network Flows + template_path: flow.yml.hbs + vars: + - name: geoip_enrich + required: true + show_user: true + title: GeoIP enrich IP addresses + description: Perform GeoIP enrichment on IP addresses in events. + type: bool + multi: false + default: true + - name: monitor_processes + type: bool + title: Monitor Processes + description: |- + If this option is enabled then network traffic events will be enriched + with information about the process associated with the events. + show_user: true + multi: false + required: false + - name: period + type: text + title: Period + required: false + show_user: false + description: Configure the reporting interval. All flows are reported at the very same point in time. Periodical reporting can be disabled by setting the value to -1s. If disabled, flows are still reported once being timed out. + default: '10s' + - name: timeout + type: text + title: Flow timeout + description: Timeout configures the lifetime of a flow. If no packets have been received for a flow within the timeout time window, the flow is killed and reported. Valid time units are ns, us, ms, s, m, h. + required: false + show_user: false + default: '30s' + - name: processors + type: yaml + title: Processors + description: Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + show_user: false + multi: false + required: false + - name: tags + type: text + title: Tags + description: Tags to include in the published event. 
+ show_user: false + multi: true + required: false + - name: map_to_ecs + type: bool + title: Map root Packetbeat fields to ECS + description: |- + Remap any non-ECS Packetbeat fields in root to their correct ECS fields. + This will rename fields that are moved so the fields will not be present + at the root of the document and so any rules that depend on the fields + will need to be updated. + + The legacy behaviour of this option is deprecated and users are encouraged + to set this option to true. See details in the [package overview describing `map_to_ecs`](../../../integrations/detail/network_traffic/overview). + show_user: true + multi: false + required: false diff --git a/packages/endace/data_stream/flow/sample_event.json b/packages/endace/data_stream/flow/sample_event.json new file mode 100644 index 00000000000..c5e261b80aa --- /dev/null +++ b/packages/endace/data_stream/flow/sample_event.json 
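Review bot: The stream template flow.yml.hbs in this patch reads `endace_url`, but this manifest declares no such var (only geoip_enrich, monitor_processes, period, timeout, processors, tags and map_to_ecs), so unless it is declared in the package-level manifest the template renders an empty value and `_conf.endace_url` is never set for the downstream pipeline. Declare it here, e.g. `- name: endace_url`, `type: text`, `title: Endace URL`, with a description stating what it points at and whether it must be an HTTPS origin, since the value travels in every event. The `processors` description links to the Filebeat filtering docs although the input here is `packet`, and the `map_to_ecs` description links to the network_traffic package overview; both texts were carried over from that package and should point at the Packetbeat processor docs and this package's own README respectively.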
@@ -0,0 +1,86 @@ +{ + "@timestamp": "2023-10-16T22:40:20.005Z", + "agent": { + "ephemeral_id": "005dde79-7459-4b47-ae00-972086b4f5db", + "id": "f923dfe0-3acb-4f62-9ab4-1fabb8e8e112", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.6.2" + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 64, + "ip": "::1", + "packets": 1, + "port": 8000 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "f923dfe0-3acb-4f62-9ab4-1fabb8e8e112", + "snapshot": false, + "version": "8.6.2" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 73561, + "end": "2023-10-16T22:39:45.677Z", + "ingested": "2023-10-16T22:40:21Z", + "kind": "event", + "start": "2023-10-16T22:39:45.677Z", + "type": [ + "connection", + "end" + ] + }, + "flow": { + "final": true, + "id": "QAT///////8A////IP8AAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAUAfeMg" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "id": "f91b175388d443fca5c155815dfc2279", + "ip": [ + "172.19.0.7" + ], + "mac": [ + "02-42-AC-13-00-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.15.49-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.5 LTS (Focal Fossa)" + } + }, + "network": { + "bytes": 152, + "community_id": "1:5y9AkdbV9U8xqD9dhlj6obkubHg=", + "packets": 2, + "transport": "tcp", + "type": "ipv6" + }, + "source": { + "bytes": 88, + "ip": "::1", + "packets": 1, + "port": 51320 + }, + "type": "flow" +} diff --git a/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json b/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json new file mode 100644 index 00000000000..2507a856291 --- /dev/null 
+++ b/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json 
@@ -0,0 +1,3373 @@ +{ + "events": [ + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "network": { + "iana_number": 6, + "bytes": 719, + "packets": 5, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp" + }, + "observer": { + "ip": "127.0.0.1" + }, + "agent": { + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat" + }, + "client": { + "bytes": 719, + "packets": 5 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "netflow": { + "art_network_time_sum": 0, + "flow_end_sys_up_time": 564184158, + "responder_octets": 0, + "art_count_responses": 0, + "initiator_octets": 719, + "art_server_response_time_maximum": 0, + "ingress_vrfid": 0, + "art_count_late_responses": 0, + "art_server_response_time_sum": 0, + "responder_packets": 0, + "waasoptimization_segment": 16, + "initiator_packets": 5, + "art_response_time_sum": 0, + "application_id": [ + 3, + 0, + 0, + 80 + ], + "connection_sum_duration_seconds": 0, + "protocol_identifier": 6, + "art_total_transaction_time_sum": 0, + "art_total_response_time_sum": 0, + "type": "netflow_flow", + "vlan_id": 0, + "biflow_direction": 1, + "ingress_interface": 10, + "art_client_network_time_sum": 0, + "art_count_transactions": 0, + "new_connection_delta_count": 1, + "flow_start_sys_up_time": 564184140, + "egress_interface": 13, + "art_server_network_time_sum": 0, + "art_count_retransmissions": 0, + "ip_ttl": 49, + "exporter": { + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10 + }, + "ip_diff_serv_code_point": 0 + }, + "server": { + "packets": 0, + "bytes": 0 + }, + "input": { + "type": "netflow" + }, + "host": { + "name": "mbp.local" + }, + "ecs": { + "version": "1.8.0" + }, + "event": { + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": 
"network_session", + "action": "netflow_flow", + "type": [ + "connection" + ] + }, + "source": { + "packets": 5, + "bytes": 719 + }, + "destination": { + "bytes": 0, + "packets": 0 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "event": { + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session" + }, + "observer": { + "ip": "127.0.0.1" + }, + "destination": { + "packets": 0, + "bytes": 0 + }, + "input": { + "type": "netflow" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "1.8.0" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "netflow": { + "new_connection_delta_count": 1, + "art_count_transactions": 0, + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_server_network_time_sum": 0, + "art_response_time_sum": 0, + "initiator_packets": 6, + "type": "netflow_flow", + "ingress_interface": 10, + "art_count_retransmissions": 0, + "art_client_network_time_sum": 0, + "vlan_id": 0, + "connection_sum_duration_seconds": 0, + "protocol_identifier": 6, + "initiator_octets": 1477, + "art_count_responses": 0, + "responder_octets": 0, + "exporter": { + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z" + }, + "flow_end_sys_up_time": 564184154, + "ip_ttl": 49, + "biflow_direction": 1, + "ip_diff_serv_code_point": 0, + "art_total_transaction_time_sum": 0, + "art_count_late_responses": 0, + "egress_interface": 13, + "art_server_response_time_maximum": 0, + "responder_packets": 0, + "art_total_response_time_sum": 0, + "art_network_time_sum": 0, + "waasoptimization_segment": 16, + "art_server_response_time_sum": 0, + "ingress_vrfid": 0, + "flow_start_sys_up_time": 564184140 + }, + "host": { + "name": "mbp.local" + }, + 
"client": { + "bytes": 1477, + "packets": 6 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "source": { + "bytes": 1477, + "packets": 6 + }, + "network": { + "transport": "tcp", + "iana_number": 6, + "bytes": 1477, + "packets": 6, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "network": { + "transport": "tcp", + "iana_number": 6, + "bytes": 1, + "packets": 2, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "destination": { + "packets": 1, + "bytes": 0 + }, + "observer": { + "ip": "127.0.0.1" + }, + "server": { + "bytes": 0, + "packets": 1 + }, + "source": { + "packets": 1, + "bytes": 1 + }, + "host": { + "name": "mbp.local" + }, + "netflow": { + "biflow_direction": 1, + "waasoptimization_segment": 16, + "art_count_responses": 0, + "responder_octets": 0, + "ingress_vrfid": 0, + "initiator_packets": 1, + "art_count_late_responses": 0, + "ip_ttl": 125, + "art_server_response_time_sum": 0, + "art_count_transactions": 0, + "protocol_identifier": 6, + "flow_end_sys_up_time": 564184144, + "type": "netflow_flow", + "art_server_response_time_maximum": 0, + "responder_packets": 1, + "ip_diff_serv_code_point": 0, + "art_network_time_sum": 0, + "connection_sum_duration_seconds": 89, + "art_total_response_time_sum": 0, + "egress_interface": 10, + "flow_start_sys_up_time": 564184142, + "art_response_time_sum": 0, + "exporter": { + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10 + }, + "new_connection_delta_count": 0, + "ingress_interface": 13, + "vlan_id": 290, + "art_client_network_time_sum": 0, + 
"art_total_transaction_time_sum": 0, + "art_count_retransmissions": 1, + "initiator_octets": 1, + "art_server_network_time_sum": 0, + "application_id": [ + 13, + 0, + 2, + 8 + ] + }, + "event": { + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ] + }, + "client": { + "bytes": 1, + "packets": 1 + }, + "input": { + "type": "netflow" + }, + "ecs": { + "version": "1.8.0" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "destination": { + "packets": 0, + "bytes": 0 + }, + "netflow": { + "art_count_late_responses": 0, + "connection_sum_duration_seconds": 0, + "art_total_transaction_time_sum": 0, + "art_count_transactions": 0, + "biflow_direction": 1, + "waasoptimization_segment": 16, + "responder_packets": 0, + "art_response_time_sum": 0, + "flow_end_sys_up_time": 564184216, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "ingress_interface": 10, + "protocol_identifier": 6, + "art_total_response_time_sum": 0, + "egress_interface": 13, + "initiator_octets": 108580, + "new_connection_delta_count": 1, + "exporter": { + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512 + }, + "vlan_id": 0, + "flow_start_sys_up_time": 564184131, + "initiator_packets": 79, + "art_network_time_sum": 0, + "art_client_network_time_sum": 0, + "ingress_vrfid": 0, + "ip_ttl": 49, + "type": "netflow_flow", + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_count_retransmissions": 2, + "art_count_responses": 0, + "ip_diff_serv_code_point": 0, + "responder_octets": 0, + 
"art_server_response_time_sum": 0 + }, + "event": { + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ] + }, + "client": { + "packets": 79, + "bytes": 108580 + }, + "source": { + "bytes": 108580, + "packets": 79 + }, + "observer": { + "ip": "127.0.0.1" + }, + "input": { + "type": "netflow" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "network": { + "transport": "tcp", + "iana_number": 6, + "bytes": 108580, + "packets": 79, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "server": { + "bytes": 0, + "packets": 0 + }, + "observer": { + "ip": "127.0.0.1" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "event": { + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ] + }, + "client": { + "bytes": 342, + "packets": 5 + }, + "source": { + "packets": 5, + "bytes": 342 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "network": { + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 342, + "packets": 5 + }, + "netflow": { + "protocol_identifier": 6, + "art_total_response_time_sum": 0, + "type": "netflow_flow", + "ingress_interface": 10, + "waasoptimization_segment": 16, + "art_count_retransmissions": 0, + "biflow_direction": 1, + "art_server_response_time_sum": 0, + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_count_transactions": 0, + "responder_octets": 0, + "art_server_network_time_sum": 0, + "initiator_packets": 5, + "art_count_late_responses": 0, + "ingress_vrfid": 0, + "flow_end_sys_up_time": 564184208, + "art_client_network_time_sum": 0, + 
"art_total_transaction_time_sum": 0, + "new_connection_delta_count": 1, + "initiator_octets": 342, + "ip_ttl": 49, + "art_count_responses": 0, + "art_response_time_sum": 0, + "egress_interface": 13, + "responder_packets": 0, + "connection_sum_duration_seconds": 0, + "art_server_response_time_maximum": 0, + "art_network_time_sum": 0, + "vlan_id": 0, + "flow_start_sys_up_time": 564184176, + "ip_diff_serv_code_point": 0, + "exporter": { + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z" + } + }, + "ecs": { + "version": "1.8.0" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "client": { + "bytes": 1851, + "packets": 17 + }, + "source": { + "bytes": 1851, + "packets": 17 + }, + "netflow": { + "initiator_packets": 17, + "initiator_octets": 1851, + "type": "netflow_flow", + "responder_packets": 18, + "biflow_direction": 1, + "waasoptimization_segment": 16, + "art_count_retransmissions": 0, + "protocol_identifier": 6, + "art_server_response_time_sum": 13, + "exporter": { + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512 + }, + "art_client_network_time_sum": 2, + "ingress_vrfid": 0, + "art_total_transaction_time_sum": 100, + "art_response_time_sum": 153, + "new_connection_delta_count": 2, + "art_count_responses": 3, + "ip_diff_serv_code_point": 0, + "vlan_id": 290, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_server_network_time_sum": 95, + "art_count_late_responses": 0, + "art_total_response_time_sum": 156, + "ip_ttl": 125, + "art_server_response_time_maximum": 8, + "connection_sum_duration_seconds": 24, + "art_network_time_sum": 97, + "flow_end_sys_up_time": 564197394, + "art_count_transactions": 2, + 
"flow_start_sys_up_time": 564184067, + "ingress_interface": 13, + "egress_interface": 10, + "responder_octets": 9437 + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "agent": { + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "observer": { + "ip": "127.0.0.1" + }, + "server": { + "bytes": 9437, + "packets": 18 + }, + "event": { + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow" + }, + "input": { + "type": "netflow" + }, + "destination": { + "bytes": 9437, + "packets": 18 + }, + "network": { + "bytes": 11288, + "packets": 35, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "source": { + "bytes": 51480, + "packets": 39 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "netflow": { + "flow_start_sys_up_time": 564184182, + "ip_diff_serv_code_point": 0, + "application_id": [ + 3, + 0, + 0, + 80 + ], + "waasoptimization_segment": 16, + "art_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "type": "netflow_flow", + "art_server_response_time_maximum": 0, + "ingress_vrfid": 0, + "responder_packets": 0, + "exporter": { + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z" + }, + "art_count_retransmissions": 0, + "responder_octets": 0, + "ip_ttl": 49, + "art_total_response_time_sum": 0, + "initiator_packets": 39, + "ingress_interface": 10, + "art_server_response_time_sum": 0, + "initiator_octets": 51480, + "egress_interface": 13, + "art_server_network_time_sum": 0, + "art_client_network_time_sum": 0, + 
"new_connection_delta_count": 1, + "art_response_time_sum": 0, + "vlan_id": 0, + "protocol_identifier": 6, + "connection_sum_duration_seconds": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "art_count_transactions": 0, + "flow_end_sys_up_time": 564184216 + }, + "input": { + "type": "netflow" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "event": { + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "observer": { + "ip": "127.0.0.1" + }, + "server": { + "packets": 0, + "bytes": 0 + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "client": { + "bytes": 51480, + "packets": 39 + }, + "network": { + "transport": "tcp", + "iana_number": 6, + "bytes": 51480, + "packets": 39, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "destination": { + "bytes": 36894, + "packets": 47 + }, + "network": { + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 42029, + "packets": 102, + "direction": "unknown" + }, + "server": { + "bytes": 36894, + "packets": 47 + }, + "host": { + "name": "mbp.local" + }, + "netflow": { + "responder_packets": 47, + "egress_interface": 10, + "art_client_network_time_sum": 10, + "art_response_time_sum": 516, + "ip_diff_serv_code_point": 0, + "art_count_late_responses": 0, + "art_count_transactions": 14, + "ip_ttl": 126, + "art_count_responses": 15, + "responder_octets": 36894, + "connection_sum_duration_seconds": 35, + "protocol_identifier": 6, + "new_connection_delta_count": 6, + "art_server_response_time_maximum": 27, + 
"art_server_response_time_sum": 117, + "art_server_network_time_sum": 364, + "art_total_response_time_sum": 541, + "art_total_transaction_time_sum": 512, + "biflow_direction": 1, + "art_count_retransmissions": 0, + "ingress_interface": 13, + "initiator_packets": 55, + "ingress_vrfid": 0, + "vlan_id": 290, + "type": "netflow_flow", + "initiator_octets": 5135, + "art_network_time_sum": 374, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "exporter": { + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809" + }, + "flow_end_sys_up_time": 564203810, + "flow_start_sys_up_time": 564184040, + "waasoptimization_segment": 16 + }, + "client": { + "bytes": 5135, + "packets": 55 + }, + "flow": { + "locality": "internal", + "id": "Vhs9T5k296w" + }, + "input": { + "type": "netflow" + }, + "agent": { + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c" + }, + "ecs": { + "version": "1.8.0" + }, + "event": { + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ] + }, + "source": { + "packets": 55, + "bytes": 5135 + }, + "observer": { + "ip": "127.0.0.1" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "client": { + "bytes": 6533, + "packets": 14 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "input": { + "type": "netflow" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "server": { + "bytes": 6400, + "packets": 20 + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "source": { + "packets": 14, + "bytes": 6533 + }, + "destination": { + "bytes": 6400, + "packets": 20 + }, + 
"network": { + "iana_number": 6, + "bytes": 12933, + "packets": 34, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp" + }, + "netflow": { + "responder_packets": 14, + "art_count_responses": 6, + "vlan_id": 0, + "new_connection_delta_count": 2, + "ingress_interface": 10, + "art_total_response_time_sum": 138, + "art_server_response_time_maximum": 31, + "ip_diff_serv_code_point": 0, + "art_server_response_time_sum": 78, + "art_count_retransmissions": 1, + "art_total_transaction_time_sum": 123, + "initiator_packets": 20, + "ip_ttl": 61, + "type": "netflow_flow", + "ingress_vrfid": 0, + "protocol_identifier": 6, + "art_server_network_time_sum": 18, + "art_count_transactions": 6, + "flow_start_sys_up_time": 564184163, + "exporter": { + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512 + }, + "art_network_time_sum": 23, + "egress_interface": 13, + "responder_octets": 6533, + "application_id": [ + 13, + 0, + 2, + 99 + ], + "biflow_direction": 2, + "waasoptimization_segment": 16, + "initiator_octets": 6400, + "flow_end_sys_up_time": 564200378, + "connection_sum_duration_seconds": 64, + "art_count_late_responses": 0, + "art_response_time_sum": 123, + "art_client_network_time_sum": 5 + }, + "event": { + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event" + }, + "observer": { + "ip": "127.0.0.1" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "event": { + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z" + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "observer": { + "ip": "127.0.0.1" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "source": { + "bytes": 5684, + 
"packets": 491 + }, + "network": { + "packets": 491, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 5684 + }, + "netflow": { + "new_connection_delta_count": 0, + "art_count_retransmissions": 0, + "vlan_id": 290, + "exporter": { + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10 + }, + "art_server_response_time_sum": 0, + "biflow_direction": 1, + "art_count_responses": 0, + "art_total_transaction_time_sum": 0, + "art_response_time_sum": 0, + "initiator_octets": 5684, + "ingress_vrfid": 0, + "responder_packets": 0, + "application_id": [ + 13, + 0, + 0, + 49 + ], + "connection_sum_duration_seconds": 109, + "art_total_response_time_sum": 0, + "type": "netflow_flow", + "flow_start_sys_up_time": 564184196, + "egress_interface": 10, + "ingress_interface": 13, + "art_server_network_time_sum": 0, + "ip_diff_serv_code_point": 0, + "initiator_packets": 491, + "ip_ttl": 125, + "responder_octets": 0, + "waasoptimization_segment": 16, + "art_network_time_sum": 0, + "protocol_identifier": 6, + "art_server_response_time_maximum": 0, + "art_count_late_responses": 0, + "art_client_network_time_sum": 0, + "flow_end_sys_up_time": 564185840, + "art_count_transactions": 0 + }, + "input": { + "type": "netflow" + }, + "host": { + "name": "mbp.local" + }, + "client": { + "bytes": 5684, + "packets": 491 + }, + "ecs": { + "version": "1.8.0" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "client": { + "bytes": 4965, + "packets": 13 + }, + "server": { + "packets": 0, + "bytes": 0 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "event": { + "category": 
"network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event" + }, + "input": { + "type": "netflow" + }, + "host": { + "name": "mbp.local" + }, + "source": { + "bytes": 4965, + "packets": 13 + }, + "observer": { + "ip": "127.0.0.1" + }, + "netflow": { + "protocol_identifier": 6, + "art_server_response_time_maximum": 0, + "new_connection_delta_count": 1, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0 + }, + "type": "netflow_flow", + "art_count_responses": 0, + "art_server_network_time_sum": 0, + "responder_packets": 0, + "ingress_interface": 13, + "biflow_direction": 1, + "ip_diff_serv_code_point": 0, + "initiator_packets": 13, + "ingress_vrfid": 0, + "art_count_transactions": 0, + "art_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "connection_sum_duration_seconds": 0, + "flow_end_sys_up_time": 564184254, + "vlan_id": 290, + "initiator_octets": 4965, + "waasoptimization_segment": 16, + "responder_octets": 0, + "art_count_late_responses": 0, + "art_total_response_time_sum": 0, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_server_response_time_sum": 0, + "flow_start_sys_up_time": 564184154, + "ip_ttl": 125, + "art_count_retransmissions": 0, + "art_network_time_sum": 0, + "egress_interface": 10, + "art_client_network_time_sum": 0 + }, + "ecs": { + "version": "1.8.0" + }, + "agent": { + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75" + }, + "network": { + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 4965, + "packets": 13, + "direction": "unknown" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "server": { + "packets": 2, + "bytes": 0 + }, + "ecs": { + "version": "1.8.0" + }, + 
"host": { + "name": "mbp.local" + }, + "agent": { + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c" + }, + "destination": { + "bytes": 0, + "packets": 2 + }, + "event": { + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event" + }, + "client": { + "bytes": 138, + "packets": 4 + }, + "network": { + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 138, + "packets": 6, + "direction": "unknown" + }, + "netflow": { + "protocol_identifier": 6, + "ingress_interface": 10, + "vlan_id": 0, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0 + }, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_count_responses": 0, + "art_total_response_time_sum": 0, + "connection_sum_duration_seconds": 239, + "responder_octets": 138, + "art_count_retransmissions": 0, + "ingress_vrfid": 0, + "initiator_packets": 2, + "new_connection_delta_count": 0, + "application_id": [ + 13, + 0, + 2, + 99 + ], + "art_client_network_time_sum": 0, + "flow_start_sys_up_time": 564184214, + "biflow_direction": 2, + "art_network_time_sum": 0, + "type": "netflow_flow", + "art_count_late_responses": 0, + "art_count_transactions": 2, + "flow_end_sys_up_time": 564184362, + "egress_interface": 13, + "ip_diff_serv_code_point": 0, + "responder_packets": 4, + "art_response_time_sum": 0, + "art_total_transaction_time_sum": 119878, + "initiator_octets": 0, + "art_server_response_time_sum": 0, + "ip_ttl": 61, + "waasoptimization_segment": 16 + }, + "observer": { + "ip": "127.0.0.1" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "input": { + "type": "netflow" + }, + "source": { + "bytes": 138, + 
"packets": 4 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "netflow": { + "waasoptimization_segment": 16, + "art_total_transaction_time_sum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_count_responses": 0, + "ingress_interface": 13, + "art_server_network_time_sum": 0, + "art_client_network_time_sum": 0, + "flow_end_sys_up_time": 564184220, + "ingress_vrfid": 0, + "biflow_direction": 1, + "ip_ttl": 125, + "initiator_packets": 1, + "vlan_id": 290, + "ip_diff_serv_code_point": 0, + "art_count_retransmissions": 1, + "egress_interface": 10, + "art_response_time_sum": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "exporter": { + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809" + }, + "type": "netflow_flow", + "responder_octets": 0, + "responder_packets": 0, + "connection_sum_duration_seconds": 44, + "art_count_late_responses": 0, + "flow_start_sys_up_time": 564184220, + "protocol_identifier": 6, + "application_id": [ + 13, + 0, + 2, + 8 + ], + "initiator_octets": 1, + "new_connection_delta_count": 0, + "art_server_response_time_maximum": 0 + }, + "event": { + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event" + }, + "observer": { + "ip": "127.0.0.1" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "packets": 1, + "bytes": 1 + }, + "network": { + "transport": "tcp", + "iana_number": 6, + "bytes": 1, + "packets": 1, + "direction": "unknown", + "community_id": 
"1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + }, + "client": { + "packets": 1, + "bytes": 1 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "input": { + "type": "netflow" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "netflow": { + "art_count_responses": 3, + "egress_interface": 13, + "initiator_octets": 1571, + "ingress_vrfid": 0, + "connection_sum_duration_seconds": 62, + "art_server_network_time_sum": 146, + "art_client_network_time_sum": 3, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_count_late_responses": 0, + "art_server_response_time_maximum": 3, + "art_total_response_time_sum": 453, + "type": "netflow_flow", + "ip_diff_serv_code_point": 0, + "exporter": { + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809" + }, + "protocol_identifier": 6, + "ip_ttl": 220, + "waasoptimization_segment": 16, + "responder_octets": 6079, + "vlan_id": 0, + "art_server_response_time_sum": 6, + "initiator_packets": 13, + "art_count_retransmissions": 0, + "flow_end_sys_up_time": 564215068, + "responder_packets": 10, + "flow_start_sys_up_time": 564184067, + "ingress_interface": 10, + "art_response_time_sum": 444, + "biflow_direction": 2, + "art_network_time_sum": 149, + "art_count_transactions": 2, + "new_connection_delta_count": 1, + "art_total_transaction_time_sum": 296 + }, + "input": { + "type": "netflow" + }, + "observer": { + "ip": "127.0.0.1" + }, + "client": { + "packets": 10, + "bytes": 6079 + }, + "network": { + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 7650, + "packets": 23 + }, + "server": { + "bytes": 1571, + "packets": 13 + }, + "source": { + "bytes": 6079, + "packets": 10 + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "agent": { + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": 
"508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "destination": { + "bytes": 1571, + "packets": 13 + }, + "event": { + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ] + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "client": { + "packets": 6, + "bytes": 2807 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "1.8.0" + }, + "event": { + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session" + }, + "network": { + "packets": 6, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 2807 + }, + "source": { + "packets": 6, + "bytes": 2807 + }, + "netflow": { + "biflow_direction": 1, + "art_response_time_sum": 0, + "responder_packets": 0, + "waasoptimization_segment": 16, + "egress_interface": 13, + "art_count_responses": 0, + "ingress_vrfid": 0, + "connection_sum_duration_seconds": 0, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0 + }, + "vlan_id": 0, + "art_count_late_responses": 0, + "type": "netflow_flow", + "ip_diff_serv_code_point": 0, + "flow_start_sys_up_time": 564183878, + "art_server_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "art_server_network_time_sum": 0, + "art_count_transactions": 0, + "responder_octets": 0, + "art_client_network_time_sum": 0, + "protocol_identifier": 6, + "initiator_packets": 6, + "initiator_octets": 2807, + "art_server_response_time_maximum": 0, + "art_network_time_sum": 0, + "art_total_response_time_sum": 0, + "flow_end_sys_up_time": 564184252, + "ip_ttl": 61, + "new_connection_delta_count": 1, + "ingress_interface": 10, + 
"application_id": [ + 13, + 0, + 1, + 197 + ], + "art_count_retransmissions": 0 + }, + "observer": { + "ip": "127.0.0.1" + }, + "input": { + "type": "netflow" + }, + "host": { + "name": "mbp.local" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "event": { + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z" + }, + "host": { + "name": "mbp.local" + }, + "network": { + "packets": 1, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 0 + }, + "source": { + "bytes": 0, + "packets": 1 + }, + "observer": { + "ip": "127.0.0.1" + }, + "netflow": { + "ip_diff_serv_code_point": 0, + "new_connection_delta_count": 0, + "art_server_network_time_sum": 0, + "protocol_identifier": 6, + "exporter": { + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z" + }, + "initiator_packets": 1, + "ingress_vrfid": 0, + "art_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "ingress_interface": 1, + "vlan_id": 0, + "type": "netflow_flow", + "art_count_responses": 0, + "art_client_network_time_sum": 0, + "art_server_response_time_sum": 0, + "waasoptimization_segment": 16, + "initiator_octets": 0, + "art_count_transactions": 0, + "responder_packets": 0, + "art_total_response_time_sum": 0, + "ip_ttl": 124, + "biflow_direction": 1, + "flow_end_sys_up_time": 564184248, + "egress_interface": 4, + "responder_octets": 0, + "art_network_time_sum": 0, + 
"connection_sum_duration_seconds": 59, + "flow_start_sys_up_time": 564184248, + "art_count_retransmissions": 0, + "art_server_response_time_maximum": 0, + "art_count_late_responses": 0, + "application_id": [ + 13, + 0, + 0, + 1 + ] + }, + "input": { + "type": "netflow" + }, + "ecs": { + "version": "1.8.0" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "client": { + "bytes": 0, + "packets": 1 + }, + "destination": { + "bytes": 0, + "packets": 0 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "network": { + "packets": 18, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 5286 + }, + "client": { + "bytes": 1877, + "packets": 11 + }, + "destination": { + "bytes": 3409, + "packets": 7 + }, + "input": { + "type": "netflow" + }, + "host": { + "name": "mbp.local" + }, + "event": { + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ] + }, + "server": { + "bytes": 3409, + "packets": 7 + }, + "source": { + "bytes": 1877, + "packets": 11 + }, + "agent": { + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75" + }, + "ecs": { + "version": "1.8.0" + }, + "observer": { + "ip": "127.0.0.1" + }, + "netflow": { + "responder_packets": 7, + "ingress_interface": 13, + "art_server_response_time_sum": 7, + "ip_ttl": 125, + "initiator_packets": 11, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0 + }, + "ingress_vrfid": 0, + "biflow_direction": 1, + "art_count_transactions": 4, + 
"art_server_network_time_sum": 4, + "art_count_responses": 4, + "type": "netflow_flow", + "art_total_transaction_time_sum": 23, + "ip_diff_serv_code_point": 0, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "flow_end_sys_up_time": 564200378, + "art_count_late_responses": 0, + "art_count_retransmissions": 0, + "vlan_id": 290, + "initiator_octets": 1877, + "responder_octets": 3409, + "flow_start_sys_up_time": 564184251, + "egress_interface": 10, + "art_server_response_time_maximum": 3, + "waasoptimization_segment": 16, + "connection_sum_duration_seconds": 32, + "art_network_time_sum": 6, + "new_connection_delta_count": 1, + "art_client_network_time_sum": 2, + "art_response_time_sum": 23, + "art_total_response_time_sum": 31, + "protocol_identifier": 6 + }, + "flow": { + "locality": "internal", + "id": "Vhs9T5k296w" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "destination": { + "bytes": 0, + "packets": 0 + }, + "network": { + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 2255, + "packets": 7, + "direction": "unknown" + }, + "host": { + "name": "mbp.local" + }, + "source": { + "bytes": 2255, + "packets": 7 + }, + "observer": { + "ip": "127.0.0.1" + }, + "client": { + "bytes": 2255, + "packets": 7 + }, + "server": { + "packets": 0, + "bytes": 0 + }, + "event": { + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "input": { + "type": "netflow" + }, + "agent": { + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat" + }, + "netflow": { + "ip_ttl": 61, + "art_network_time_sum": 0, + "responder_octets": 0, + "responder_packets": 0, + "art_count_retransmissions": 0, + "egress_interface": 13, + "biflow_direction": 1, 
+ "vlan_id": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "new_connection_delta_count": 1, + "connection_sum_duration_seconds": 0, + "type": "netflow_flow", + "art_count_late_responses": 0, + "flow_start_sys_up_time": 564184040, + "art_response_time_sum": 0, + "exporter": { + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10 + }, + "art_client_network_time_sum": 0, + "protocol_identifier": 6, + "art_count_responses": 0, + "art_server_network_time_sum": 0, + "ingress_vrfid": 0, + "ingress_interface": 10, + "waasoptimization_segment": 16, + "initiator_packets": 7, + "art_server_response_time_maximum": 0, + "art_count_transactions": 0, + "ip_diff_serv_code_point": 0, + "art_total_transaction_time_sum": 0, + "initiator_octets": 2255, + "flow_end_sys_up_time": 564184286 + }, + "ecs": { + "version": "1.8.0" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "source": { + "packets": 5, + "bytes": 538 + }, + "netflow": { + "initiator_packets": 5, + "waasoptimization_segment": 16, + "art_total_transaction_time_sum": 0, + "vlan_id": 0, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "flow_start_sys_up_time": 564184284, + "ingress_interface": 10, + "connection_sum_duration_seconds": 0, + "biflow_direction": 1, + "art_server_response_time_sum": 0, + "responder_packets": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_network_time_sum": 0, + "responder_octets": 0, + "art_client_network_time_sum": 0, + "ingress_vrfid": 0, + "art_count_late_responses": 0, + "ip_ttl": 49, + "art_server_response_time_maximum": 0, + "type": "netflow_flow", + "ip_diff_serv_code_point": 0, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0 + }, + "art_server_network_time_sum": 0, + 
"art_response_time_sum": 0, + "art_total_response_time_sum": 0, + "egress_interface": 13, + "application_id": [ + 3, + 0, + 0, + 80 + ], + "initiator_octets": 538, + "art_count_transactions": 0, + "flow_end_sys_up_time": 564184314 + }, + "event": { + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow" + }, + "client": { + "packets": 5, + "bytes": 538 + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "input": { + "type": "netflow" + }, + "observer": { + "ip": "127.0.0.1" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "network": { + "transport": "tcp", + "iana_number": 6, + "bytes": 538, + "packets": 5, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + }, + "destination": { + "bytes": 0, + "packets": 0 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "observer": { + "ip": "127.0.0.1" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "network": { + "packets": 36, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 7792 + }, + "input": { + "type": "netflow" + }, + "ecs": { + "version": "1.8.0" + }, + "event": { + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow" + }, + "source": { + "bytes": 1487, + "packets": 21 + }, + "netflow": { + "art_server_response_time_maximum": 25, + "art_network_time_sum": 9, + "ip_diff_serv_code_point": 0, + "art_total_transaction_time_sum": 59870, + "art_count_late_responses": 0, + "responder_octets": 6305, + 
"art_total_response_time_sum": 77, + "flow_start_sys_up_time": 564184296, + "exporter": { + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z" + }, + "biflow_direction": 1, + "art_server_response_time_sum": 55, + "connection_sum_duration_seconds": 181, + "art_count_retransmissions": 0, + "waasoptimization_segment": 16, + "egress_interface": 10, + "new_connection_delta_count": 2, + "flow_end_sys_up_time": 564214304, + "initiator_packets": 21, + "vlan_id": 290, + "art_count_transactions": 5, + "art_server_network_time_sum": 7, + "ip_ttl": 125, + "application_id": [ + 13, + 0, + 2, + 102 + ], + "art_client_network_time_sum": 2, + "ingress_vrfid": 0, + "initiator_octets": 1487, + "art_count_responses": 5, + "art_response_time_sum": 72, + "responder_packets": 15, + "ingress_interface": 13, + "type": "netflow_flow", + "protocol_identifier": 6 + }, + "destination": { + "bytes": 6305, + "packets": 15 + }, + "server": { + "bytes": 6305, + "packets": 15 + }, + "host": { + "name": "mbp.local" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 1487, + "packets": 21 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "server": { + "bytes": 1973, + "packets": 10 + }, + "observer": { + "ip": "127.0.0.1" + }, + "ecs": { + "version": "1.8.0" + }, + "netflow": { + "art_server_response_time_maximum": 14, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0 + }, + "vlan_id": 0, + "art_client_network_time_sum": 2, + "responder_packets": 7, + "initiator_octets": 1973, + "application_id": [ + 13, + 0, + 2, + 99 + ], + "flow_end_sys_up_time": 564200376, + "art_total_transaction_time_sum": 39, + "biflow_direction": 2, + 
"art_count_retransmissions": 0, + "waasoptimization_segment": 16, + "ip_diff_serv_code_point": 0, + "ingress_interface": 10, + "art_server_response_time_sum": 15, + "initiator_packets": 10, + "art_count_responses": 3, + "art_server_network_time_sum": 10, + "connection_sum_duration_seconds": 32, + "art_response_time_sum": 39, + "protocol_identifier": 6, + "flow_start_sys_up_time": 564184268, + "egress_interface": 13, + "art_count_transactions": 3, + "art_network_time_sum": 12, + "art_count_late_responses": 0, + "type": "netflow_flow", + "new_connection_delta_count": 1, + "responder_octets": 3110, + "ingress_vrfid": 0, + "ip_ttl": 61, + "art_total_response_time_sum": 45 + }, + "client": { + "bytes": 3110, + "packets": 7 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "source": { + "bytes": 3110, + "packets": 7 + }, + "event": { + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event" + }, + "input": { + "type": "netflow" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "host": { + "name": "mbp.local" + }, + "destination": { + "packets": 10, + "bytes": 1973 + }, + "network": { + "transport": "tcp", + "iana_number": 6, + "bytes": 5083, + "packets": 17, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "ecs": { + "version": "1.8.0" + }, + "server": { + "bytes": 2, + "packets": 4 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "destination": { + "bytes": 2, + "packets": 4 + }, + "client": { + "packets": 4, + "bytes": 2 + }, + "event": { + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ] + }, + 
"source": { + "bytes": 2, + "packets": 4 + }, + "input": { + "type": "netflow" + }, + "host": { + "name": "mbp.local" + }, + "network": { + "bytes": 4, + "packets": 8, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6 + }, + "netflow": { + "art_count_responses": 0, + "flow_start_sys_up_time": 564184300, + "flow_end_sys_up_time": 564214242, + "waasoptimization_segment": 16, + "art_response_time_sum": 0, + "art_client_network_time_sum": 0, + "initiator_octets": 2, + "initiator_packets": 4, + "ip_diff_serv_code_point": 0, + "art_total_response_time_sum": 0, + "ip_ttl": 124, + "art_count_retransmissions": 2, + "protocol_identifier": 6, + "responder_packets": 4, + "type": "netflow_flow", + "application_id": [ + 3, + 0, + 5, + 153 + ], + "art_count_transactions": 0, + "art_network_time_sum": 0, + "egress_interface": 13, + "ingress_interface": 10, + "vlan_id": 0, + "art_count_late_responses": 0, + "new_connection_delta_count": 0, + "art_total_transaction_time_sum": 0, + "art_server_network_time_sum": 0, + "biflow_direction": 2, + "art_server_response_time_maximum": 0, + "responder_octets": 2, + "ingress_vrfid": 0, + "exporter": { + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512 + }, + "art_server_response_time_sum": 0, + "connection_sum_duration_seconds": 119 + }, + "observer": { + "ip": "127.0.0.1" + }, + "agent": { + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "network": { + "packets": 4, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 2 + }, + "netflow": { + "flow_start_sys_up_time": 564184306, + "art_network_time_sum": 0, + "art_total_response_time_sum": 
0, + "flow_end_sys_up_time": 564184580, + "application_id": [ + 3, + 0, + 0, + 80 + ], + "new_connection_delta_count": 0, + "biflow_direction": 1, + "waasoptimization_segment": 16, + "exporter": { + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809" + }, + "vlan_id": 290, + "art_total_transaction_time_sum": 0, + "initiator_packets": 2, + "art_server_network_time_sum": 0, + "egress_interface": 10, + "ip_diff_serv_code_point": 0, + "protocol_identifier": 6, + "art_response_time_sum": 0, + "ip_ttl": 125, + "art_count_responses": 0, + "initiator_octets": 2, + "art_server_response_time_maximum": 0, + "type": "netflow_flow", + "responder_packets": 2, + "art_server_response_time_sum": 0, + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "connection_sum_duration_seconds": 179, + "art_count_transactions": 0, + "ingress_interface": 13, + "ingress_vrfid": 0, + "art_count_retransmissions": 2, + "responder_octets": 0 + }, + "source": { + "bytes": 2, + "packets": 2 + }, + "input": { + "type": "netflow" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "server": { + "packets": 2, + "bytes": 0 + }, + "destination": { + "bytes": 0, + "packets": 2 + }, + "event": { + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.939Z" + }, + "observer": { + "ip": "127.0.0.1" + }, + "client": { + "bytes": 2, + "packets": 2 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "agent": { + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "version": "8.0.0", + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + 
"name": "mbp.local", + "type": "filebeat" + }, + "server": { + "bytes": 0, + "packets": 2 + }, + "event": { + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "observer": { + "ip": "127.0.0.1" + }, + "source": { + "bytes": 0, + "packets": 4 + }, + "network": { + "packets": 6, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 0 + }, + "input": { + "type": "netflow" + }, + "ecs": { + "version": "1.8.0" + }, + "client": { + "bytes": 0, + "packets": 4 + }, + "destination": { + "bytes": 0, + "packets": 2 + }, + "netflow": { + "art_server_response_time_sum": 0, + "art_server_network_time_sum": 0, + "ip_diff_serv_code_point": 0, + "art_response_time_sum": 0, + "flow_start_sys_up_time": 564184326, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "biflow_direction": 1, + "ip_ttl": 125, + "responder_packets": 2, + "responder_octets": 0, + "art_server_response_time_maximum": 0, + "initiator_packets": 4, + "type": "netflow_flow", + "art_total_transaction_time_sum": 18, + "egress_interface": 10, + "flow_end_sys_up_time": 564184326, + "art_total_response_time_sum": 0, + "vlan_id": 290, + "waasoptimization_segment": 16, + "ingress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0 + }, + "initiator_octets": 0, + "art_client_network_time_sum": 0, + "connection_sum_duration_seconds": 119, + "art_network_time_sum": 0, + "art_count_retransmissions": 0, + "art_count_late_responses": 0, + "art_count_transactions": 2, + "ingress_vrfid": 0, + "protocol_identifier": 6, + "new_connection_delta_count": 0, + "art_count_responses": 0 + }, + "host": { + "name": "mbp.local" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + 
"flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "network": { + "transport": "tcp", + "iana_number": 6, + "bytes": 1179, + "packets": 7, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + }, + "observer": { + "ip": "127.0.0.1" + }, + "host": { + "name": "mbp.local" + }, + "server": { + "bytes": 174, + "packets": 3 + }, + "destination": { + "bytes": 174, + "packets": 3 + }, + "netflow": { + "waasoptimization_segment": 16, + "initiator_packets": 4, + "art_count_retransmissions": 1, + "flow_start_sys_up_time": 564184326, + "connection_sum_duration_seconds": 119, + "initiator_octets": 1005, + "application_id": [ + 3, + 0, + 5, + 153 + ], + "ingress_interface": 13, + "art_server_response_time_sum": 5, + "responder_packets": 3, + "ip_ttl": 125, + "art_client_network_time_sum": 0, + "art_count_transactions": 1, + "art_total_transaction_time_sum": 12, + "protocol_identifier": 6, + "art_network_time_sum": 0, + "new_connection_delta_count": 0, + "art_server_response_time_maximum": 5, + "art_response_time_sum": 5, + "type": "netflow_flow", + "responder_octets": 174, + "art_server_network_time_sum": 0, + "art_count_responses": 1, + "egress_interface": 10, + "flow_end_sys_up_time": 564214476, + "biflow_direction": 1, + "ingress_vrfid": 0, + "art_total_response_time_sum": 8, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0 + }, + "ip_diff_serv_code_point": 0, + "vlan_id": 290, + "art_count_late_responses": 0 + }, + "event": { + "kind": "event", + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.939Z" + }, + "client": { + "bytes": 1005, + "packets": 4 + }, + "input": { + "type": "netflow" + }, + "ecs": { + "version": "1.8.0" + }, + "agent": { + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0", + "ephemeral_id": 
"0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75" + }, + "source": { + "bytes": 1005, + "packets": 4 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "netflow": { + "art_server_network_time_sum": 0, + "vlan_id": 0, + "art_count_transactions": 2, + "responder_packets": 4, + "type": "netflow_flow", + "ingress_interface": 10, + "flow_end_sys_up_time": 564184490, + "protocol_identifier": 6, + "ingress_vrfid": 0, + "initiator_octets": 0, + "exporter": { + "version": 10, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512 + }, + "art_total_transaction_time_sum": 119644, + "art_response_time_sum": 0, + "responder_octets": 138, + "art_client_network_time_sum": 0, + "initiator_packets": 2, + "flow_start_sys_up_time": 564184336, + "ip_diff_serv_code_point": 0, + "connection_sum_duration_seconds": 238, + "egress_interface": 13, + "art_total_response_time_sum": 0, + "waasoptimization_segment": 16, + "art_network_time_sum": 0, + "art_server_response_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_count_late_responses": 0, + "art_count_retransmissions": 0, + "biflow_direction": 2, + "art_count_responses": 0, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "new_connection_delta_count": 0, + "ip_ttl": 61 + }, + "network": { + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 138, + "packets": 6, + "direction": "unknown" + }, + "source": { + "packets": 4, + "bytes": 138 + }, + "input": { + "type": "netflow" + }, + "server": { + "bytes": 0, + "packets": 2 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "observer": { + 
"ip": "127.0.0.1" + }, + "destination": { + "bytes": 0, + "packets": 2 + }, + "event": { + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "category": "network_session" + }, + "client": { + "bytes": 138, + "packets": 4 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "host": { + "name": "mbp.local" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "netflow": { + "art_total_response_time_sum": 0, + "initiator_octets": 0, + "flow_end_sys_up_time": 564184350, + "art_network_time_sum": 0, + "ingress_interface": 10, + "responder_octets": 31, + "art_server_response_time_sum": 0, + "art_count_transactions": 1, + "ingress_vrfid": 0, + "vlan_id": 0, + "application_id": [ + 13, + 0, + 1, + 197 + ], + "biflow_direction": 2, + "new_connection_delta_count": 0, + "initiator_packets": 1, + "art_client_network_time_sum": 0, + "exporter": { + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10 + }, + "art_response_time_sum": 0, + "type": "netflow_flow", + "art_count_responses": 0, + "waasoptimization_segment": 16, + "art_count_retransmissions": 0, + "ip_diff_serv_code_point": 0, + "ip_ttl": 43, + "art_count_late_responses": 0, + "art_total_transaction_time_sum": 59790, + "protocol_identifier": 6, + "flow_start_sys_up_time": 564184348, + "responder_packets": 2, + "art_server_response_time_maximum": 0, + "art_server_network_time_sum": 0, + "connection_sum_duration_seconds": 119, + "egress_interface": 13 + }, + "network": { + "iana_number": 6, + "bytes": 31, + "packets": 3, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp" + }, + "observer": { + "ip": "127.0.0.1" + }, + "client": { + "bytes": 31, + "packets": 2 + }, + "source": { + 
"bytes": 31, + "packets": 2 + }, + "ecs": { + "version": "1.8.0" + }, + "server": { + "packets": 1, + "bytes": 0 + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "event": { + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event" + }, + "destination": { + "bytes": 0, + "packets": 1 + }, + "input": { + "type": "netflow" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "event": { + "category": "network_session", + "action": "netflow_flow", + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event" + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "input": { + "type": "netflow" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "ecs": { + "version": "1.8.0" + }, + "client": { + "bytes": 13482, + "packets": 17 + }, + "destination": { + "bytes": 8989, + "packets": 19 + }, + "server": { + "bytes": 8989, + "packets": 19 + }, + "source": { + "bytes": 13482, + "packets": 17 + }, + "network": { + "packets": 36, + "direction": "unknown", + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 22471 + }, + "host": { + "name": "mbp.local" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "responder_packets": 17, + "new_connection_delta_count": 1, + "art_count_retransmissions": 0, + "art_count_transactions": 6, + "exporter": { + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10 + }, + "art_count_responses": 6, + "art_server_response_time_sum": 33, + "flow_end_sys_up_time": 564184586, + "art_total_transaction_time_sum": 43, + "egress_interface": 13, + "flow_start_sys_up_time": 564184356, + 
"art_network_time_sum": 3, + "initiator_packets": 19, + "type": "netflow_flow", + "art_response_time_sum": 33, + "ingress_interface": 10, + "art_server_network_time_sum": 0, + "waasoptimization_segment": 16, + "ingress_vrfid": 0, + "art_client_network_time_sum": 3, + "protocol_identifier": 6, + "responder_octets": 13482, + "ip_diff_serv_code_point": 0, + "art_total_response_time_sum": 51, + "art_count_late_responses": 0, + "ip_ttl": 124, + "art_server_response_time_maximum": 28, + "vlan_id": 0, + "biflow_direction": 2, + "initiator_octets": 8989, + "connection_sum_duration_seconds": 0 + }, + "observer": { + "ip": "127.0.0.1" + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "network": { + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "transport": "tcp", + "iana_number": 6, + "bytes": 261718, + "packets": 369, + "direction": "unknown" + }, + "netflow": { + "ip_diff_serv_code_point": 0, + "connection_sum_duration_seconds": 116, + "art_count_transactions": 25, + "egress_interface": 13, + "new_connection_delta_count": 8, + "vlan_id": 0, + "biflow_direction": 2, + "art_response_time_sum": 301, + "art_total_response_time_sum": 363, + "art_network_time_sum": 58, + "art_server_network_time_sum": 38, + "type": "netflow_flow", + "flow_end_sys_up_time": 564215336, + "art_server_response_time_maximum": 31, + "art_server_response_time_sum": 168, + "ip_ttl": 61, + "art_total_transaction_time_sum": 332, + "responder_octets": 28373, + "protocol_identifier": 6, + "ingress_interface": 10, + "application_id": [ + 13, + 0, + 2, + 99 + ], + "responder_packets": 133, + "art_count_responses": 25, + "art_count_late_responses": 0, + "flow_start_sys_up_time": 564184380, + "ingress_vrfid": 0, + "waasoptimization_segment": 16, + "art_count_retransmissions": 4, + "exporter": { + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "address": "127.0.0.1:62809", + "source_id": 512, + "version": 10 + }, + "initiator_octets": 233345, + "initiator_packets": 236, + 
"art_client_network_time_sum": 20 + }, + "client": { + "bytes": 28373, + "packets": 133 + }, + "server": { + "bytes": 233345, + "packets": 236 + }, + "source": { + "bytes": 28373, + "packets": 133 + }, + "observer": { + "ip": "127.0.0.1" + }, + "input": { + "type": "netflow" + }, + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "flow": { + "locality": "internal", + "id": "Vhs9T5k296w" + }, + "destination": { + "packets": 236, + "bytes": 233345 + }, + "event": { + "type": [ + "connection" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "category": "network_session", + "action": "netflow_flow" + }, + "ecs": { + "version": "1.8.0" + }, + "host": { + "name": "mbp.local" + } + }, + { + "@timestamp": "2020-04-16T23:22:51Z", + "destination": { + "ip": "10.36.236.100", + "locality": "internal", + "port": 54594 + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "6mUV1nPVG80", + "locality": "internal" + }, + "netflow": { + "destination_ipv4_address": "10.36.236.100", + "destination_transport_port": 54594, + "egress_interface": 1, + "exporter": { + "address": "81.2.69.144:10000", + "source_id": 1, + "timestamp": "2020-04-16T23:22:51Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_milliseconds": "2020-04-16T23:22:48.963Z", + "flow_end_reason": 3, + "flow_start_milliseconds": "2020-04-16T23:22:48.96Z", + "ingress_interface": 1, + "octet_delta_count": 1855, + "packet_delta_count": 5, + "protocol_identifier": 6, + "source_ipv4_address": "10.127.32.11", + "source_transport_port": 53, + "tcp_control_bits": 27, + "type": "netflow_flow" + }, + "network": { + "bytes": 1855, + "community_id": "1:+/kh1SKruHHnZ5JGSMfWk9nZx8o=", + "direction": "unknown", + "iana_number": 6, + "packets": 5, + "transport": "tcp" + }, + 
"observer": { + "ip": "81.2.69.144" + }, + "related": { + "ip": [ + "10.36.236.100", + "10.127.32.11" + ] + }, + "source": { + "bytes": 1855, + "ip": "10.127.32.11", + "locality": "internal", + "packets": 5, + "port": 53 + } + }, + { + "@timestamp": "2020-04-16T23:22:51Z", + "destination": { + "ip": "10.36.236.100", + "locality": "internal", + "port": 49180 + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "HVg4SttTufc", + "locality": "external" + }, + "netflow": { + "destination_ipv4_address": "10.36.236.100", + "destination_transport_port": 49180, + "egress_interface": 1, + "exporter": { + "address": "81.2.69.144:10000", + "source_id": 1, + "timestamp": "2020-04-16T23:22:51Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_milliseconds": "2020-04-16T23:22:48.404Z", + "flow_end_reason": 3, + "flow_start_milliseconds": "2020-04-16T23:22:47.995Z", + "ingress_interface": 1, + "octet_delta_count": 7158, + "packet_delta_count": 10, + "protocol_identifier": 6, + "source_ipv4_address": "89.160.20.112", + "source_transport_port": 443, + "tcp_control_bits": 27, + "type": "netflow_flow" + }, + "network": { + "bytes": 7158, + "community_id": "1:Zyly7BCJ6D7luuRJJazRxZ/mFZM=", + "direction": "unknown", + "iana_number": 6, + "packets": 10, + "transport": "tcp" + }, + "observer": { + "ip": "81.2.69.144" + }, + "related": { + "ip": [ + "10.36.236.100", + "89.160.20.112" + ] + }, + "source": { + "bytes": 7158, + "ip": "89.160.20.112", + "locality": "external", + "packets": 10, + "port": 443 + } + }, + { + "@timestamp": "2020-04-16T23:22:51Z", + "destination": { + "ip": "89.160.20.112", + "locality": "external", + "port": 443 + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "HVg4SttTufc", + "locality": "external" + }, + "netflow": { + "destination_ipv4_address": 
"89.160.20.112", + "destination_transport_port": 443, + "egress_interface": 1, + "exporter": { + "address": "81.2.69.144:10000", + "source_id": 1, + "timestamp": "2020-04-16T23:22:51Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_milliseconds": "2020-04-16T23:22:48.404Z", + "flow_end_reason": 3, + "flow_start_milliseconds": "2020-04-16T23:22:47.92Z", + "ingress_interface": 1, + "octet_delta_count": 1538, + "packet_delta_count": 11, + "protocol_identifier": 6, + "source_ipv4_address": "10.36.236.100", + "source_transport_port": 49180, + "tcp_control_bits": 27, + "type": "netflow_flow" + }, + "network": { + "bytes": 1538, + "community_id": "1:Zyly7BCJ6D7luuRJJazRxZ/mFZM=", + "direction": "unknown", + "iana_number": 6, + "packets": 11, + "transport": "tcp" + }, + "observer": { + "ip": "81.2.69.144" + }, + "related": { + "ip": [ + "10.36.236.100", + "89.160.20.112" + ] + }, + "source": { + "bytes": 1538, + "ip": "10.36.236.100", + "locality": "internal", + "packets": 11, + "port": 49180 + } + }, + { + "@timestamp": "2018-04-15T03:30:00Z", + "destination": { + "ip": "0.0.0.0", + "locality": "internal", + "port": 135 + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "GYmhjYyvaAI", + "locality": "internal" + }, + "netflow": { + "bgp_destination_as_number": 0, + "bgp_source_as_number": 0, + "destination_ipv4_address": "0.0.0.0", + "destination_ipv6_address": "2a02:cf40::2", + "destination_transport_port": 135, + "exporter": { + "address": "81.2.69.144:4444", + "source_id": 2875616939, + "timestamp": "2018-04-15T03:30:00Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_seconds": "2018-04-15T03:29:02Z", + "flow_start_seconds": "2018-04-15T03:28:44Z", + "procera_base_service": "IP protocol 58 (IPv6-ICMP)", + "procera_content_categories": "", + "procera_flow_behavior": "INITIAL,SERVER_IS_LOCAL,BEGINNING,ESTABLISHED", + "procera_http_content_type": "", + 
"procera_http_file_length": 0, + "procera_http_location": "", + "procera_http_url": "", + "procera_incoming_octets": 86, + "procera_outgoing_octets": 78, + "procera_service": "IP protocol 58 (IPv6-ICMP)", + "procera_subscriber_identifier": "", + "procera_template_name": "IPFIX", + "protocol_identifier": 58, + "source_ipv4_address": "0.0.0.0", + "source_ipv6_address": "2a02:cf40::1", + "source_transport_port": 136, + "type": "netflow_flow" + }, + "network": { + "community_id": "1:vK+Zeop1Y3GHxfFGVF2/COcNBWw=", + "direction": "unknown", + "iana_number": 58, + "transport": "ipv6-icmp" + }, + "observer": { + "ip": "81.2.69.144" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "source": { + "ip": "0.0.0.0", + "locality": "internal", + "port": 136 + } + }, + { + "@timestamp": "2018-04-15T03:30:00Z", + "destination": { + "ip": "0.0.0.0", + "locality": "internal", + "port": 135 + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "GYmhjYyvaAI", + "locality": "internal" + }, + "netflow": { + "bgp_destination_as_number": 0, + "bgp_source_as_number": 0, + "destination_ipv6_address": "2a02:cf40::2", + "destination_transport_port": 135, + "exporter": { + "address": "81.2.69.144:4444", + "source_id": 2875616939, + "timestamp": "2018-04-15T03:30:00Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_seconds": "2018-04-15T03:29:02Z", + "flow_start_seconds": "2018-04-15T03:28:44Z", + "procera_base_service": "IP protocol 58 (IPv6-ICMP)", + "procera_content_categories": "", + "procera_flow_behavior": "INITIAL,SERVER_IS_LOCAL,BEGINNING,ESTABLISHED", + "procera_http_content_type": "", + "procera_http_file_length": 0, + "procera_http_location": "", + "procera_http_url": "", + "procera_incoming_octets": 86, + "procera_outgoing_octets": 78, + "procera_service": "IP protocol 58 (IPv6-ICMP)", + "procera_subscriber_identifier": "", + "procera_template_name": "IPFIX", + 
"protocol_identifier": 58, + "source_ipv6_address": "2a02:cf40::1", + "source_transport_port": 136, + "type": "netflow_flow" + }, + "network": { + "community_id": "1:vK+Zeop1Y3GHxfFGVF2/COcNBWw=", + "direction": "unknown", + "iana_number": 58, + "transport": "ipv6-icmp" + }, + "observer": { + "ip": "81.2.69.144" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "source": { + "ip": "0.0.0.0", + "locality": "internal", + "port": 136 + } + } + ] +} \ No newline at end of file diff --git a/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json b/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json new file mode 100644 index 00000000000..8b3f75a1aec --- /dev/null +++ b/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json 
@@ -0,0 +1,3587 @@ +{ + "expected": [ + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 719, + "packets": 5 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184158, + "flow_start_sys_up_time": 564184140, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 719, + "initiator_packets": 5, + "ip_diff_serv_code_point": 0, + "ip_ttl": 49, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 719, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + 
"iana_number": "6", + "packets": 5, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 719, + "packets": 5 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 1477, + "packets": 6 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184154, + "flow_start_sys_up_time": 564184140, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 1477, + "initiator_packets": 6, + "ip_diff_serv_code_point": 0, + "ip_ttl": 49, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": 
"netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 1477, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 6, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 1477, + "packets": 6 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 1, + "packets": 1 + }, + "destination": { + "bytes": 0, + "packets": 1 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 2, + 8 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 1, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 89, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184144, + "flow_start_sys_up_time": 564184142, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 1, + "initiator_packets": 1, + 
"ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 1, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 1, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 2, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 1 + }, + "source": { + "bytes": 1, + "packets": 1 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 108580, + "packets": 79 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 2, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + 
"flow_end_sys_up_time": 564184216, + "flow_start_sys_up_time": 564184131, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 108580, + "initiator_packets": 79, + "ip_diff_serv_code_point": 0, + "ip_ttl": 49, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 108580, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 79, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 108580, + "packets": 79 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 342, + "packets": 5 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + 
"egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184208, + "flow_start_sys_up_time": 564184176, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 342, + "initiator_packets": 5, + "ip_diff_serv_code_point": 0, + "ip_ttl": 49, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 342, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 5, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 342, + "packets": 5 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 1851, + "packets": 17 + }, + "destination": { + "bytes": 9437, + "packets": 18 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 2, + "art_count_late_responses": 0, + "art_count_responses": 3, + "art_count_retransmissions": 0, + "art_count_transactions": 2, + "art_network_time_sum": 97, + "art_response_time_sum": 153, + "art_server_network_time_sum": 95, + "art_server_response_time_maximum": 8, + 
"art_server_response_time_sum": 13, + "art_total_response_time_sum": 156, + "art_total_transaction_time_sum": 100, + "biflow_direction": 1, + "connection_sum_duration_seconds": 24, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564197394, + "flow_start_sys_up_time": 564184067, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 1851, + "initiator_packets": 17, + "ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 2, + "protocol_identifier": 6, + "responder_octets": 9437, + "responder_packets": 18, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 11288, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 35, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 9437, + "packets": 18 + }, + "source": { + "bytes": 1851, + "packets": 17 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 51480, + "packets": 39 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + 
"art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184216, + "flow_start_sys_up_time": 564184182, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 51480, + "initiator_packets": 39, + "ip_diff_serv_code_point": 0, + "ip_ttl": 49, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 51480, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 39, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 51480, + "packets": 39 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 5135, + "packets": 55 + }, + "destination": { + "bytes": 36894, + "packets": 47 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + 
"type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 10, + "art_count_late_responses": 0, + "art_count_responses": 15, + "art_count_retransmissions": 0, + "art_count_transactions": 14, + "art_network_time_sum": 374, + "art_response_time_sum": 516, + "art_server_network_time_sum": 364, + "art_server_response_time_maximum": 27, + "art_server_response_time_sum": 117, + "art_total_response_time_sum": 541, + "art_total_transaction_time_sum": 512, + "biflow_direction": 1, + "connection_sum_duration_seconds": 35, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564203810, + "flow_start_sys_up_time": 564184040, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 5135, + "initiator_packets": 55, + "ip_diff_serv_code_point": 0, + "ip_ttl": 126, + "new_connection_delta_count": 6, + "protocol_identifier": 6, + "responder_octets": 36894, + "responder_packets": 47, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 42029, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 102, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 36894, + "packets": 47 + }, + "source": { + "bytes": 5135, + "packets": 55 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 6533, + "packets": 14 + }, + "destination": { + "bytes": 6400, + "packets": 20 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + 
"created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 2, + 99 + ], + "art_client_network_time_sum": 5, + "art_count_late_responses": 0, + "art_count_responses": 6, + "art_count_retransmissions": 1, + "art_count_transactions": 6, + "art_network_time_sum": 23, + "art_response_time_sum": 123, + "art_server_network_time_sum": 18, + "art_server_response_time_maximum": 31, + "art_server_response_time_sum": 78, + "art_total_response_time_sum": 138, + "art_total_transaction_time_sum": 123, + "biflow_direction": 2, + "connection_sum_duration_seconds": 64, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564200378, + "flow_start_sys_up_time": 564184163, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 6400, + "initiator_packets": 20, + "ip_diff_serv_code_point": 0, + "ip_ttl": 61, + "new_connection_delta_count": 2, + "protocol_identifier": 6, + "responder_octets": 6533, + "responder_packets": 14, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 12933, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 34, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 6400, + "packets": 20 + }, + "source": { + "bytes": 6533, + "packets": 14 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 5684, + 
"packets": 491 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 0, + 49 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 109, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564185840, + "flow_start_sys_up_time": 564184196, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 5684, + "initiator_packets": 491, + "ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 5684, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 491, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 5684, + "packets": 491 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": 
"0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 4965, + "packets": 13 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184254, + "flow_start_sys_up_time": 564184154, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 4965, + "initiator_packets": 13, + "ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 4965, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 13, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + 
"server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 4965, + "packets": 13 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 138, + "packets": 4 + }, + "destination": { + "bytes": 0, + "packets": 2 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 2, + 99 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 2, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 119878, + "biflow_direction": 2, + "connection_sum_duration_seconds": 239, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184362, + "flow_start_sys_up_time": 564184214, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 0, + "initiator_packets": 2, + "ip_diff_serv_code_point": 0, + "ip_ttl": 61, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 138, + "responder_packets": 4, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 138, + "community_id": 
"1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 6, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 2 + }, + "source": { + "bytes": 138, + "packets": 4 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 1, + "packets": 1 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 2, + 8 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 1, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 44, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184220, + "flow_start_sys_up_time": 564184220, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 1, + "initiator_packets": 1, + "ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + 
"responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 1, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 1, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 1, + "packets": 1 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 6079, + "packets": 10 + }, + "destination": { + "bytes": 1571, + "packets": 13 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 3, + "art_count_late_responses": 0, + "art_count_responses": 3, + "art_count_retransmissions": 0, + "art_count_transactions": 2, + "art_network_time_sum": 149, + "art_response_time_sum": 444, + "art_server_network_time_sum": 146, + "art_server_response_time_maximum": 3, + "art_server_response_time_sum": 6, + "art_total_response_time_sum": 453, + "art_total_transaction_time_sum": 296, + "biflow_direction": 2, + "connection_sum_duration_seconds": 62, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564215068, + "flow_start_sys_up_time": 564184067, + "ingress_interface": 10, + 
"ingress_vrfid": 0, + "initiator_octets": 1571, + "initiator_packets": 13, + "ip_diff_serv_code_point": 0, + "ip_ttl": 220, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 6079, + "responder_packets": 10, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 7650, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 23, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 1571, + "packets": 13 + }, + "source": { + "bytes": 6079, + "packets": 10 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 2807, + "packets": 6 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + 
"timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184252, + "flow_start_sys_up_time": 564183878, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 2807, + "initiator_packets": 6, + "ip_diff_serv_code_point": 0, + "ip_ttl": 61, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 2807, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 6, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 2807, + "packets": 6 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 0, + "packets": 1 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 0, + 1 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + 
"art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 59, + "egress_interface": 4, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184248, + "flow_start_sys_up_time": 564184248, + "ingress_interface": 1, + "ingress_vrfid": 0, + "initiator_octets": 0, + "initiator_packets": 1, + "ip_diff_serv_code_point": 0, + "ip_ttl": 124, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 0, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 1, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 0, + "packets": 1 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 1877, + "packets": 11 + }, + "destination": { + "bytes": 3409, + "packets": 7 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 2, + "art_count_late_responses": 0, + "art_count_responses": 4, + "art_count_retransmissions": 0, + "art_count_transactions": 4, + "art_network_time_sum": 6, + 
"art_response_time_sum": 23, + "art_server_network_time_sum": 4, + "art_server_response_time_maximum": 3, + "art_server_response_time_sum": 7, + "art_total_response_time_sum": 31, + "art_total_transaction_time_sum": 23, + "biflow_direction": 1, + "connection_sum_duration_seconds": 32, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564200378, + "flow_start_sys_up_time": 564184251, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 1877, + "initiator_packets": 11, + "ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 3409, + "responder_packets": 7, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 5286, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 18, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 3409, + "packets": 7 + }, + "source": { + "bytes": 1877, + "packets": 11 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 2255, + "packets": 7 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + 
"art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184286, + "flow_start_sys_up_time": 564184040, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 2255, + "initiator_packets": 7, + "ip_diff_serv_code_point": 0, + "ip_ttl": 61, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 2255, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 7, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 2255, + "packets": 7 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 538, + "packets": 5 + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.938Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + 
"locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184314, + "flow_start_sys_up_time": 564184284, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 538, + "initiator_packets": 5, + "ip_diff_serv_code_point": 0, + "ip_ttl": 49, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 538, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 5, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 538, + "packets": 5 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 1487, + "packets": 21 + }, + "destination": { + "bytes": 6305, + "packets": 15 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + 
"category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 2, + 102 + ], + "art_client_network_time_sum": 2, + "art_count_late_responses": 0, + "art_count_responses": 5, + "art_count_retransmissions": 0, + "art_count_transactions": 5, + "art_network_time_sum": 9, + "art_response_time_sum": 72, + "art_server_network_time_sum": 7, + "art_server_response_time_maximum": 25, + "art_server_response_time_sum": 55, + "art_total_response_time_sum": 77, + "art_total_transaction_time_sum": 59870, + "biflow_direction": 1, + "connection_sum_duration_seconds": 181, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564214304, + "flow_start_sys_up_time": 564184296, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 1487, + "initiator_packets": 21, + "ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 2, + "protocol_identifier": 6, + "responder_octets": 6305, + "responder_packets": 15, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 7792, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 36, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 6305, + "packets": 15 + }, + "source": { + "bytes": 1487, + "packets": 21 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": 
"8.0.0" + }, + "client": { + "bytes": 3110, + "packets": 7 + }, + "destination": { + "bytes": 1973, + "packets": 10 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 2, + 99 + ], + "art_client_network_time_sum": 2, + "art_count_late_responses": 0, + "art_count_responses": 3, + "art_count_retransmissions": 0, + "art_count_transactions": 3, + "art_network_time_sum": 12, + "art_response_time_sum": 39, + "art_server_network_time_sum": 10, + "art_server_response_time_maximum": 14, + "art_server_response_time_sum": 15, + "art_total_response_time_sum": 45, + "art_total_transaction_time_sum": 39, + "biflow_direction": 2, + "connection_sum_duration_seconds": 32, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564200376, + "flow_start_sys_up_time": 564184268, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 1973, + "initiator_packets": 10, + "ip_diff_serv_code_point": 0, + "ip_ttl": 61, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 3110, + "responder_packets": 7, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 5083, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 17, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 1973, + "packets": 10 + }, + "source": { + "bytes": 3110, + "packets": 7 + } + }, + { + "@timestamp": 
"2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 2, + "packets": 4 + }, + "destination": { + "bytes": 2, + "packets": 4 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 5, + 153 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 2, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 2, + "connection_sum_duration_seconds": 119, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564214242, + "flow_start_sys_up_time": 564184300, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 2, + "initiator_packets": 4, + "ip_diff_serv_code_point": 0, + "ip_ttl": 124, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 2, + "responder_packets": 4, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 4, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 8, + "transport": "tcp" + }, + 
"observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 2, + "packets": 4 + }, + "source": { + "bytes": 2, + "packets": 4 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 2, + "packets": 2 + }, + "destination": { + "bytes": 0, + "packets": 2 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 2, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 179, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184580, + "flow_start_sys_up_time": 564184306, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 2, + "initiator_packets": 2, + "ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 2, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + 
"network": { + "bytes": 2, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 4, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 2 + }, + "source": { + "bytes": 2, + "packets": 2 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 0, + "packets": 4 + }, + "destination": { + "bytes": 0, + "packets": 2 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 2, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 18, + "biflow_direction": 1, + "connection_sum_duration_seconds": 119, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184326, + "flow_start_sys_up_time": 564184326, + "ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 0, + "initiator_packets": 4, + "ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 
0, + "protocol_identifier": 6, + "responder_octets": 0, + "responder_packets": 2, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 0, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 6, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 2 + }, + "source": { + "bytes": 0, + "packets": 4 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 1005, + "packets": 4 + }, + "destination": { + "bytes": 174, + "packets": 3 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 5, + 153 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 1, + "art_count_retransmissions": 1, + "art_count_transactions": 1, + "art_network_time_sum": 0, + "art_response_time_sum": 5, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 5, + "art_server_response_time_sum": 5, + "art_total_response_time_sum": 8, + "art_total_transaction_time_sum": 12, + "biflow_direction": 1, + "connection_sum_duration_seconds": 119, + "egress_interface": 10, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564214476, + "flow_start_sys_up_time": 564184326, + 
"ingress_interface": 13, + "ingress_vrfid": 0, + "initiator_octets": 1005, + "initiator_packets": 4, + "ip_diff_serv_code_point": 0, + "ip_ttl": 125, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 174, + "responder_packets": 3, + "type": "netflow_flow", + "vlan_id": 290, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 1179, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 7, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 174, + "packets": 3 + }, + "source": { + "bytes": 1005, + "packets": 4 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 138, + "packets": 4 + }, + "destination": { + "bytes": 0, + "packets": 2 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 2, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 119644, + "biflow_direction": 2, + "connection_sum_duration_seconds": 238, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", 
+ "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184490, + "flow_start_sys_up_time": 564184336, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 0, + "initiator_packets": 2, + "ip_diff_serv_code_point": 0, + "ip_ttl": 61, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 138, + "responder_packets": 4, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 138, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 6, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 2 + }, + "source": { + "bytes": 138, + "packets": 4 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 31, + "packets": 2 + }, + "destination": { + "bytes": 0, + "packets": 1 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 1, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + 
"art_total_transaction_time_sum": 59790, + "biflow_direction": 2, + "connection_sum_duration_seconds": 119, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184350, + "flow_start_sys_up_time": 564184348, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 0, + "initiator_packets": 1, + "ip_diff_serv_code_point": 0, + "ip_ttl": 43, + "new_connection_delta_count": 0, + "protocol_identifier": 6, + "responder_octets": 31, + "responder_packets": 2, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 31, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 3, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 0, + "packets": 1 + }, + "source": { + "bytes": 31, + "packets": 2 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 13482, + "packets": 17 + }, + "destination": { + "bytes": 8989, + "packets": 19 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 1, + 197 + ], + "art_client_network_time_sum": 3, + "art_count_late_responses": 0, + "art_count_responses": 6, + "art_count_retransmissions": 0, + "art_count_transactions": 6, + "art_network_time_sum": 3, + 
"art_response_time_sum": 33, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 28, + "art_server_response_time_sum": 33, + "art_total_response_time_sum": 51, + "art_total_transaction_time_sum": 43, + "biflow_direction": 2, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184586, + "flow_start_sys_up_time": 564184356, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 8989, + "initiator_packets": 19, + "ip_diff_serv_code_point": 0, + "ip_ttl": 124, + "new_connection_delta_count": 1, + "protocol_identifier": 6, + "responder_octets": 13482, + "responder_packets": 17, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 22471, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 36, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 8989, + "packets": 19 + }, + "source": { + "bytes": 13482, + "packets": 17 + } + }, + { + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", + "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", + "name": "mbp.local", + "type": "filebeat", + "version": "8.0.0" + }, + "client": { + "bytes": 28373, + "packets": 133 + }, + "destination": { + "bytes": 233345, + "packets": 236 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network", + "session" + ], + "created": "2021-05-19T09:08:51.939Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "host": { + "name": "mbp.local" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 13, + 0, + 2, + 
99 + ], + "art_client_network_time_sum": 20, + "art_count_late_responses": 0, + "art_count_responses": 25, + "art_count_retransmissions": 4, + "art_count_transactions": 25, + "art_network_time_sum": 58, + "art_response_time_sum": 301, + "art_server_network_time_sum": 38, + "art_server_response_time_maximum": 31, + "art_server_response_time_sum": 168, + "art_total_response_time_sum": 363, + "art_total_transaction_time_sum": 332, + "biflow_direction": 2, + "connection_sum_duration_seconds": 116, + "egress_interface": 13, + "exporter": { + "address": "127.0.0.1:62809", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564215336, + "flow_start_sys_up_time": 564184380, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 233345, + "initiator_packets": 236, + "ip_diff_serv_code_point": 0, + "ip_ttl": 61, + "new_connection_delta_count": 8, + "protocol_identifier": 6, + "responder_octets": 28373, + "responder_packets": 133, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 261718, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 369, + "transport": "tcp" + }, + "observer": { + "ip": [ + "127.0.0.1" + ] + }, + "server": { + "bytes": 233345, + "packets": 236 + }, + "source": { + "bytes": 28373, + "packets": 133 + } + }, + { + "@timestamp": "2020-04-16T23:22:51Z", + "destination": { + "ip": "10.36.236.100", + "locality": "internal", + "port": 54594 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "6mUV1nPVG80", + "locality": "internal" + }, + "netflow": { + "destination_ipv4_address": "10.36.236.100", + "destination_transport_port": 54594, + "egress_interface": 1, + "exporter": { + "address": "81.2.69.144:10000", + 
"source_id": 1, + "timestamp": "2020-04-16T23:22:51Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_milliseconds": "2020-04-16T23:22:48.963Z", + "flow_end_reason": 3, + "flow_start_milliseconds": "2020-04-16T23:22:48.96Z", + "ingress_interface": 1, + "octet_delta_count": 1855, + "packet_delta_count": 5, + "protocol_identifier": 6, + "source_ipv4_address": "10.127.32.11", + "source_transport_port": 53, + "tcp_control_bits": 27, + "type": "netflow_flow" + }, + "network": { + "bytes": 1855, + "community_id": "1:+/kh1SKruHHnZ5JGSMfWk9nZx8o=", + "direction": "internal", + "iana_number": "6", + "packets": 5, + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "ip": [ + "81.2.69.144" + ] + }, + "related": { + "ip": [ + "10.36.236.100", + "10.127.32.11" + ] + }, + "source": { + "bytes": 1855, + "ip": "10.127.32.11", + "locality": "internal", + "packets": 5, + "port": 53 + } + }, + { + "@timestamp": "2020-04-16T23:22:51Z", + "destination": { + "ip": "10.36.236.100", + "locality": "internal", + "port": 49180 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "HVg4SttTufc", + "locality": "external" + }, + "netflow": { + "destination_ipv4_address": "10.36.236.100", + "destination_transport_port": 49180, + "egress_interface": 1, + "exporter": { + "address": "81.2.69.144:10000", + "source_id": 1, + "timestamp": "2020-04-16T23:22:51Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_milliseconds": "2020-04-16T23:22:48.404Z", + "flow_end_reason": 3, + "flow_start_milliseconds": "2020-04-16T23:22:47.995Z", + "ingress_interface": 1, + "octet_delta_count": 7158, + "packet_delta_count": 10, + "protocol_identifier": 6, + "source_ipv4_address": "89.160.20.112", + "source_transport_port": 443, + "tcp_control_bits": 27, + "type": "netflow_flow" + }, + "network": { + "bytes": 7158, + "community_id": 
"1:Zyly7BCJ6D7luuRJJazRxZ/mFZM=", + "direction": "inbound", + "iana_number": "6", + "packets": 10, + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "ip": [ + "81.2.69.144" + ] + }, + "related": { + "ip": [ + "10.36.236.100", + "89.160.20.112" + ] + }, + "source": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "bytes": 7158, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112", + "locality": "external", + "packets": 10, + "port": 443 + } + }, + { + "@timestamp": "2020-04-16T23:22:51Z", + "destination": { + "as": { + "number": 29518, + "organization": { + "name": "Bredband2 AB" + } + }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.112", + "locality": "external", + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "HVg4SttTufc", + "locality": "external" + }, + "netflow": { + "destination_ipv4_address": "89.160.20.112", + "destination_transport_port": 443, + "egress_interface": 1, + "exporter": { + "address": "81.2.69.144:10000", + "source_id": 1, + "timestamp": "2020-04-16T23:22:51Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_milliseconds": "2020-04-16T23:22:48.404Z", + "flow_end_reason": 3, + "flow_start_milliseconds": "2020-04-16T23:22:47.92Z", + "ingress_interface": 1, + "octet_delta_count": 1538, + "packet_delta_count": 11, + "protocol_identifier": 6, + "source_ipv4_address": "10.36.236.100", + 
"source_transport_port": 49180, + "tcp_control_bits": 27, + "type": "netflow_flow" + }, + "network": { + "bytes": 1538, + "community_id": "1:Zyly7BCJ6D7luuRJJazRxZ/mFZM=", + "direction": "outbound", + "iana_number": "6", + "packets": 11, + "transport": "tcp", + "type": "ipv4" + }, + "observer": { + "ip": [ + "81.2.69.144" + ] + }, + "related": { + "ip": [ + "10.36.236.100", + "89.160.20.112" + ] + }, + "source": { + "bytes": 1538, + "ip": "10.36.236.100", + "locality": "internal", + "packets": 11, + "port": 49180 + } + }, + { + "@timestamp": "2018-04-15T03:30:00Z", + "destination": { + "ip": "0.0.0.0", + "locality": "internal", + "port": 135 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "GYmhjYyvaAI", + "locality": "internal" + }, + "netflow": { + "bgp_destination_as_number": 0, + "bgp_source_as_number": 0, + "destination_ipv4_address": "0.0.0.0", + "destination_ipv6_address": "2a02:cf40::2", + "destination_transport_port": 135, + "exporter": { + "address": "81.2.69.144:4444", + "source_id": 2875616939, + "timestamp": "2018-04-15T03:30:00Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_seconds": "2018-04-15T03:29:02Z", + "flow_start_seconds": "2018-04-15T03:28:44Z", + "procera_base_service": "IP protocol 58 (IPv6-ICMP)", + "procera_content_categories": "", + "procera_flow_behavior": "INITIAL,SERVER_IS_LOCAL,BEGINNING,ESTABLISHED", + "procera_http_content_type": "", + "procera_http_file_length": 0, + "procera_http_location": "", + "procera_http_url": "", + "procera_incoming_octets": 86, + "procera_outgoing_octets": 78, + "procera_service": "IP protocol 58 (IPv6-ICMP)", + "procera_subscriber_identifier": "", + "procera_template_name": "IPFIX", + "protocol_identifier": 58, + "source_ipv4_address": "0.0.0.0", + "source_ipv6_address": "2a02:cf40::1", + "source_transport_port": 136, + "type": "netflow_flow" + }, + 
"network": { + "community_id": "1:vK+Zeop1Y3GHxfFGVF2/COcNBWw=", + "direction": "internal", + "iana_number": "58", + "transport": "ipv6-icmp", + "type": [ + "ipv4", + "ipv6" + ] + }, + "observer": { + "ip": [ + "81.2.69.144" + ] + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "source": { + "ip": "0.0.0.0", + "locality": "internal", + "port": 136 + } + }, + { + "@timestamp": "2018-04-15T03:30:00Z", + "destination": { + "ip": "0.0.0.0", + "locality": "internal", + "port": 135 + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "action": "netflow_flow", + "category": [ + "network" + ], + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "GYmhjYyvaAI", + "locality": "internal" + }, + "netflow": { + "bgp_destination_as_number": 0, + "bgp_source_as_number": 0, + "destination_ipv6_address": "2a02:cf40::2", + "destination_transport_port": 135, + "exporter": { + "address": "81.2.69.144:4444", + "source_id": 2875616939, + "timestamp": "2018-04-15T03:30:00Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_seconds": "2018-04-15T03:29:02Z", + "flow_start_seconds": "2018-04-15T03:28:44Z", + "procera_base_service": "IP protocol 58 (IPv6-ICMP)", + "procera_content_categories": "", + "procera_flow_behavior": "INITIAL,SERVER_IS_LOCAL,BEGINNING,ESTABLISHED", + "procera_http_content_type": "", + "procera_http_file_length": 0, + "procera_http_location": "", + "procera_http_url": "", + "procera_incoming_octets": 86, + "procera_outgoing_octets": 78, + "procera_service": "IP protocol 58 (IPv6-ICMP)", + "procera_subscriber_identifier": "", + "procera_template_name": "IPFIX", + "protocol_identifier": 58, + "source_ipv6_address": "2a02:cf40::1", + "source_transport_port": 136, + "type": "netflow_flow" + }, + "network": { + "community_id": "1:vK+Zeop1Y3GHxfFGVF2/COcNBWw=", + "direction": "internal", + "iana_number": "58", + "transport": "ipv6-icmp", + "type": "ipv6" + }, + "observer": { + "ip": [ + "81.2.69.144" + ] + }, + "related": { + "ip": [ + 
"0.0.0.0"
+ ]
+ },
+ "source": {
+ "ip": "0.0.0.0",
+ "locality": "internal",
+ "port": 136
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/endace/data_stream/log/_dev/test/system/test-netflow-config.yml b/packages/endace/data_stream/log/_dev/test/system/test-netflow-config.yml
new file mode 100644
index 00000000000..d55e2268d3c
--- /dev/null
+++ b/packages/endace/data_stream/log/_dev/test/system/test-netflow-config.yml
@@ -0,0 +1,9 @@
+service: netflow-log-netflow
+service_notify_signal: SIGHUP
+input: netflow
+data_stream:
+ vars:
+ host: 0.0.0.0
+ port: 2055
+numeric_keyword_fields:
+ - network.iana_number
diff --git a/packages/endace/data_stream/log/agent/stream/netflow.yml.hbs b/packages/endace/data_stream/log/agent/stream/netflow.yml.hbs
new file mode 100644
index 00000000000..c2d192f3c75
--- /dev/null
+++ b/packages/endace/data_stream/log/agent/stream/netflow.yml.hbs
@@ -0,0 +1,37 @@
+protocols: [v1, v5, v6, v7, v8, v9, ipfix]
+host: '{{host}}:{{port}}'
+max_message_size: '{{max_message_size}}'
+expiration_timeout: '{{expiration_timeout}}'
+queue_size: {{queue_size}}
+{{#if timeout}}
+timeout: '{{timeout}}'
+{{/if}}
+{{#if read_buffer}}
+read_buffer: '{{read_buffer}}'
+{{/if}}
+{{#if internal_networks}}
+internal_networks:
+{{#each internal_networks as |network|}}
+ - {{network}}
+{{/each}}
+{{/if}}
+{{#if custom_definitions}}
+custom_definitions:
+{{#each custom_definitions as |def|}}
+- '{{def}}'
+{{/each}}
+{{/if}}
+{{#if detect_sequence_reset}}
+detect_sequence_reset: {{detect_sequence_reset}}
+{{/if}}
+tags:
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..2dd1531816f
--- /dev/null
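Review bot: `detect_sequence_reset` is only rendered when the variable is truthy (the `{{#if detect_sequence_reset}}` block near the end of the netflow.yml.hbs hunk), so a policy that sets it to false emits no line at all and the input silently falls back to its own default; if that default is enabled, the option cannot be switched off from the policy. Rendering it unconditionally, `detect_sequence_reset: {{detect_sequence_reset}}`, lets an explicit false reach the input. The string options wrapped the same way (`timeout`, `read_buffer`) are fine, since an empty string is the only falsy case there.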
+++ b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,115 @@
+---
+description: Pipeline for NetFlow
+
+processors:
+ - set:
+ field: ecs.version
+ value: '8.11.0'
+ - convert:
+ field: network.iana_number
+ type: string
+ ignore_missing: true
+ ignore_failure: true
+ - rename:
+ field: observer.ip
+ target_field: _tmp_.observer.ip
+ ignore_missing: true
+ - append:
+ field: observer.ip
+ value: '{{_tmp_.observer.ip}}'
+ if: ctx._tmp_?.observer?.ip != null
+ - set:
+ field: event.category
+ value:
+ - network
+ - session
+ if: ctx.event?.category != null && ctx.event?.category == "network_session"
+ - set:
+ field: network.type
+ value: ipv4
+ if: ctx.netflow?.source_ipv4_address != null || ctx.netflow?.destination_ipv4_address != null
+ - set:
+ field: network.type
+ value: ipv6
+ if: (ctx.netflow?.source_ipv6_address != null || ctx.netflow?.destination_ipv6_address != null) && ctx.network?.type == null
+ - append:
+ field: network.type
+ value: ipv6
+ if: (ctx.netflow?.source_ipv6_address != null || ctx.netflow?.destination_ipv6_address != null) && ctx.network?.type == "ipv4"
+ - set:
+ field: network.direction
+ value: inbound
+ if: ctx.source?.locality == "external" && ctx.destination?.locality == "internal"
+ - set:
+ field: network.direction
+ value: outbound
+ if: ctx.source?.locality == "internal" && ctx.destination?.locality == "external"
+ - set:
+ field: network.direction
+ value: internal
+ if: ctx.source?.locality == "internal" && ctx.destination?.locality == "internal"
+ - set:
+ field: network.direction
+ value: external
+ if: ctx.source?.locality == "external" && ctx.destination?.locality == "external"
+ - set:
+ field: network.direction
+ value: unknown
+ if: ctx.network?.direction == null
+
+ # IP Geolocation Lookup
+ - geoip:
+ if: ctx.source?.geo == null
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+ - geoip:
+ if: ctx.destination?.geo == null
+ field: destination.ip
+ target_field: destination.geo
+ ignore_missing: true
+
+ # IP Autonomous System (AS) Lookup
+ - 
geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: destination.ip
+ target_field: destination.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+ - rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+ - rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+ - rename:
+ field: destination.as.asn
+ target_field: destination.as.number
+ ignore_missing: true
+ - rename:
+ field: destination.as.organization_name
+ target_field: destination.as.organization.name
+ ignore_missing: true
+ - remove:
+ field:
+ - _tmp_
+ ignore_missing: true
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/endace/data_stream/log/fields/agent.yml b/packages/endace/data_stream/log/fields/agent.yml
new file mode 100644
index 00000000000..58486db7990
--- /dev/null
+++ b/packages/endace/data_stream/log/fields/agent.yml
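Review bot: The two ASN `geoip` processors at the top of this part of the hunk run unconditionally, whereas the geo lookups just before them are guarded with `if: ctx.source?.geo == null` and `if: ctx.destination?.geo == null`; an event that already carries `source.as` or `destination.as` from an upstream enrichment would have it overwritten by the local GeoLite2-ASN result (or by nothing, if the address is not in the database). Adding `if: ctx.source?.as == null` and `if: ctx.destination?.as == null` to the two ASN lookups keeps them consistent with the geo handling. Separately, the `network.type` conditions earlier in the hunk treat any non-null `*_ipv4_address` as IPv4, so the records in the expected file that carry both `0.0.0.0` and a real IPv6 address come out with `network.type: [ipv4, ipv6]` and `related.ip: [0.0.0.0]`; whether the all-zero placeholder should be excluded there deserves a decision, and a comment either way.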
@@ -0,0 +1,71 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ external: ecs
+ - name: image.name
+ external: ecs
+ - name: labels
+ external: ecs
+ - name: name
+ external: ecs
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' 
+ example: CONTOSO
+ default_field: false
+ - name: os.kernel
+ external: ecs
+ - name: os.platform
+ external: ecs
+ - name: os.version
+ external: ecs
+ - name: type
+ external: ecs
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+ 
diff --git a/packages/endace/data_stream/log/fields/base-fields.yml b/packages/endace/data_stream/log/fields/base-fields.yml
new file mode 100644
index 00000000000..c29343334e3
--- /dev/null
+++ b/packages/endace/data_stream/log/fields/base-fields.yml
@@ -0,0 +1,17 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: netflow
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: endace.log
diff --git a/packages/endace/data_stream/log/fields/ecs.yml b/packages/endace/data_stream/log/fields/ecs.yml
new file mode 100644
index 00000000000..c25e61cef3c
--- /dev/null
+++ b/packages/endace/data_stream/log/fields/ecs.yml
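Review bot: In the base-fields.yml hunk, `event.module` is pinned to `netflow` while `event.dataset` is `endace.log`; for an integration package named endace (as every path in this commit indicates) `event.module` conventionally carries the package name, so the two constants disagree and anything filtering on `event.module: endace` would miss this data stream. Suggest `value: endace` for `event.module`, unless the intent is to present the stream as the stock netflow module, in which case a short comment above the field stating that choice would save the next reader the same question. The two descriptions `Event module` and `Event dataset` also lack the trailing period the other three entries use.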
@@ -0,0 +1,712 @@ +- external: ecs + name: '@timestamp' +- external: ecs + name: agent.ephemeral_id +- external: ecs + name: agent.id +- external: ecs + name: agent.name +- external: ecs + name: agent.type +- external: ecs + name: agent.version +- external: ecs + name: client.address +- external: ecs + name: client.as.organization.name +- external: ecs + name: client.bytes +- external: ecs + name: client.domain +- external: ecs + name: client.geo.city_name +- external: ecs + name: client.geo.continent_name +- external: ecs + name: client.geo.country_iso_code +- external: ecs + name: client.geo.country_name +- external: ecs + name: client.geo.location +- external: ecs + name: client.geo.name +- external: ecs + name: client.geo.region_iso_code +- external: ecs + name: client.geo.region_name +- external: ecs + name: client.ip +- external: ecs + name: client.mac +- external: ecs + name: client.nat.ip +- external: ecs + name: client.nat.port +- external: ecs + name: client.packets +- external: ecs + name: client.port +- external: ecs + name: client.registered_domain +- external: ecs + name: client.top_level_domain +- external: ecs + name: client.user.domain +- external: ecs + name: client.user.email +- external: ecs + name: client.user.full_name +- external: ecs + name: client.user.group.domain +- external: ecs + name: client.user.group.id +- external: ecs + name: client.user.group.name +- external: ecs + name: client.user.hash +- external: ecs + name: client.user.id +- external: ecs + name: client.user.name +- external: ecs + name: cloud.account.id +- external: ecs + name: cloud.availability_zone +- external: ecs + name: cloud.instance.id +- external: ecs + name: cloud.instance.name +- external: ecs + name: cloud.machine.type +- external: ecs + name: cloud.provider +- external: ecs + name: cloud.region +- external: ecs + name: container.image.tag +- external: ecs + name: container.runtime +- external: ecs + name: destination.address +- external: ecs + name: 
destination.as.number +- external: ecs + name: destination.as.organization.name +- external: ecs + name: destination.bytes +- external: ecs + name: destination.domain +- external: ecs + name: destination.geo.city_name +- external: ecs + name: destination.geo.continent_name +- external: ecs + name: destination.geo.country_iso_code +- external: ecs + name: destination.geo.country_name +- external: ecs + name: destination.geo.location +- external: ecs + name: destination.geo.name +- external: ecs + name: destination.geo.region_iso_code +- external: ecs + name: destination.geo.region_name +- external: ecs + name: destination.ip +- external: ecs + name: destination.mac +- external: ecs + name: destination.nat.ip +- external: ecs + name: destination.nat.port +- external: ecs + name: destination.packets +- external: ecs + name: destination.port +- external: ecs + name: destination.registered_domain +- external: ecs + name: destination.top_level_domain +- external: ecs + name: destination.user.domain +- external: ecs + name: destination.user.email +- external: ecs + name: destination.user.full_name +- external: ecs + name: destination.user.group.domain +- external: ecs + name: destination.user.group.id +- external: ecs + name: destination.user.group.name +- external: ecs + name: destination.user.hash +- external: ecs + name: destination.user.id +- external: ecs + name: destination.user.name +- external: ecs + name: dns.answers + type: group +- external: ecs + name: dns.answers.class +- external: ecs + name: dns.answers.data +- external: ecs + name: dns.answers.name +- external: ecs + name: dns.answers.ttl +- external: ecs + name: dns.answers.type +- external: ecs + name: dns.header_flags +- external: ecs + name: dns.id +- external: ecs + name: dns.op_code +- external: ecs + name: dns.question.class +- external: ecs + name: dns.question.name +- external: ecs + name: dns.question.registered_domain +- external: ecs + name: dns.question.subdomain +- external: ecs + name: 
dns.question.top_level_domain +- external: ecs + name: dns.question.type +- external: ecs + name: dns.resolved_ip +- external: ecs + name: dns.response_code +- external: ecs + name: dns.type +- external: ecs + name: ecs.version +- external: ecs + name: error.code +- external: ecs + name: error.id +- external: ecs + name: error.message +- external: ecs + name: error.stack_trace +- external: ecs + name: error.type +- external: ecs + name: event.action +- external: ecs + name: event.category +- external: ecs + name: event.code +- external: ecs + name: event.created +- external: ecs + name: event.duration +- external: ecs + name: event.end +- external: ecs + name: event.hash +- external: ecs + name: event.id +- external: ecs + name: event.ingested +- external: ecs + name: event.kind +- external: ecs + name: event.original +- external: ecs + name: event.outcome +- external: ecs + name: event.provider +- external: ecs + name: event.risk_score +- external: ecs + name: event.risk_score_norm +- external: ecs + name: event.sequence +- external: ecs + name: event.severity +- external: ecs + name: event.start +- external: ecs + name: event.timezone +- external: ecs + name: event.type +- external: ecs + name: file.accessed +- external: ecs + name: file.created +- external: ecs + name: file.ctime +- external: ecs + name: file.device +- external: ecs + name: file.directory +- external: ecs + name: file.extension +- external: ecs + name: file.gid +- external: ecs + name: file.group +- external: ecs + name: file.hash.md5 +- external: ecs + name: file.hash.sha1 +- external: ecs + name: file.hash.sha256 +- external: ecs + name: file.hash.sha512 +- external: ecs + name: file.inode +- external: ecs + name: file.mode +- external: ecs + name: file.mtime +- external: ecs + name: file.name +- external: ecs + name: file.owner +- external: ecs + name: file.path +- external: ecs + name: file.size +- external: ecs + name: file.target_path +- external: ecs + name: file.type +- external: ecs + 
name: file.uid +- external: ecs + name: group.domain +- external: ecs + name: group.id +- external: ecs + name: group.name +- external: ecs + name: host.architecture +- external: ecs + name: host.geo.city_name +- external: ecs + name: host.geo.continent_name +- external: ecs + name: host.geo.country_iso_code +- external: ecs + name: host.geo.country_name +- external: ecs + name: host.geo.location +- external: ecs + name: host.geo.name +- external: ecs + name: host.geo.region_iso_code +- external: ecs + name: host.geo.region_name +- external: ecs + name: host.hostname +- external: ecs + name: host.id +- external: ecs + name: host.ip +- external: ecs + name: host.mac +- external: ecs + name: host.name +- external: ecs + name: host.os.family +- external: ecs + name: host.os.full +- external: ecs + name: host.os.name +- external: ecs + name: host.uptime +- external: ecs + name: http.request.body.bytes +- external: ecs + name: http.request.body.content +- external: ecs + name: http.request.bytes +- external: ecs + name: http.request.method +- external: ecs + name: http.request.referrer +- external: ecs + name: http.response.body.bytes +- external: ecs + name: http.response.body.content +- external: ecs + name: http.response.bytes +- external: ecs + name: http.response.status_code +- external: ecs + name: http.version +- external: ecs + name: labels +- external: ecs + name: log.level +- external: ecs + name: log.logger +- external: ecs + name: log.origin.file.line +- external: ecs + name: log.origin.file.name +- external: ecs + name: log.origin.function +- external: ecs + name: log.syslog + type: group +- external: ecs + name: log.syslog.facility.code +- external: ecs + name: log.syslog.facility.name +- external: ecs + name: log.syslog.priority +- external: ecs + name: log.syslog.severity.code +- external: ecs + name: log.syslog.severity.name +- external: ecs + name: message +- external: ecs + name: network.application +- external: ecs + name: network.bytes +- external: 
ecs + name: network.community_id +- external: ecs + name: network.direction +- external: ecs + name: network.forwarded_ip +- external: ecs + name: network.iana_number +- external: ecs + name: network.name +- external: ecs + name: network.packets +- external: ecs + name: network.protocol +- external: ecs + name: network.transport +- external: ecs + name: network.type +- external: ecs + name: observer.geo.city_name +- external: ecs + name: observer.geo.continent_name +- external: ecs + name: observer.geo.country_iso_code +- external: ecs + name: observer.geo.country_name +- external: ecs + name: observer.geo.location +- external: ecs + name: observer.geo.name +- external: ecs + name: observer.geo.region_iso_code +- external: ecs + name: observer.geo.region_name +- external: ecs + name: observer.hostname +- external: ecs + name: observer.ip +- external: ecs + name: observer.mac +- external: ecs + name: observer.name +- external: ecs + name: observer.os.family +- external: ecs + name: observer.os.full +- external: ecs + name: observer.os.kernel +- external: ecs + name: observer.os.name +- external: ecs + name: observer.os.platform +- external: ecs + name: observer.os.version +- external: ecs + name: observer.product +- external: ecs + name: observer.serial_number +- external: ecs + name: observer.type +- external: ecs + name: observer.vendor +- external: ecs + name: observer.version +- external: ecs + name: organization.id +- external: ecs + name: organization.name +- external: ecs + name: package.architecture +- external: ecs + name: package.checksum +- external: ecs + name: package.description +- external: ecs + name: package.install_scope +- external: ecs + name: package.installed +- external: ecs + name: package.license +- external: ecs + name: package.name +- external: ecs + name: package.path +- external: ecs + name: package.size +- external: ecs + name: package.version +- external: ecs + name: process.args +- external: ecs + name: process.executable +- external: 
ecs + name: process.hash.md5 +- external: ecs + name: process.hash.sha1 +- external: ecs + name: process.hash.sha256 +- external: ecs + name: process.hash.sha512 +- external: ecs + name: process.name +- external: ecs + name: process.pgid +- external: ecs + name: process.pid +- external: ecs + name: process.parent.pid +- external: ecs + name: process.start +- external: ecs + name: process.thread.id +- external: ecs + name: process.thread.name +- external: ecs + name: process.title +- external: ecs + name: process.uptime +- external: ecs + name: process.working_directory +- external: ecs + name: related.ip +- external: ecs + name: server.address +- external: ecs + name: server.as.organization.name +- external: ecs + name: server.bytes +- external: ecs + name: server.domain +- external: ecs + name: server.geo.city_name +- external: ecs + name: server.geo.continent_name +- external: ecs + name: server.geo.country_iso_code +- external: ecs + name: server.geo.country_name +- external: ecs + name: server.geo.location +- external: ecs + name: server.geo.name +- external: ecs + name: server.geo.region_iso_code +- external: ecs + name: server.geo.region_name +- external: ecs + name: server.ip +- external: ecs + name: server.mac +- external: ecs + name: server.nat.ip +- external: ecs + name: server.nat.port +- external: ecs + name: server.packets +- external: ecs + name: server.port +- external: ecs + name: server.registered_domain +- external: ecs + name: server.top_level_domain +- external: ecs + name: server.user.domain +- external: ecs + name: server.user.email +- external: ecs + name: server.user.full_name +- external: ecs + name: server.user.group.domain +- external: ecs + name: server.user.group.id +- external: ecs + name: server.user.group.name +- external: ecs + name: server.user.hash +- external: ecs + name: server.user.id +- external: ecs + name: server.user.name +- external: ecs + name: service.ephemeral_id +- external: ecs + name: service.id +- external: ecs + 
name: service.name +- external: ecs + name: service.node.name +- external: ecs + name: service.state +- external: ecs + name: service.type +- external: ecs + name: service.version +- external: ecs + name: source.address +- external: ecs + name: source.as.number +- external: ecs + name: source.as.organization.name +- external: ecs + name: source.bytes +- external: ecs + name: source.domain +- external: ecs + name: source.geo.city_name +- external: ecs + name: source.geo.continent_name +- external: ecs + name: source.geo.country_iso_code +- external: ecs + name: source.geo.country_name +- external: ecs + name: source.geo.location +- external: ecs + name: source.geo.name +- external: ecs + name: source.geo.region_iso_code +- external: ecs + name: source.geo.region_name +- external: ecs + name: source.ip +- external: ecs + name: source.mac +- external: ecs + name: source.nat.ip +- external: ecs + name: source.nat.port +- external: ecs + name: source.packets +- external: ecs + name: source.port +- external: ecs + name: source.registered_domain +- external: ecs + name: source.top_level_domain +- external: ecs + name: source.user.domain +- external: ecs + name: source.user.email +- external: ecs + name: source.user.full_name +- external: ecs + name: source.user.group.domain +- external: ecs + name: source.user.group.id +- external: ecs + name: source.user.group.name +- external: ecs + name: source.user.hash +- external: ecs + name: source.user.id +- external: ecs + name: source.user.name +- external: ecs + name: tags +- external: ecs + name: threat.framework +- external: ecs + name: threat.tactic.id +- external: ecs + name: threat.tactic.name +- external: ecs + name: threat.tactic.reference +- external: ecs + name: threat.technique.id +- external: ecs + name: threat.technique.name +- external: ecs + name: threat.technique.reference +- external: ecs + name: trace.id +- external: ecs + name: transaction.id +- external: ecs + name: url.domain +- external: ecs + name: 
url.extension +- external: ecs + name: url.fragment +- external: ecs + name: url.full +- external: ecs + name: url.original +- external: ecs + name: url.password +- external: ecs + name: url.path +- external: ecs + name: url.port +- external: ecs + name: url.query +- external: ecs + name: url.registered_domain +- external: ecs + name: url.scheme +- external: ecs + name: url.top_level_domain +- external: ecs + name: url.username +- external: ecs + name: user.domain +- external: ecs + name: user.email +- external: ecs + name: user.full_name +- external: ecs + name: user.group.domain +- external: ecs + name: user.group.id +- external: ecs + name: user.group.name +- external: ecs + name: user.hash +- external: ecs + name: user.id +- external: ecs + name: user.name +- external: ecs + name: user_agent.device.name +- external: ecs + name: user_agent.name +- external: ecs + name: user_agent.original +- external: ecs + name: user_agent.os.family +- external: ecs + name: user_agent.os.full +- external: ecs + name: user_agent.os.kernel +- external: ecs + name: user_agent.os.name +- external: ecs + name: user_agent.os.platform +- external: ecs + name: user_agent.os.version +- external: ecs + name: user_agent.version diff --git a/packages/endace/data_stream/log/fields/package-fields.yml b/packages/endace/data_stream/log/fields/package-fields.yml new file mode 100644 index 00000000000..1915b6a75d0 --- /dev/null +++ b/packages/endace/data_stream/log/fields/package-fields.yml 
@@ -0,0 +1,2689 @@ +- name: input.type + description: Type of Filebeat input. + type: keyword +- name: flow.locality + type: keyword + description: Identifies whether the flow involved public IP addresses or only private address. +- name: flow.id + type: keyword + description: Hash of source and destination IPs. +- name: destination.locality + type: keyword + description: Whether the destination IP is private or public. +- name: source.locality + type: keyword + description: Whether the source IP is private or public. +- name: netflow + type: group + description: > + Fields from NetFlow and IPFIX. + + fields: + - name: type + type: keyword + description: > + The type of NetFlow record described by this event. + + - name: exporter + type: group + description: > + Metadata related to the exporter device that generated this record. + + fields: + - name: address + type: keyword + description: > + Exporter's network address in IP:port format. + + - name: source_id + type: long + description: > + Observation domain ID to which this record belongs. + + - name: timestamp + type: date + description: > + Time and date of export. + + - name: uptime_millis + type: long + description: > + How long the exporter process has been running, in milliseconds. + + - name: version + type: integer + description: > + NetFlow version used. 
+ + - name: absolute_error + type: double + - name: address_pool_high_threshold + type: long + - name: address_pool_low_threshold + type: long + - name: address_port_mapping_high_threshold + type: long + - name: address_port_mapping_low_threshold + type: long + - name: address_port_mapping_per_user_high_threshold + type: long + - name: afc_protocol + type: integer + - name: afc_protocol_name + type: keyword + - name: anonymization_flags + type: integer + - name: anonymization_technique + type: integer + - name: application_business-relevance + type: long + - name: application_category_name + type: keyword + - name: application_description + type: keyword + - name: application_group_name + type: keyword + - name: application_http_uri_statistics + type: short + - name: application_http_user-agent + type: short + - name: application_id + type: short + - name: application_name + type: keyword + - name: application_sub_category_name + type: keyword + - name: application_traffic-class + type: long + - name: art_client_network_time_maximum + type: long + - name: art_client_network_time_minimum + type: long + - name: art_client_network_time_sum + type: long + - name: art_clientpackets + type: long + - name: art_count_late_responses + type: long + - name: art_count_new_connections + type: long + - name: art_count_responses + type: long + - name: art_count_responses_histogram_bucket1 + type: long + - name: art_count_responses_histogram_bucket2 + type: long + - name: art_count_responses_histogram_bucket3 + type: long + - name: art_count_responses_histogram_bucket4 + type: long + - name: art_count_responses_histogram_bucket5 + type: long + - name: art_count_responses_histogram_bucket6 + type: long + - name: art_count_responses_histogram_bucket7 + type: long + - name: art_count_retransmissions + type: long + - name: art_count_transactions + type: long + - name: art_network_time_maximum + type: long + - name: art_network_time_minimum + type: long + - name: art_network_time_sum + 
type: long + - name: art_response_time_maximum + type: long + - name: art_response_time_minimum + type: long + - name: art_response_time_sum + type: long + - name: art_server_network_time_maximum + type: long + - name: art_server_network_time_minimum + type: long + - name: art_server_network_time_sum + type: long + - name: art_server_response_time_maximum + type: long + - name: art_server_response_time_minimum + type: long + - name: art_server_response_time_sum + type: long + - name: art_serverpackets + type: long + - name: art_total_response_time_maximum + type: long + - name: art_total_response_time_minimum + type: long + - name: art_total_response_time_sum + type: long + - name: art_total_transaction_time_maximum + type: long + - name: art_total_transaction_time_minimum + type: long + - name: art_total_transaction_time_sum + type: long + - name: assembled_fragment_count + type: long + - name: audit_counter + type: long + - name: average_interarrival_time + type: long + - name: bgp_destination_as_number + type: long + - name: bgp_next_adjacent_as_number + type: long + - name: bgp_next_hop_ipv4_address + type: ip + - name: bgp_next_hop_ipv6_address + type: ip + - name: bgp_prev_adjacent_as_number + type: long + - name: bgp_source_as_number + type: long + - name: bgp_validity_state + type: short + - name: biflow_direction + type: short + - name: bind_ipv4_address + type: ip + - name: bind_transport_port + type: integer + - name: class_id + type: long + - name: class_name + type: keyword + - name: classification_engine_id + type: short + - name: collection_time_milliseconds + type: date + - name: collector_certificate + type: short + - name: collector_ipv4_address + type: ip + - name: collector_ipv6_address + type: ip + - name: collector_transport_port + type: integer + - name: common_properties_id + type: long + - name: confidence_level + type: double + - name: conn_ipv4_address + type: ip + - name: conn_transport_port + type: integer + - name: 
connection_sum_duration_seconds + type: long + - name: connection_transaction_id + type: long + - name: conntrack_id + type: long + - name: data_byte_count + type: long + - name: data_link_frame_section + type: short + - name: data_link_frame_size + type: integer + - name: data_link_frame_type + type: integer + - name: data_records_reliability + type: boolean + - name: delta_flow_count + type: long + - name: destination_ipv4_address + type: ip + - name: destination_ipv4_prefix + type: ip + - name: destination_ipv4_prefix_length + type: short + - name: destination_ipv6_address + type: ip + - name: destination_ipv6_prefix + type: ip + - name: destination_ipv6_prefix_length + type: short + - name: destination_mac_address + type: keyword + - name: destination_transport_port + type: integer + - name: digest_hash_value + type: long + - name: distinct_count_of_destination_ip_address + type: long + - name: distinct_count_of_destination_ipv4_address + type: long + - name: distinct_count_of_destination_ipv6_address + type: long + - name: distinct_count_of_source_ip_address + type: long + - name: distinct_count_of_source_ipv4_address + type: long + - name: distinct_count_of_source_ipv6_address + type: long + - name: dns_authoritative + type: short + - name: dns_cname + type: keyword + - name: dns_id + type: integer + - name: dns_mx_exchange + type: keyword + - name: dns_mx_preference + type: integer + - name: dns_nsd_name + type: keyword + - name: dns_nx_domain + type: short + - name: dns_ptrd_name + type: keyword + - name: dns_qname + type: keyword + - name: dns_qr_type + type: integer + - name: dns_query_response + type: short + - name: dns_rr_section + type: short + - name: dns_soa_expire + type: long + - name: dns_soa_minimum + type: long + - name: dns_soa_refresh + type: long + - name: dns_soa_retry + type: long + - name: dns_soa_serial + type: long + - name: dns_soam_name + type: keyword + - name: dns_soar_name + type: keyword + - name: dns_srv_port + type: integer + - 
name: dns_srv_priority + type: integer + - name: dns_srv_target + type: integer + - name: dns_srv_weight + type: integer + - name: dns_ttl + type: long + - name: dns_txt_data + type: keyword + - name: dot1q_customer_dei + type: boolean + - name: dot1q_customer_destination_mac_address + type: keyword + - name: dot1q_customer_priority + type: short + - name: dot1q_customer_source_mac_address + type: keyword + - name: dot1q_customer_vlan_id + type: integer + - name: dot1q_dei + type: boolean + - name: dot1q_priority + type: short + - name: dot1q_service_instance_id + type: long + - name: dot1q_service_instance_priority + type: short + - name: dot1q_service_instance_tag + type: short + - name: dot1q_vlan_id + type: integer + - name: dropped_layer2_octet_delta_count + type: long + - name: dropped_layer2_octet_total_count + type: long + - name: dropped_octet_delta_count + type: long + - name: dropped_octet_total_count + type: long + - name: dropped_packet_delta_count + type: long + - name: dropped_packet_total_count + type: long + - name: dst_traffic_index + type: long + - name: egress_broadcast_packet_total_count + type: long + - name: egress_interface + type: long + - name: egress_interface_type + type: long + - name: egress_physical_interface + type: long + - name: egress_unicast_packet_total_count + type: long + - name: egress_vrfid + type: long + - name: encrypted_technology + type: keyword + - name: engine_id + type: short + - name: engine_type + type: short + - name: ethernet_header_length + type: short + - name: ethernet_payload_length + type: integer + - name: ethernet_total_length + type: integer + - name: ethernet_type + type: integer + - name: expired_fragment_count + type: long + - name: export_interface + type: long + - name: export_protocol_version + type: short + - name: export_sctp_stream_id + type: integer + - name: export_transport_protocol + type: short + - name: exported_flow_record_total_count + type: long + - name: exported_message_total_count + 
type: long + - name: exported_octet_total_count + type: long + - name: exporter_certificate + type: short + - name: exporter_ipv4_address + type: ip + - name: exporter_ipv6_address + type: ip + - name: exporter_transport_port + type: integer + - name: exporting_process_id + type: long + - name: external_address_realm + type: short + - name: firewall_event + type: short + - name: first_eight_non_empty_packet_directions + type: short + - name: first_non_empty_packet_size + type: integer + - name: first_packet_banner + type: keyword + - name: flags_and_sampler_id + type: long + - name: flow_active_timeout + type: integer + - name: flow_attributes + type: integer + - name: flow_direction + type: short + - name: flow_duration_microseconds + type: long + - name: flow_duration_milliseconds + type: long + - name: flow_end_delta_microseconds + type: long + - name: flow_end_microseconds + type: date + - name: flow_end_milliseconds + type: date + - name: flow_end_nanoseconds + type: date + - name: flow_end_reason + type: short + - name: flow_end_seconds + type: date + - name: flow_end_sys_up_time + type: long + - name: flow_id + type: long + - name: flow_idle_timeout + type: integer + - name: flow_key_indicator + type: long + - name: flow_label_ipv6 + type: long + - name: flow_sampling_time_interval + type: long + - name: flow_sampling_time_spacing + type: long + - name: flow_selected_flow_delta_count + type: long + - name: flow_selected_octet_delta_count + type: long + - name: flow_selected_packet_delta_count + type: long + - name: flow_selector_algorithm + type: integer + - name: flow_start_delta_microseconds + type: long + - name: flow_start_microseconds + type: date + - name: flow_start_milliseconds + type: date + - name: flow_start_nanoseconds + type: date + - name: flow_start_seconds + type: date + - name: flow_start_sys_up_time + type: long + - name: flow_table_flush_event_count + type: long + - name: flow_table_peak_count + type: long + - name: forwarding_status + 
type: short + - name: fragment_flags + type: short + - name: fragment_identification + type: long + - name: fragment_offset + type: integer + - name: fw_blackout_secs + type: long + - name: fw_configured_value + type: long + - name: fw_cts_src_sgt + type: long + - name: fw_event_level + type: long + - name: fw_event_level_id + type: long + - name: fw_ext_event + type: integer + - name: fw_ext_event_alt + type: long + - name: fw_ext_event_desc + type: keyword + - name: fw_half_open_count + type: long + - name: fw_half_open_high + type: long + - name: fw_half_open_rate + type: long + - name: fw_max_sessions + type: long + - name: fw_rule + type: keyword + - name: fw_summary_pkt_count + type: long + - name: fw_zone_pair_id + type: long + - name: fw_zone_pair_name + type: long + - name: global_address_mapping_high_threshold + type: long + - name: gre_key + type: long + - name: hash_digest_output + type: boolean + - name: hash_flow_domain + type: integer + - name: hash_initialiser_value + type: long + - name: hash_ip_payload_offset + type: long + - name: hash_ip_payload_size + type: long + - name: hash_output_range_max + type: long + - name: hash_output_range_min + type: long + - name: hash_selected_range_max + type: long + - name: hash_selected_range_min + type: long + - name: http_content_type + type: keyword + - name: http_message_version + type: keyword + - name: http_reason_phrase + type: keyword + - name: http_request_host + type: keyword + - name: http_request_method + type: keyword + - name: http_request_target + type: keyword + - name: http_status_code + type: integer + - name: http_user_agent + type: keyword + - name: icmp_code_ipv4 + type: short + - name: icmp_code_ipv6 + type: short + - name: icmp_type_code_ipv4 + type: integer + - name: icmp_type_code_ipv6 + type: integer + - name: icmp_type_ipv4 + type: short + - name: icmp_type_ipv6 + type: short + - name: igmp_type + type: short + - name: ignored_data_record_total_count + type: long + - name: 
ignored_layer2_frame_total_count + type: long + - name: ignored_layer2_octet_total_count + type: long + - name: ignored_octet_total_count + type: long + - name: ignored_packet_total_count + type: long + - name: information_element_data_type + type: short + - name: information_element_description + type: keyword + - name: information_element_id + type: integer + - name: information_element_index + type: integer + - name: information_element_name + type: keyword + - name: information_element_range_begin + type: long + - name: information_element_range_end + type: long + - name: information_element_semantics + type: short + - name: information_element_units + type: integer + - name: ingress_broadcast_packet_total_count + type: long + - name: ingress_interface + type: long + - name: ingress_interface_type + type: long + - name: ingress_multicast_packet_total_count + type: long + - name: ingress_physical_interface + type: long + - name: ingress_unicast_packet_total_count + type: long + - name: ingress_vrfid + type: long + - name: initial_tcp_flags + type: short + - name: initiator_octets + type: long + - name: initiator_packets + type: long + - name: interface_description + type: keyword + - name: interface_name + type: keyword + - name: intermediate_process_id + type: long + - name: internal_address_realm + type: short + - name: ip_class_of_service + type: short + - name: ip_diff_serv_code_point + type: short + - name: ip_header_length + type: short + - name: ip_header_packet_section + type: short + - name: ip_next_hop_ipv4_address + type: ip + - name: ip_next_hop_ipv6_address + type: ip + - name: ip_payload_length + type: long + - name: ip_payload_packet_section + type: short + - name: ip_precedence + type: short + - name: ip_sec_spi + type: long + - name: ip_total_length + type: long + - name: ip_ttl + type: short + - name: ip_version + type: short + - name: ipv4_ihl + type: short + - name: ipv4_options + type: long + - name: ipv4_router_sc + type: ip + - name: 
ipv6_extension_headers + type: long + - name: is_multicast + type: short + - name: ixia_browser_id + type: short + - name: ixia_browser_name + type: keyword + - name: ixia_device_id + type: short + - name: ixia_device_name + type: keyword + - name: ixia_dns_answer + type: keyword + - name: ixia_dns_classes + type: keyword + - name: ixia_dns_query + type: keyword + - name: ixia_dns_record_txt + type: keyword + - name: ixia_dst_as_name + type: keyword + - name: ixia_dst_city_name + type: keyword + - name: ixia_dst_country_code + type: keyword + - name: ixia_dst_country_name + type: keyword + - name: ixia_dst_latitude + type: float + - name: ixia_dst_longitude + type: float + - name: ixia_dst_region_code + type: keyword + - name: ixia_dst_region_node + type: keyword + - name: ixia_encrypt_cipher + type: keyword + - name: ixia_encrypt_key_length + type: integer + - name: ixia_encrypt_type + type: keyword + - name: ixia_http_host_name + type: keyword + - name: ixia_http_uri + type: keyword + - name: ixia_http_user_agent + type: keyword + - name: ixia_imsi_subscriber + type: keyword + - name: ixia_l7_app_id + type: long + - name: ixia_l7_app_name + type: keyword + - name: ixia_latency + type: long + - name: ixia_rev_octet_delta_count + type: long + - name: ixia_rev_packet_delta_count + type: long + - name: ixia_src_as_name + type: keyword + - name: ixia_src_city_name + type: keyword + - name: ixia_src_country_code + type: keyword + - name: ixia_src_country_name + type: keyword + - name: ixia_src_latitude + type: float + - name: ixia_src_longitude + type: float + - name: ixia_src_region_code + type: keyword + - name: ixia_src_region_name + type: keyword + - name: ixia_threat_ipv4 + type: ip + - name: ixia_threat_ipv6 + type: ip + - name: ixia_threat_type + type: keyword + - name: large_packet_count + type: long + - name: layer2_frame_delta_count + type: long + - name: layer2_frame_total_count + type: long + - name: layer2_octet_delta_count + type: long + - name: 
layer2_octet_delta_sum_of_squares + type: long + - name: layer2_octet_total_count + type: long + - name: layer2_octet_total_sum_of_squares + type: long + - name: layer2_segment_id + type: long + - name: layer2packet_section_data + type: short + - name: layer2packet_section_offset + type: integer + - name: layer2packet_section_size + type: integer + - name: line_card_id + type: long + - name: log_op + type: short + - name: lower_ci_limit + type: double + - name: mark + type: long + - name: max_bib_entries + type: long + - name: max_entries_per_user + type: long + - name: max_export_seconds + type: date + - name: max_flow_end_microseconds + type: date + - name: max_flow_end_milliseconds + type: date + - name: max_flow_end_nanoseconds + type: date + - name: max_flow_end_seconds + type: date + - name: max_fragments_pending_reassembly + type: long + - name: max_packet_size + type: integer + - name: max_session_entries + type: long + - name: max_subscribers + type: long + - name: maximum_ip_total_length + type: long + - name: maximum_layer2_total_length + type: long + - name: maximum_ttl + type: short + - name: mean_flow_rate + type: long + - name: mean_packet_rate + type: long + - name: message_md5_checksum + type: short + - name: message_scope + type: short + - name: metering_process_id + type: long + - name: metro_evc_id + type: keyword + - name: metro_evc_type + type: short + - name: mib_capture_time_semantics + type: short + - name: mib_context_engine_id + type: short + - name: mib_context_name + type: keyword + - name: mib_index_indicator + type: long + - name: mib_module_name + type: keyword + - name: mib_object_description + type: keyword + - name: mib_object_identifier + type: short + - name: mib_object_name + type: keyword + - name: mib_object_syntax + type: keyword + - name: mib_object_value_bits + type: short + - name: mib_object_value_counter + type: long + - name: mib_object_value_gauge + type: long + - name: mib_object_value_integer + type: integer + - 
name: mib_object_value_ip_address + type: ip + - name: mib_object_value_octet_string + type: short + - name: mib_object_value_oid + type: short + - name: mib_object_value_time_ticks + type: long + - name: mib_object_value_unsigned + type: long + - name: mib_sub_identifier + type: long + - name: min_export_seconds + type: date + - name: min_flow_start_microseconds + type: date + - name: min_flow_start_milliseconds + type: date + - name: min_flow_start_nanoseconds + type: date + - name: min_flow_start_seconds + type: date + - name: minimum_ip_total_length + type: long + - name: minimum_layer2_total_length + type: long + - name: minimum_ttl + type: short + - name: mobile_imsi + type: keyword + - name: mobile_msisdn + type: keyword + - name: monitoring_interval_end_milli_seconds + type: date + - name: monitoring_interval_start_milli_seconds + type: date + - name: mpls_label_stack_depth + type: long + - name: mpls_label_stack_length + type: long + - name: mpls_label_stack_section + type: short + - name: mpls_label_stack_section10 + type: short + - name: mpls_label_stack_section2 + type: short + - name: mpls_label_stack_section3 + type: short + - name: mpls_label_stack_section4 + type: short + - name: mpls_label_stack_section5 + type: short + - name: mpls_label_stack_section6 + type: short + - name: mpls_label_stack_section7 + type: short + - name: mpls_label_stack_section8 + type: short + - name: mpls_label_stack_section9 + type: short + - name: mpls_payload_length + type: long + - name: mpls_payload_packet_section + type: short + - name: mpls_top_label_exp + type: short + - name: mpls_top_label_ipv4_address + type: ip + - name: mpls_top_label_ipv6_address + type: ip + - name: mpls_top_label_prefix_length + type: short + - name: mpls_top_label_stack_section + type: short + - name: mpls_top_label_ttl + type: short + - name: mpls_top_label_type + type: short + - name: mpls_vpn_route_distinguisher + type: short + - name: mptcp_address_id + type: short + - name: mptcp_flags 
+ type: short + - name: mptcp_initial_data_sequence_number + type: long + - name: mptcp_maximum_segment_size + type: integer + - name: mptcp_receiver_token + type: long + - name: multicast_replication_factor + type: long + - name: nat_event + type: short + - name: nat_inside_svcid + type: integer + - name: nat_instance_id + type: long + - name: nat_originating_address_realm + type: short + - name: nat_outside_svcid + type: integer + - name: nat_pool_id + type: long + - name: nat_pool_name + type: keyword + - name: nat_quota_exceeded_event + type: long + - name: nat_sub_string + type: keyword + - name: nat_threshold_event + type: long + - name: nat_type + type: short + - name: netscale_ica_client_version + type: keyword + - name: netscaler_aaa_username + type: keyword + - name: netscaler_app_name + type: keyword + - name: netscaler_app_name_app_id + type: long + - name: netscaler_app_name_incarnation_number + type: long + - name: netscaler_app_template_name + type: keyword + - name: netscaler_app_unit_name_app_id + type: long + - name: netscaler_application_startup_duration + type: long + - name: netscaler_application_startup_time + type: long + - name: netscaler_cache_redir_client_connection_core_id + type: long + - name: netscaler_cache_redir_client_connection_transaction_id + type: long + - name: netscaler_client_rtt + type: long + - name: netscaler_connection_chain_hop_count + type: long + - name: netscaler_connection_chain_id + type: short + - name: netscaler_connection_id + type: long + - name: netscaler_current_license_consumed + type: long + - name: netscaler_db_clt_host_name + type: keyword + - name: netscaler_db_database_name + type: keyword + - name: netscaler_db_login_flags + type: long + - name: netscaler_db_protocol_name + type: short + - name: netscaler_db_req_string + type: keyword + - name: netscaler_db_req_type + type: short + - name: netscaler_db_resp_length + type: long + - name: netscaler_db_resp_status + type: long + - name: 
netscaler_db_resp_status_string + type: keyword + - name: netscaler_db_user_name + type: keyword + - name: netscaler_flow_flags + type: long + - name: netscaler_http_client_interaction_end_time + type: keyword + - name: netscaler_http_client_interaction_start_time + type: keyword + - name: netscaler_http_client_render_end_time + type: keyword + - name: netscaler_http_client_render_start_time + type: keyword + - name: netscaler_http_content_type + type: keyword + - name: netscaler_http_domain_name + type: keyword + - name: netscaler_http_req_authorization + type: keyword + - name: netscaler_http_req_cookie + type: keyword + - name: netscaler_http_req_forw_fb + type: long + - name: netscaler_http_req_forw_lb + type: long + - name: netscaler_http_req_host + type: keyword + - name: netscaler_http_req_method + type: keyword + - name: netscaler_http_req_rcv_fb + type: long + - name: netscaler_http_req_rcv_lb + type: long + - name: netscaler_http_req_referer + type: keyword + - name: netscaler_http_req_url + type: keyword + - name: netscaler_http_req_user_agent + type: keyword + - name: netscaler_http_req_via + type: keyword + - name: netscaler_http_req_xforwarded_for + type: keyword + - name: netscaler_http_res_forw_fb + type: long + - name: netscaler_http_res_forw_lb + type: long + - name: netscaler_http_res_location + type: keyword + - name: netscaler_http_res_rcv_fb + type: long + - name: netscaler_http_res_rcv_lb + type: long + - name: netscaler_http_res_set_cookie + type: keyword + - name: netscaler_http_res_set_cookie2 + type: keyword + - name: netscaler_http_rsp_len + type: long + - name: netscaler_http_rsp_status + type: integer + - name: netscaler_ica_app_module_path + type: keyword + - name: netscaler_ica_app_process_id + type: long + - name: netscaler_ica_application_name + type: keyword + - name: netscaler_ica_application_termination_time + type: long + - name: netscaler_ica_application_termination_type + type: integer + - name: netscaler_ica_channel_id1 + 
type: long + - name: netscaler_ica_channel_id1_bytes + type: long + - name: netscaler_ica_channel_id2 + type: long + - name: netscaler_ica_channel_id2_bytes + type: long + - name: netscaler_ica_channel_id3 + type: long + - name: netscaler_ica_channel_id3_bytes + type: long + - name: netscaler_ica_channel_id4 + type: long + - name: netscaler_ica_channel_id4_bytes + type: long + - name: netscaler_ica_channel_id5 + type: long + - name: netscaler_ica_channel_id5_bytes + type: long + - name: netscaler_ica_client_host_name + type: keyword + - name: netscaler_ica_client_ip + type: ip + - name: netscaler_ica_client_launcher + type: integer + - name: netscaler_ica_client_side_rto_count + type: integer + - name: netscaler_ica_client_side_window_size + type: integer + - name: netscaler_ica_client_type + type: integer + - name: netscaler_ica_clientside_delay + type: long + - name: netscaler_ica_clientside_jitter + type: long + - name: netscaler_ica_clientside_packets_retransmit + type: integer + - name: netscaler_ica_clientside_rtt + type: long + - name: netscaler_ica_clientside_rx_bytes + type: long + - name: netscaler_ica_clientside_srtt + type: long + - name: netscaler_ica_clientside_tx_bytes + type: long + - name: netscaler_ica_connection_priority + type: integer + - name: netscaler_ica_device_serial_no + type: long + - name: netscaler_ica_domain_name + type: keyword + - name: netscaler_ica_flags + type: long + - name: netscaler_ica_host_delay + type: long + - name: netscaler_ica_l7_client_latency + type: long + - name: netscaler_ica_l7_server_latency + type: long + - name: netscaler_ica_launch_mechanism + type: integer + - name: netscaler_ica_network_update_end_time + type: long + - name: netscaler_ica_network_update_start_time + type: long + - name: netscaler_ica_rtt + type: long + - name: netscaler_ica_server_name + type: keyword + - name: netscaler_ica_server_side_rto_count + type: integer + - name: netscaler_ica_server_side_window_size + type: integer + - name: 
netscaler_ica_serverside_delay + type: long + - name: netscaler_ica_serverside_jitter + type: long + - name: netscaler_ica_serverside_packets_retransmit + type: integer + - name: netscaler_ica_serverside_rtt + type: long + - name: netscaler_ica_serverside_srtt + type: long + - name: netscaler_ica_session_end_time + type: long + - name: netscaler_ica_session_guid + type: short + - name: netscaler_ica_session_reconnects + type: short + - name: netscaler_ica_session_setup_time + type: long + - name: netscaler_ica_session_update_begin_sec + type: long + - name: netscaler_ica_session_update_end_sec + type: long + - name: netscaler_ica_username + type: keyword + - name: netscaler_license_type + type: short + - name: netscaler_main_page_core_id + type: long + - name: netscaler_main_page_id + type: long + - name: netscaler_max_license_count + type: long + - name: netscaler_msi_client_cookie + type: short + - name: netscaler_round_trip_time + type: long + - name: netscaler_server_ttfb + type: long + - name: netscaler_server_ttlb + type: long + - name: netscaler_syslog_message + type: keyword + - name: netscaler_syslog_priority + type: short + - name: netscaler_syslog_timestamp + type: long + - name: netscaler_transaction_id + type: long + - name: netscaler_unknown270 + type: long + - name: netscaler_unknown271 + type: long + - name: netscaler_unknown272 + type: long + - name: netscaler_unknown273 + type: long + - name: netscaler_unknown274 + type: long + - name: netscaler_unknown275 + type: long + - name: netscaler_unknown276 + type: long + - name: netscaler_unknown277 + type: long + - name: netscaler_unknown278 + type: long + - name: netscaler_unknown279 + type: long + - name: netscaler_unknown280 + type: long + - name: netscaler_unknown281 + type: long + - name: netscaler_unknown282 + type: long + - name: netscaler_unknown283 + type: long + - name: netscaler_unknown284 + type: long + - name: netscaler_unknown285 + type: long + - name: netscaler_unknown286 + type: long + - 
name: netscaler_unknown287 + type: long + - name: netscaler_unknown288 + type: long + - name: netscaler_unknown289 + type: long + - name: netscaler_unknown290 + type: long + - name: netscaler_unknown291 + type: long + - name: netscaler_unknown292 + type: long + - name: netscaler_unknown293 + type: long + - name: netscaler_unknown294 + type: long + - name: netscaler_unknown295 + type: long + - name: netscaler_unknown296 + type: long + - name: netscaler_unknown297 + type: long + - name: netscaler_unknown298 + type: long + - name: netscaler_unknown299 + type: long + - name: netscaler_unknown300 + type: long + - name: netscaler_unknown301 + type: long + - name: netscaler_unknown302 + type: long + - name: netscaler_unknown303 + type: long + - name: netscaler_unknown304 + type: long + - name: netscaler_unknown305 + type: long + - name: netscaler_unknown306 + type: long + - name: netscaler_unknown307 + type: long + - name: netscaler_unknown308 + type: long + - name: netscaler_unknown309 + type: long + - name: netscaler_unknown310 + type: long + - name: netscaler_unknown311 + type: long + - name: netscaler_unknown312 + type: long + - name: netscaler_unknown313 + type: long + - name: netscaler_unknown314 + type: long + - name: netscaler_unknown315 + type: long + - name: netscaler_unknown316 + type: keyword + - name: netscaler_unknown317 + type: long + - name: netscaler_unknown318 + type: long + - name: netscaler_unknown319 + type: keyword + - name: netscaler_unknown320 + type: integer + - name: netscaler_unknown321 + type: long + - name: netscaler_unknown322 + type: long + - name: netscaler_unknown323 + type: integer + - name: netscaler_unknown324 + type: integer + - name: netscaler_unknown325 + type: integer + - name: netscaler_unknown326 + type: integer + - name: netscaler_unknown327 + type: long + - name: netscaler_unknown328 + type: integer + - name: netscaler_unknown329 + type: integer + - name: netscaler_unknown330 + type: integer + - name: netscaler_unknown331 + 
type: integer + - name: netscaler_unknown332 + type: long + - name: netscaler_unknown333 + type: keyword + - name: netscaler_unknown334 + type: keyword + - name: netscaler_unknown335 + type: long + - name: netscaler_unknown336 + type: long + - name: netscaler_unknown337 + type: long + - name: netscaler_unknown338 + type: long + - name: netscaler_unknown339 + type: long + - name: netscaler_unknown340 + type: long + - name: netscaler_unknown341 + type: long + - name: netscaler_unknown342 + type: long + - name: netscaler_unknown343 + type: long + - name: netscaler_unknown344 + type: long + - name: netscaler_unknown345 + type: long + - name: netscaler_unknown346 + type: long + - name: netscaler_unknown347 + type: long + - name: netscaler_unknown348 + type: integer + - name: netscaler_unknown349 + type: keyword + - name: netscaler_unknown350 + type: keyword + - name: netscaler_unknown351 + type: keyword + - name: netscaler_unknown352 + type: integer + - name: netscaler_unknown353 + type: long + - name: netscaler_unknown354 + type: long + - name: netscaler_unknown355 + type: long + - name: netscaler_unknown356 + type: long + - name: netscaler_unknown357 + type: long + - name: netscaler_unknown363 + type: short + - name: netscaler_unknown383 + type: short + - name: netscaler_unknown391 + type: long + - name: netscaler_unknown398 + type: long + - name: netscaler_unknown404 + type: long + - name: netscaler_unknown405 + type: long + - name: netscaler_unknown427 + type: long + - name: netscaler_unknown429 + type: short + - name: netscaler_unknown432 + type: short + - name: netscaler_unknown433 + type: short + - name: netscaler_unknown453 + type: long + - name: netscaler_unknown465 + type: long + - name: new_connection_delta_count + type: long + - name: next_header_ipv6 + type: short + - name: non_empty_packet_count + type: long + - name: not_sent_flow_total_count + type: long + - name: not_sent_layer2_octet_total_count + type: long + - name: not_sent_octet_total_count + type: 
long + - name: not_sent_packet_total_count + type: long + - name: observation_domain_id + type: long + - name: observation_domain_name + type: keyword + - name: observation_point_id + type: long + - name: observation_point_type + type: short + - name: observation_time_microseconds + type: date + - name: observation_time_milliseconds + type: date + - name: observation_time_nanoseconds + type: date + - name: observation_time_seconds + type: date + - name: observed_flow_total_count + type: long + - name: octet_delta_count + type: long + - name: octet_delta_sum_of_squares + type: long + - name: octet_total_count + type: long + - name: octet_total_sum_of_squares + type: long + - name: opaque_octets + type: short + - name: original_exporter_ipv4_address + type: ip + - name: original_exporter_ipv6_address + type: ip + - name: original_flows_completed + type: long + - name: original_flows_initiated + type: long + - name: original_flows_present + type: long + - name: original_observation_domain_id + type: long + - name: os_finger_print + type: keyword + - name: os_name + type: keyword + - name: os_version + type: keyword + - name: p2p_technology + type: keyword + - name: packet_delta_count + type: long + - name: packet_total_count + type: long + - name: padding_octets + type: short + - name: payload + type: keyword + - name: payload_entropy + type: short + - name: payload_length_ipv6 + type: integer + - name: policy_qos_classification_hierarchy + type: long + - name: policy_qos_queue_index + type: long + - name: policy_qos_queuedrops + type: long + - name: policy_qos_queueindex + type: long + - name: port_id + type: long + - name: port_range_end + type: integer + - name: port_range_num_ports + type: integer + - name: port_range_start + type: integer + - name: port_range_step_size + type: integer + - name: post_destination_mac_address + type: keyword + - name: post_dot1q_customer_vlan_id + type: integer + - name: post_dot1q_vlan_id + type: integer + - name: 
post_ip_class_of_service + type: short + - name: post_ip_diff_serv_code_point + type: short + - name: post_ip_precedence + type: short + - name: post_layer2_octet_delta_count + type: long + - name: post_layer2_octet_total_count + type: long + - name: post_mcast_layer2_octet_delta_count + type: long + - name: post_mcast_layer2_octet_total_count + type: long + - name: post_mcast_octet_delta_count + type: long + - name: post_mcast_octet_total_count + type: long + - name: post_mcast_packet_delta_count + type: long + - name: post_mcast_packet_total_count + type: long + - name: post_mpls_top_label_exp + type: short + - name: post_napt_destination_transport_port + type: integer + - name: post_napt_source_transport_port + type: integer + - name: post_nat_destination_ipv4_address + type: ip + - name: post_nat_destination_ipv6_address + type: ip + - name: post_nat_source_ipv4_address + type: ip + - name: post_nat_source_ipv6_address + type: ip + - name: post_octet_delta_count + type: long + - name: post_octet_total_count + type: long + - name: post_packet_delta_count + type: long + - name: post_packet_total_count + type: long + - name: post_source_mac_address + type: keyword + - name: post_vlan_id + type: integer + - name: private_enterprise_number + type: long + - name: procera_apn + type: keyword + - name: procera_base_service + type: keyword + - name: procera_content_categories + type: keyword + - name: procera_device_id + type: long + - name: procera_external_rtt + type: integer + - name: procera_flow_behavior + type: keyword + - name: procera_ggsn + type: keyword + - name: procera_http_content_type + type: keyword + - name: procera_http_file_length + type: long + - name: procera_http_language + type: keyword + - name: procera_http_location + type: keyword + - name: procera_http_referer + type: keyword + - name: procera_http_request_method + type: keyword + - name: procera_http_request_version + type: keyword + - name: procera_http_response_status + type: integer + - 
name: procera_http_url + type: keyword + - name: procera_http_user_agent + type: keyword + - name: procera_imsi + type: long + - name: procera_incoming_octets + type: long + - name: procera_incoming_packets + type: long + - name: procera_incoming_shaping_drops + type: long + - name: procera_incoming_shaping_latency + type: integer + - name: procera_internal_rtt + type: integer + - name: procera_local_ipv4_host + type: ip + - name: procera_local_ipv6_host + type: ip + - name: procera_msisdn + type: long + - name: procera_outgoing_octets + type: long + - name: procera_outgoing_packets + type: long + - name: procera_outgoing_shaping_drops + type: long + - name: procera_outgoing_shaping_latency + type: integer + - name: procera_property + type: keyword + - name: procera_qoe_incoming_external + type: float + - name: procera_qoe_incoming_internal + type: float + - name: procera_qoe_outgoing_external + type: float + - name: procera_qoe_outgoing_internal + type: float + - name: procera_rat + type: keyword + - name: procera_remote_ipv4_host + type: ip + - name: procera_remote_ipv6_host + type: ip + - name: procera_rnc + type: integer + - name: procera_server_hostname + type: keyword + - name: procera_service + type: keyword + - name: procera_sgsn + type: keyword + - name: procera_subscriber_identifier + type: keyword + - name: procera_template_name + type: keyword + - name: procera_user_location_information + type: keyword + - name: protocol_identifier + type: short + - name: pseudo_wire_control_word + type: long + - name: pseudo_wire_destination_ipv4_address + type: ip + - name: pseudo_wire_id + type: long + - name: pseudo_wire_type + type: integer + - name: reason + type: long + - name: reason_text + type: keyword + - name: relative_error + type: double + - name: responder_octets + type: long + - name: responder_packets + type: long + - name: reverse_absolute_error + type: double + - name: reverse_anonymization_flags + type: integer + - name: 
reverse_anonymization_technique + type: integer + - name: reverse_application_category_name + type: keyword + - name: reverse_application_description + type: keyword + - name: reverse_application_group_name + type: keyword + - name: reverse_application_id + type: keyword + - name: reverse_application_name + type: keyword + - name: reverse_application_sub_category_name + type: keyword + - name: reverse_average_interarrival_time + type: long + - name: reverse_bgp_destination_as_number + type: long + - name: reverse_bgp_next_adjacent_as_number + type: long + - name: reverse_bgp_next_hop_ipv4_address + type: ip + - name: reverse_bgp_next_hop_ipv6_address + type: ip + - name: reverse_bgp_prev_adjacent_as_number + type: long + - name: reverse_bgp_source_as_number + type: long + - name: reverse_bgp_validity_state + type: short + - name: reverse_class_id + type: short + - name: reverse_class_name + type: keyword + - name: reverse_classification_engine_id + type: short + - name: reverse_collection_time_milliseconds + type: long + - name: reverse_collector_certificate + type: keyword + - name: reverse_confidence_level + type: double + - name: reverse_connection_sum_duration_seconds + type: long + - name: reverse_connection_transaction_id + type: long + - name: reverse_data_byte_count + type: long + - name: reverse_data_link_frame_section + type: keyword + - name: reverse_data_link_frame_size + type: integer + - name: reverse_data_link_frame_type + type: integer + - name: reverse_data_records_reliability + type: short + - name: reverse_delta_flow_count + type: long + - name: reverse_destination_ipv4_address + type: ip + - name: reverse_destination_ipv4_prefix + type: ip + - name: reverse_destination_ipv4_prefix_length + type: short + - name: reverse_destination_ipv6_address + type: ip + - name: reverse_destination_ipv6_prefix + type: ip + - name: reverse_destination_ipv6_prefix_length + type: short + - name: reverse_destination_mac_address + type: keyword + - name: 
reverse_destination_transport_port + type: integer + - name: reverse_digest_hash_value + type: long + - name: reverse_distinct_count_of_destination_ip_address + type: long + - name: reverse_distinct_count_of_destination_ipv4_address + type: long + - name: reverse_distinct_count_of_destination_ipv6_address + type: long + - name: reverse_distinct_count_of_source_ip_address + type: long + - name: reverse_distinct_count_of_source_ipv4_address + type: long + - name: reverse_distinct_count_of_source_ipv6_address + type: long + - name: reverse_dot1q_customer_dei + type: short + - name: reverse_dot1q_customer_destination_mac_address + type: keyword + - name: reverse_dot1q_customer_priority + type: short + - name: reverse_dot1q_customer_source_mac_address + type: keyword + - name: reverse_dot1q_customer_vlan_id + type: integer + - name: reverse_dot1q_dei + type: short + - name: reverse_dot1q_priority + type: short + - name: reverse_dot1q_service_instance_id + type: long + - name: reverse_dot1q_service_instance_priority + type: short + - name: reverse_dot1q_service_instance_tag + type: keyword + - name: reverse_dot1q_vlan_id + type: integer + - name: reverse_dropped_layer2_octet_delta_count + type: long + - name: reverse_dropped_layer2_octet_total_count + type: long + - name: reverse_dropped_octet_delta_count + type: long + - name: reverse_dropped_octet_total_count + type: long + - name: reverse_dropped_packet_delta_count + type: long + - name: reverse_dropped_packet_total_count + type: long + - name: reverse_dst_traffic_index + type: long + - name: reverse_egress_broadcast_packet_total_count + type: long + - name: reverse_egress_interface + type: long + - name: reverse_egress_interface_type + type: long + - name: reverse_egress_physical_interface + type: long + - name: reverse_egress_unicast_packet_total_count + type: long + - name: reverse_egress_vrfid + type: long + - name: reverse_encrypted_technology + type: keyword + - name: reverse_engine_id + type: short + - name: 
reverse_engine_type + type: short + - name: reverse_ethernet_header_length + type: short + - name: reverse_ethernet_payload_length + type: integer + - name: reverse_ethernet_total_length + type: integer + - name: reverse_ethernet_type + type: integer + - name: reverse_export_sctp_stream_id + type: integer + - name: reverse_exporter_certificate + type: keyword + - name: reverse_exporting_process_id + type: long + - name: reverse_firewall_event + type: short + - name: reverse_first_non_empty_packet_size + type: integer + - name: reverse_first_packet_banner + type: keyword + - name: reverse_flags_and_sampler_id + type: long + - name: reverse_flow_active_timeout + type: integer + - name: reverse_flow_attributes + type: integer + - name: reverse_flow_delta_milliseconds + type: long + - name: reverse_flow_direction + type: short + - name: reverse_flow_duration_microseconds + type: long + - name: reverse_flow_duration_milliseconds + type: long + - name: reverse_flow_end_delta_microseconds + type: long + - name: reverse_flow_end_microseconds + type: long + - name: reverse_flow_end_milliseconds + type: long + - name: reverse_flow_end_nanoseconds + type: long + - name: reverse_flow_end_reason + type: short + - name: reverse_flow_end_seconds + type: long + - name: reverse_flow_end_sys_up_time + type: long + - name: reverse_flow_idle_timeout + type: integer + - name: reverse_flow_label_ipv6 + type: long + - name: reverse_flow_sampling_time_interval + type: long + - name: reverse_flow_sampling_time_spacing + type: long + - name: reverse_flow_selected_flow_delta_count + type: long + - name: reverse_flow_selected_octet_delta_count + type: long + - name: reverse_flow_selected_packet_delta_count + type: long + - name: reverse_flow_selector_algorithm + type: integer + - name: reverse_flow_start_delta_microseconds + type: long + - name: reverse_flow_start_microseconds + type: long + - name: reverse_flow_start_milliseconds + type: long + - name: reverse_flow_start_nanoseconds + type: 
long + - name: reverse_flow_start_seconds + type: long + - name: reverse_flow_start_sys_up_time + type: long + - name: reverse_forwarding_status + type: long + - name: reverse_fragment_flags + type: short + - name: reverse_fragment_identification + type: long + - name: reverse_fragment_offset + type: integer + - name: reverse_gre_key + type: long + - name: reverse_hash_digest_output + type: short + - name: reverse_hash_flow_domain + type: integer + - name: reverse_hash_initialiser_value + type: long + - name: reverse_hash_ip_payload_offset + type: long + - name: reverse_hash_ip_payload_size + type: long + - name: reverse_hash_output_range_max + type: long + - name: reverse_hash_output_range_min + type: long + - name: reverse_hash_selected_range_max + type: long + - name: reverse_hash_selected_range_min + type: long + - name: reverse_icmp_code_ipv4 + type: short + - name: reverse_icmp_code_ipv6 + type: short + - name: reverse_icmp_type_code_ipv4 + type: integer + - name: reverse_icmp_type_code_ipv6 + type: integer + - name: reverse_icmp_type_ipv4 + type: short + - name: reverse_icmp_type_ipv6 + type: short + - name: reverse_igmp_type + type: short + - name: reverse_ignored_data_record_total_count + type: long + - name: reverse_ignored_layer2_frame_total_count + type: long + - name: reverse_ignored_layer2_octet_total_count + type: long + - name: reverse_information_element_data_type + type: short + - name: reverse_information_element_description + type: keyword + - name: reverse_information_element_id + type: integer + - name: reverse_information_element_index + type: integer + - name: reverse_information_element_name + type: keyword + - name: reverse_information_element_range_begin + type: long + - name: reverse_information_element_range_end + type: long + - name: reverse_information_element_semantics + type: short + - name: reverse_information_element_units + type: integer + - name: reverse_ingress_broadcast_packet_total_count + type: long + - name: 
reverse_ingress_interface + type: long + - name: reverse_ingress_interface_type + type: long + - name: reverse_ingress_multicast_packet_total_count + type: long + - name: reverse_ingress_physical_interface + type: long + - name: reverse_ingress_unicast_packet_total_count + type: long + - name: reverse_ingress_vrfid + type: long + - name: reverse_initial_tcp_flags + type: short + - name: reverse_initiator_octets + type: long + - name: reverse_initiator_packets + type: long + - name: reverse_interface_description + type: keyword + - name: reverse_interface_name + type: keyword + - name: reverse_intermediate_process_id + type: long + - name: reverse_ip_class_of_service + type: short + - name: reverse_ip_diff_serv_code_point + type: short + - name: reverse_ip_header_length + type: short + - name: reverse_ip_header_packet_section + type: keyword + - name: reverse_ip_next_hop_ipv4_address + type: ip + - name: reverse_ip_next_hop_ipv6_address + type: ip + - name: reverse_ip_payload_length + type: long + - name: reverse_ip_payload_packet_section + type: keyword + - name: reverse_ip_precedence + type: short + - name: reverse_ip_sec_spi + type: long + - name: reverse_ip_total_length + type: long + - name: reverse_ip_ttl + type: short + - name: reverse_ip_version + type: short + - name: reverse_ipv4_ihl + type: short + - name: reverse_ipv4_options + type: long + - name: reverse_ipv4_router_sc + type: ip + - name: reverse_ipv6_extension_headers + type: long + - name: reverse_is_multicast + type: short + - name: reverse_large_packet_count + type: long + - name: reverse_layer2_frame_delta_count + type: long + - name: reverse_layer2_frame_total_count + type: long + - name: reverse_layer2_octet_delta_count + type: long + - name: reverse_layer2_octet_delta_sum_of_squares + type: long + - name: reverse_layer2_octet_total_count + type: long + - name: reverse_layer2_octet_total_sum_of_squares + type: long + - name: reverse_layer2_segment_id + type: long + - name: 
reverse_layer2packet_section_data + type: keyword + - name: reverse_layer2packet_section_offset + type: integer + - name: reverse_layer2packet_section_size + type: integer + - name: reverse_line_card_id + type: long + - name: reverse_lower_ci_limit + type: double + - name: reverse_max_export_seconds + type: long + - name: reverse_max_flow_end_microseconds + type: long + - name: reverse_max_flow_end_milliseconds + type: long + - name: reverse_max_flow_end_nanoseconds + type: long + - name: reverse_max_flow_end_seconds + type: long + - name: reverse_max_packet_size + type: integer + - name: reverse_maximum_ip_total_length + type: long + - name: reverse_maximum_layer2_total_length + type: long + - name: reverse_maximum_ttl + type: short + - name: reverse_message_md5_checksum + type: keyword + - name: reverse_message_scope + type: short + - name: reverse_metering_process_id + type: long + - name: reverse_metro_evc_id + type: keyword + - name: reverse_metro_evc_type + type: short + - name: reverse_min_export_seconds + type: long + - name: reverse_min_flow_start_microseconds + type: long + - name: reverse_min_flow_start_milliseconds + type: long + - name: reverse_min_flow_start_nanoseconds + type: long + - name: reverse_min_flow_start_seconds + type: long + - name: reverse_minimum_ip_total_length + type: long + - name: reverse_minimum_layer2_total_length + type: long + - name: reverse_minimum_ttl + type: short + - name: reverse_monitoring_interval_end_milli_seconds + type: long + - name: reverse_monitoring_interval_start_milli_seconds + type: long + - name: reverse_mpls_label_stack_depth + type: long + - name: reverse_mpls_label_stack_length + type: long + - name: reverse_mpls_label_stack_section + type: keyword + - name: reverse_mpls_label_stack_section10 + type: keyword + - name: reverse_mpls_label_stack_section2 + type: keyword + - name: reverse_mpls_label_stack_section3 + type: keyword + - name: reverse_mpls_label_stack_section4 + type: keyword + - name: 
reverse_mpls_label_stack_section5 + type: keyword + - name: reverse_mpls_label_stack_section6 + type: keyword + - name: reverse_mpls_label_stack_section7 + type: keyword + - name: reverse_mpls_label_stack_section8 + type: keyword + - name: reverse_mpls_label_stack_section9 + type: keyword + - name: reverse_mpls_payload_length + type: long + - name: reverse_mpls_payload_packet_section + type: keyword + - name: reverse_mpls_top_label_exp + type: short + - name: reverse_mpls_top_label_ipv4_address + type: ip + - name: reverse_mpls_top_label_ipv6_address + type: ip + - name: reverse_mpls_top_label_prefix_length + type: short + - name: reverse_mpls_top_label_stack_section + type: keyword + - name: reverse_mpls_top_label_ttl + type: short + - name: reverse_mpls_top_label_type + type: short + - name: reverse_mpls_vpn_route_distinguisher + type: keyword + - name: reverse_multicast_replication_factor + type: long + - name: reverse_nat_event + type: short + - name: reverse_nat_originating_address_realm + type: short + - name: reverse_nat_pool_id + type: long + - name: reverse_nat_pool_name + type: keyword + - name: reverse_nat_type + type: short + - name: reverse_new_connection_delta_count + type: long + - name: reverse_next_header_ipv6 + type: short + - name: reverse_non_empty_packet_count + type: long + - name: reverse_not_sent_layer2_octet_total_count + type: long + - name: reverse_observation_domain_name + type: keyword + - name: reverse_observation_point_id + type: long + - name: reverse_observation_point_type + type: short + - name: reverse_observation_time_microseconds + type: long + - name: reverse_observation_time_milliseconds + type: long + - name: reverse_observation_time_nanoseconds + type: long + - name: reverse_observation_time_seconds + type: long + - name: reverse_octet_delta_count + type: long + - name: reverse_octet_delta_sum_of_squares + type: long + - name: reverse_octet_total_count + type: long + - name: reverse_octet_total_sum_of_squares + type: long + 
- name: reverse_opaque_octets + type: keyword + - name: reverse_original_exporter_ipv4_address + type: ip + - name: reverse_original_exporter_ipv6_address + type: ip + - name: reverse_original_flows_completed + type: long + - name: reverse_original_flows_initiated + type: long + - name: reverse_original_flows_present + type: long + - name: reverse_original_observation_domain_id + type: long + - name: reverse_os_finger_print + type: keyword + - name: reverse_os_name + type: keyword + - name: reverse_os_version + type: keyword + - name: reverse_p2p_technology + type: keyword + - name: reverse_packet_delta_count + type: long + - name: reverse_packet_total_count + type: long + - name: reverse_payload + type: keyword + - name: reverse_payload_entropy + type: short + - name: reverse_payload_length_ipv6 + type: integer + - name: reverse_port_id + type: long + - name: reverse_port_range_end + type: integer + - name: reverse_port_range_num_ports + type: integer + - name: reverse_port_range_start + type: integer + - name: reverse_port_range_step_size + type: integer + - name: reverse_post_destination_mac_address + type: keyword + - name: reverse_post_dot1q_customer_vlan_id + type: integer + - name: reverse_post_dot1q_vlan_id + type: integer + - name: reverse_post_ip_class_of_service + type: short + - name: reverse_post_ip_diff_serv_code_point + type: short + - name: reverse_post_ip_precedence + type: short + - name: reverse_post_layer2_octet_delta_count + type: long + - name: reverse_post_layer2_octet_total_count + type: long + - name: reverse_post_mcast_layer2_octet_delta_count + type: long + - name: reverse_post_mcast_layer2_octet_total_count + type: long + - name: reverse_post_mcast_octet_delta_count + type: long + - name: reverse_post_mcast_octet_total_count + type: long + - name: reverse_post_mcast_packet_delta_count + type: long + - name: reverse_post_mcast_packet_total_count + type: long + - name: reverse_post_mpls_top_label_exp + type: short + - name: 
reverse_post_napt_destination_transport_port + type: integer + - name: reverse_post_napt_source_transport_port + type: integer + - name: reverse_post_nat_destination_ipv4_address + type: ip + - name: reverse_post_nat_destination_ipv6_address + type: ip + - name: reverse_post_nat_source_ipv4_address + type: ip + - name: reverse_post_nat_source_ipv6_address + type: ip + - name: reverse_post_octet_delta_count + type: long + - name: reverse_post_octet_total_count + type: long + - name: reverse_post_packet_delta_count + type: long + - name: reverse_post_packet_total_count + type: long + - name: reverse_post_source_mac_address + type: keyword + - name: reverse_post_vlan_id + type: integer + - name: reverse_private_enterprise_number + type: long + - name: reverse_protocol_identifier + type: short + - name: reverse_pseudo_wire_control_word + type: long + - name: reverse_pseudo_wire_destination_ipv4_address + type: ip + - name: reverse_pseudo_wire_id + type: long + - name: reverse_pseudo_wire_type + type: integer + - name: reverse_relative_error + type: double + - name: reverse_responder_octets + type: long + - name: reverse_responder_packets + type: long + - name: reverse_rfc3550_jitter_microseconds + type: long + - name: reverse_rfc3550_jitter_milliseconds + type: long + - name: reverse_rfc3550_jitter_nanoseconds + type: long + - name: reverse_rtp_payload_type + type: short + - name: reverse_rtp_sequence_number + type: integer + - name: reverse_sampler_id + type: short + - name: reverse_sampler_mode + type: short + - name: reverse_sampler_name + type: keyword + - name: reverse_sampler_random_interval + type: long + - name: reverse_sampling_algorithm + type: short + - name: reverse_sampling_flow_interval + type: long + - name: reverse_sampling_flow_spacing + type: long + - name: reverse_sampling_interval + type: long + - name: reverse_sampling_packet_interval + type: long + - name: reverse_sampling_packet_space + type: long + - name: reverse_sampling_population + type: 
long + - name: reverse_sampling_probability + type: double + - name: reverse_sampling_size + type: long + - name: reverse_sampling_time_interval + type: long + - name: reverse_sampling_time_space + type: long + - name: reverse_second_packet_banner + type: keyword + - name: reverse_section_exported_octets + type: integer + - name: reverse_section_offset + type: integer + - name: reverse_selection_sequence_id + type: long + - name: reverse_selector_algorithm + type: integer + - name: reverse_selector_id + type: long + - name: reverse_selector_id_total_flows_observed + type: long + - name: reverse_selector_id_total_flows_selected + type: long + - name: reverse_selector_id_total_pkts_observed + type: long + - name: reverse_selector_id_total_pkts_selected + type: long + - name: reverse_selector_name + type: keyword + - name: reverse_session_scope + type: short + - name: reverse_small_packet_count + type: long + - name: reverse_source_ipv4_address + type: ip + - name: reverse_source_ipv4_prefix + type: ip + - name: reverse_source_ipv4_prefix_length + type: short + - name: reverse_source_ipv6_address + type: ip + - name: reverse_source_ipv6_prefix + type: ip + - name: reverse_source_ipv6_prefix_length + type: short + - name: reverse_source_mac_address + type: keyword + - name: reverse_source_transport_port + type: integer + - name: reverse_src_traffic_index + type: long + - name: reverse_sta_ipv4_address + type: ip + - name: reverse_sta_mac_address + type: keyword + - name: reverse_standard_deviation_interarrival_time + type: long + - name: reverse_standard_deviation_payload_length + type: integer + - name: reverse_system_init_time_milliseconds + type: long + - name: reverse_tcp_ack_total_count + type: long + - name: reverse_tcp_acknowledgement_number + type: long + - name: reverse_tcp_control_bits + type: integer + - name: reverse_tcp_destination_port + type: integer + - name: reverse_tcp_fin_total_count + type: long + - name: reverse_tcp_header_length + type: short + - 
name: reverse_tcp_options + type: long + - name: reverse_tcp_psh_total_count + type: long + - name: reverse_tcp_rst_total_count + type: long + - name: reverse_tcp_sequence_number + type: long + - name: reverse_tcp_source_port + type: integer + - name: reverse_tcp_syn_total_count + type: long + - name: reverse_tcp_urg_total_count + type: long + - name: reverse_tcp_urgent_pointer + type: integer + - name: reverse_tcp_window_scale + type: integer + - name: reverse_tcp_window_size + type: integer + - name: reverse_total_length_ipv4 + type: integer + - name: reverse_transport_octet_delta_count + type: long + - name: reverse_transport_packet_delta_count + type: long + - name: reverse_tunnel_technology + type: keyword + - name: reverse_udp_destination_port + type: integer + - name: reverse_udp_message_length + type: integer + - name: reverse_udp_source_port + type: integer + - name: reverse_union_tcp_flags + type: short + - name: reverse_upper_ci_limit + type: double + - name: reverse_user_name + type: keyword + - name: reverse_value_distribution_method + type: short + - name: reverse_virtual_station_interface_id + type: keyword + - name: reverse_virtual_station_interface_name + type: keyword + - name: reverse_virtual_station_name + type: keyword + - name: reverse_virtual_station_uuid + type: keyword + - name: reverse_vlan_id + type: integer + - name: reverse_vr_fname + type: keyword + - name: reverse_wlan_channel_id + type: short + - name: reverse_wlan_ssid + type: keyword + - name: reverse_wtp_mac_address + type: keyword + - name: rfc3550_jitter_microseconds + type: long + - name: rfc3550_jitter_milliseconds + type: long + - name: rfc3550_jitter_nanoseconds + type: long + - name: rtp_payload_type + type: short + - name: rtp_sequence_number + type: integer + - name: sampler_id + type: short + - name: sampler_mode + type: short + - name: sampler_name + type: keyword + - name: sampler_random_interval + type: long + - name: sampling_algorithm + type: short + - name: 
sampling_flow_interval + type: long + - name: sampling_flow_spacing + type: long + - name: sampling_interval + type: long + - name: sampling_packet_interval + type: long + - name: sampling_packet_space + type: long + - name: sampling_population + type: long + - name: sampling_probability + type: double + - name: sampling_size + type: long + - name: sampling_time_interval + type: long + - name: sampling_time_space + type: long + - name: second_packet_banner + type: keyword + - name: section_exported_octets + type: integer + - name: section_offset + type: integer + - name: selection_sequence_id + type: long + - name: selector_algorithm + type: integer + - name: selector_id + type: long + - name: selector_id_total_flows_observed + type: long + - name: selector_id_total_flows_selected + type: long + - name: selector_id_total_pkts_observed + type: long + - name: selector_id_total_pkts_selected + type: long + - name: selector_name + type: keyword + - name: service_name + type: keyword + - name: session_scope + type: short + - name: silk_app_label + type: integer + - name: small_packet_count + type: long + - name: source_ipv4_address + type: ip + - name: source_ipv4_prefix + type: ip + - name: source_ipv4_prefix_length + type: short + - name: source_ipv6_address + type: ip + - name: source_ipv6_prefix + type: ip + - name: source_ipv6_prefix_length + type: short + - name: source_mac_address + type: keyword + - name: source_transport_port + type: integer + - name: source_transport_ports_limit + type: integer + - name: src_traffic_index + type: long + - name: ssl_cert_serial_number + type: keyword + - name: ssl_cert_signature + type: keyword + - name: ssl_cert_validity_not_after + type: keyword + - name: ssl_cert_validity_not_before + type: keyword + - name: ssl_cert_version + type: short + - name: ssl_certificate_hash + type: keyword + - name: ssl_cipher + type: keyword + - name: ssl_client_version + type: short + - name: ssl_compression_method + type: short + - name: 
ssl_object_type + type: keyword + - name: ssl_object_value + type: keyword + - name: ssl_public_key_algorithm + type: keyword + - name: ssl_public_key_length + type: keyword + - name: ssl_server_cipher + type: long + - name: ssl_server_name + type: keyword + - name: sta_ipv4_address + type: ip + - name: sta_mac_address + type: keyword + - name: standard_deviation_interarrival_time + type: long + - name: standard_deviation_payload_length + type: short + - name: system_init_time_milliseconds + type: date + - name: tcp_ack_total_count + type: long + - name: tcp_acknowledgement_number + type: long + - name: tcp_control_bits + type: integer + - name: tcp_destination_port + type: integer + - name: tcp_fin_total_count + type: long + - name: tcp_header_length + type: short + - name: tcp_options + type: long + - name: tcp_psh_total_count + type: long + - name: tcp_rst_total_count + type: long + - name: tcp_sequence_number + type: long + - name: tcp_source_port + type: integer + - name: tcp_syn_total_count + type: long + - name: tcp_urg_total_count + type: long + - name: tcp_urgent_pointer + type: integer + - name: tcp_window_scale + type: integer + - name: tcp_window_size + type: integer + - name: template_id + type: integer + - name: tftp_filename + type: keyword + - name: tftp_mode + type: keyword + - name: timestamp + type: long + - name: timestamp_absolute_monitoring-interval + type: long + - name: total_length_ipv4 + type: integer + - name: traffic_type + type: short + - name: transport_octet_delta_count + type: long + - name: transport_packet_delta_count + type: long + - name: tunnel_technology + type: keyword + - name: udp_destination_port + type: integer + - name: udp_message_length + type: integer + - name: udp_source_port + type: integer + - name: union_tcp_flags + type: short + - name: upper_ci_limit + type: double + - name: user_name + type: keyword + - name: username + type: keyword + - name: value_distribution_method + type: short + - name: viptela_vpn_id + 
type: long
+ - name: virtual_station_interface_id
+ type: short
+ - name: virtual_station_interface_name
+ type: keyword
+ - name: virtual_station_name
+ type: keyword
+ - name: virtual_station_uuid
+ type: short
+ - name: vlan_id
+ type: integer
+ - name: vmware_egress_interface_attr
+ type: integer
+ - name: vmware_ingress_interface_attr
+ type: integer
+ - name: vmware_tenant_dest_ipv4
+ type: ip
+ - name: vmware_tenant_dest_ipv6
+ type: ip
+ - name: vmware_tenant_dest_port
+ type: integer
+ - name: vmware_tenant_protocol
+ type: short
+ - name: vmware_tenant_source_ipv4
+ type: ip
+ - name: vmware_tenant_source_ipv6
+ type: ip
+ - name: vmware_tenant_source_port
+ type: integer
+ - name: vmware_vxlan_export_role
+ type: short
+ - name: vpn_identifier
+ type: short
+ - name: vr_fname
+ type: keyword
+ - name: waasoptimization_segment
+ type: short
+ - name: wlan_channel_id
+ type: short
+ - name: wlan_ssid
+ type: keyword
+ - name: wtp_mac_address
+ type: keyword
+ - name: xlate_destination_address_ip_v4
+ type: ip
+ - name: xlate_destination_port
+ type: integer
+ - name: xlate_source_address_ip_v4
+ type: ip
+ - name: xlate_source_port
+ type: integer
diff --git a/packages/endace/data_stream/log/manifest.yml b/packages/endace/data_stream/log/manifest.yml
new file mode 100644
index 00000000000..5d7858a7536
--- /dev/null
+++ b/packages/endace/data_stream/log/manifest.yml
@@ -0,0 +1,95 @@
+title: NetFlow logs
+type: logs
+streams:
+ - input: netflow
+ template_path: netflow.yml.hbs
+ title: Collect NetFlow logs
+ enabled: false
+ description: Collect NetFlow logs using the netflow input
+ vars:
+ - name: host
+ type: text
+ title: UDP host to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: port
+ type: integer
+ title: UDP port to listen on
+ multi: false
+ required: true
+ show_user: true
+ default: 2055
+ - name: expiration_timeout
+ type: text
+ title: Time duration before an idle session or unused template is expired. Valid time units are h, m, s.
+ multi: false
+ required: true
+ show_user: false
+ default: 30m
+ - name: internal_networks
+ type: text
+ title: Internal Networks
+ description: List of CIDR ranges describing the IP addresses that is considered internal. This is used in determining the values of `source.locality`, `destination.locality`, and `flow.locality`. The values can be either a CIDR value or one of the named ranges supported by the <> condition. The default value is `[private]` which classifies RFC 1918 (IPv4) and RFC 4193 (IPv6) addresses as internal.
+ multi: true
+ required: false
+ show_user: true
+ - name: queue_size
+ type: integer
+ title: Maximum number of packets that can be queued for processing
+ multi: false
+ required: true
+ show_user: false
+ default: 8192
+ - name: read_buffer
+ type: text
+ title: Read Buffer Size
+ description: |
+ Sets the size of the OS read buffer on the UDP socket in the format KiB/MiB, an example would be: 10KiB. If it is not set, the existing operating system's default value is used.
+ required: false
+ show_user: false
+ - name: custom_definitions
+ type: text
+ title: Custom definitions
+ multi: true
+ required: false
+ show_user: false
+ default: ""
+ - name: detect_sequence_reset
+ type: bool
+ title: Whether to detect sequence reset
+ multi: false
+ required: true
+ show_user: false
+ default: true
+ - name: max_message_size
+ type: text
+ title: Maximum size of the message received over UDP
+ multi: false
+ required: true
+ show_user: false
+ default: 10KiB
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: false
+ show_user: false
+ default:
+ - netflow
+ - forwarded
+ - name: timeout
+ type: text
+ title: Read timeout for socket operations. Valid time units are ns, us, ms, s, m, h.
+ multi: false
+ required: false
+ show_user: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
diff --git a/packages/endace/data_stream/log/sample_event.json b/packages/endace/data_stream/log/sample_event.json
new file mode 100644
index 00000000000..6b21d466690
--- /dev/null
+++ b/packages/endace/data_stream/log/sample_event.json
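Review bot: The `internal_networks` description ends with "named ranges supported by the <> condition", so the name of the condition that defines ranges such as `private` is missing; unless the empty angle brackets are an extraction artifact, the text should name it, e.g. `named ranges supported by the network condition`, with a link to the processor-condition documentation. `read_buffer` is also the only var in this stream without a `multi:` key while every sibling declares `multi: false`; adding `multi: false` keeps the block consistent. Minor wording in the same description: `IP addresses that is considered internal` should read `IP addresses that are considered internal`.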
@@ -0,0 +1,123 @@ +{ + "@timestamp": "2018-07-03T10:47:00.000Z", + "agent": { + "ephemeral_id": "305f6431-67ab-4e0f-8805-2b9d97ae3923", + "id": "246fcb7f-fa5e-4375-95d0-e7962f456b94", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.7.1" + }, + "client": { + "bytes": 719, + "packets": 5 + }, + "data_stream": { + "dataset": "endace.log", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 0, + "packets": 0 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "246fcb7f-fa5e-4375-95d0-e7962f456b94", + "snapshot": false, + "version": "8.7.1" + }, + "event": { + "action": "netflow_flow", + "agent_id_status": "verified", + "category": [ + "network", + "session" + ], + "created": "2023-07-19T13:23:37.227Z", + "dataset": "endace.log", + "ingested": "2023-07-19T13:23:38Z", + "kind": "event", + "type": [ + "connection" + ] + }, + "flow": { + "id": "Vhs9T5k296w", + "locality": "internal" + }, + "input": { + "type": "netflow" + }, + "netflow": { + "application_id": [ + 3, + 0, + 0, + 80 + ], + "art_client_network_time_sum": 0, + "art_count_late_responses": 0, + "art_count_responses": 0, + "art_count_retransmissions": 0, + "art_count_transactions": 0, + "art_network_time_sum": 0, + "art_response_time_sum": 0, + "art_server_network_time_sum": 0, + "art_server_response_time_maximum": 0, + "art_server_response_time_sum": 0, + "art_total_response_time_sum": 0, + "art_total_transaction_time_sum": 0, + "biflow_direction": 1, + "connection_sum_duration_seconds": 0, + "egress_interface": 13, + "exporter": { + "address": "172.28.0.4:42750", + "source_id": 512, + "timestamp": "2018-07-03T10:47:00.000Z", + "uptime_millis": 0, + "version": 10 + }, + "flow_end_sys_up_time": 564184158, + "flow_start_sys_up_time": 564184140, + "ingress_interface": 10, + "ingress_vrfid": 0, + "initiator_octets": 719, + "initiator_packets": 5, + "ip_diff_serv_code_point": 0, + "ip_ttl": 49, + "new_connection_delta_count": 1, + "protocol_identifier": 
6, + "responder_octets": 0, + "responder_packets": 0, + "type": "netflow_flow", + "vlan_id": 0, + "waasoptimization_segment": 16 + }, + "network": { + "bytes": 719, + "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", + "direction": "unknown", + "iana_number": "6", + "packets": 5, + "transport": "tcp" + }, + "observer": { + "ip": [ + "172.28.0.4" + ] + }, + "server": { + "bytes": 0, + "packets": 0 + }, + "source": { + "bytes": 719, + "packets": 5 + }, + "tags": [ + "netflow", + "forwarded" + ] +} diff --git a/packages/endace/docs/README.md b/packages/endace/docs/README.md new file mode 100644 index 00000000000..1fb0ae4968b --- /dev/null +++ b/packages/endace/docs/README.md 
@@ -0,0 +1,400 @@ +# Network Packet Capture Integration + +This integration sniffs network packets on a host and dissects +known protocols. + +Monitoring your network traffic is critical to gaining observability and +securing your environment — ensuring high levels of performance and security. +The Network Packet Capture integration captures the network traffic between +your application servers, decodes common application layer protocols and +records the interesting fields for each transaction. + +## Supported Protocols + +Currently, Network Packet Capture supports the following protocols: + +- ICMP (v4 and v6) +- DHCP (v4) +- DNS +- HTTP +- AMQP 0.9.1 +- Cassandra +- Mysql +- PostgreSQL +- Redis +- Thrift-RPC +- MongoDB +- Memcache +- NFS +- TLS +- SIP/SDP (beta) + +### Common protocol options + +The following options are available for all protocols: + +#### `map_to_ecs` + +Remap any non-ECS Packetbeat fields in root to their correct ECS fields. +This will rename fields that are moved so the fields will not be present +at the root of the document and so any rules that depend on the fields +will need to be updated. + +The legacy behaviour of this option is to not remap to ECS. This behaviour +is still the default, but is deprecated and users are encouraged to set +this option to true. + +ECS remapping may have an impact on workflows that depend on the identity +of non-ECS fields, and users should assess their use of these fields before +making the change. Users who need to retain data collected with the legacy +mappings may need to re-index their older documents. Instructions for doing +this are available [here](https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-reindex.html). +The pipeline used to perform ECS remapping for each data stream can be found +in `Stack Management`›`Ingest Pipelines` and and searching for +"logs-network_traffic compatibility". 
+ +The deprecation and retirement timeline for legacy behavior is available +[here](https://github.com/elastic/integrations/issues/8185). + +#### `enabled` + +The enabled setting is a boolean setting to enable or disable protocols +without having to comment out configuration sections. If set to false, +the protocol is disabled. + +The default value is true. + +#### `ports` + +Exception: For ICMP the option `enabled` has to be used instead. + +The ports where Network Packet Capture will look to capture traffic for specific +protocols. Network Packet Capture installs a +[BPF](https://en.wikipedia.org/wiki/Berkeley_Packet_Filter) filter based +on the ports specified in this section. If a packet doesn’t match the +filter, very little CPU is required to discard the packet. Network Packet Capture +also uses the ports specified here to determine which parser to use for +each packet. + +#### `monitor_processes` + +If this option is enabled then network traffic events will be enriched +with information about the process associated with the events. + +The default value is false. + +#### `send_request` + +If this option is enabled, the raw message of the request (`request` +field) is sent to Elasticsearch. The default is false. This option is +useful when you want to index the whole request. Note that for HTTP, the +body is not included by default, only the HTTP headers. + +#### `send_response` + +If this option is enabled, the raw message of the response (`response` +field) is sent to Elasticsearch. The default is false. This option is +useful when you want to index the whole response. Note that for HTTP, +the body is not included by default, only the HTTP headers. + +#### `transaction_timeout` + +The per protocol transaction timeout. Expired transactions will no +longer be correlated to incoming responses, but sent to Elasticsearch +immediately. + +#### `tags` + +A list of tags that will be sent with the transaction event. This +setting is optional. 
+ +#### `processors` + +A list of processors to apply to the data generated by the protocol. + +#### `keep_null` + +If this option is set to true, fields with `null` values will be +published in the output document. By default, `keep_null` is set to +`false`. + + +## Network Flows + +Overall flow information about the network connections on a +host. + +You can configure Network Packet Capture to collect and report statistics +on network flows. A *flow* is a group of packets sent over the same time +period that share common properties, such as the same source and destination +address and protocol. You can use this feature to analyze network +traffic over specific protocols on your network. + +For each flow, Network Packet Capture reports the number of packets and the +total number of bytes sent from the source to the destination. Each flow event +also contains information about the source and destination hosts, such +as their IP address. For bi-directional flows, Network Packet Capture reports +statistics for the reverse flow. + +Network Packet Capture collects and reports statistics up to and including the +transport layer. + +**Configuration options** + +You can specify the following options for capturing flows. + +#### `enabled` + +Enables flows support if set to true. Set to false to disable network +flows support without having to delete or comment out the flows section. +The default value is true. + +#### `timeout` + +Timeout configures the lifetime of a flow. If no packets have been +received for a flow within the timeout time window, the flow is killed +and reported. The default value is 30s. + +#### `period` + +Configure the reporting interval. All flows are reported at the very +same point in time. Periodical reporting can be disabled by setting the +value to -1. If disabled, flows are still reported once being timed out. +The default value is 10s. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. 
| date | +| client.bytes | Bytes sent from the client to the server. | long | +| client.geo.city_name | City name. | keyword | +| client.geo.continent_name | Name of the continent. | keyword | +| client.geo.country_iso_code | Country ISO code. | keyword | +| client.geo.country_name | Country name. | keyword | +| client.geo.location | Longitude and latitude. | geo_point | +| client.geo.region_iso_code | Region ISO code. | keyword | +| client.geo.region_name | Region name. | keyword | +| client.ip | IP address of the client (IPv4 or IPv6). | ip | +| client.port | Port of the client. | long | +| client.process.args | The command-line of the process that initiated the transaction. | keyword | +| client.process.executable | Absolute path to the client process executable. | keyword | +| client.process.name | The name of the process that initiated the transaction. | keyword | +| client.process.start | The time the client process started. | date | +| client.process.working_directory | The working directory of the client process. | keyword | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. 
| keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| destination.bytes | Bytes sent from the destination to the source. | long | +| destination.geo.city_name | City name. | keyword | +| destination.geo.continent_name | Name of the continent. | keyword | +| destination.geo.country_iso_code | Country ISO code. | keyword | +| destination.geo.country_name | Country name. | keyword | +| destination.geo.location | Longitude and latitude. | geo_point | +| destination.geo.region_iso_code | Region ISO code. | keyword | +| destination.geo.region_name | Region name. | keyword | +| destination.ip | IP address of the destination (IPv4 or IPv6). | ip | +| destination.mac | MAC address of the destination. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| destination.packets | Packets sent from the destination to the source. | long | +| destination.port | Port of the destination. | long | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. 
For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | +| event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long | +| event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | +| flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | +| flow.id | Internal flow ID based on connection meta data and address. | keyword | +| flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| method | The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on). | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | +| network.direction | Direction of the network traffic. When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | In the OSI Model this would be the Application Layer protocol. 
For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | +| network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | +| network_traffic.flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | +| network_traffic.flow.id | Internal flow ID based on connection meta data and address. | keyword | +| network_traffic.flow.vlan | VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. | long | +| network_traffic.status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | +| observer.hostname | Hostname of the observer. | keyword | +| observer.ip | IP addresses of the observer. | ip | +| observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | +| params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. 
| text | +| path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.start | The time the process started. | date | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | +| query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | +| resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | +| response | For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. 
| text | +| server.bytes | Bytes sent from the server to the client. | long | +| server.geo.city_name | City name. | keyword | +| server.geo.continent_name | Name of the continent. | keyword | +| server.geo.country_iso_code | Country ISO code. | keyword | +| server.geo.country_name | Country name. | keyword | +| server.geo.location | Longitude and latitude. | geo_point | +| server.geo.region_iso_code | Region ISO code. | keyword | +| server.geo.region_name | Region name. | keyword | +| server.ip | IP address of the server (IPv4 or IPv6). | ip | +| server.port | Port of the server. | long | +| server.process.args | The command-line of the process that served the transaction. | keyword | +| server.process.executable | Absolute path to the server process executable. | keyword | +| server.process.name | The name of the process that served the transaction. | keyword | +| server.process.start | The time the server process started. | date | +| server.process.working_directory | The working directory of the server process. | keyword | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. 
| long | +| status | The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| type | The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. | keyword | + + +An example event for `flow` looks as following: + +```json +{ + "@timestamp": "2023-10-16T22:40:20.005Z", + "agent": { + "ephemeral_id": "005dde79-7459-4b47-ae00-972086b4f5db", + "id": "f923dfe0-3acb-4f62-9ab4-1fabb8e8e112", + "name": "docker-fleet-agent", + "type": "packetbeat", + "version": "8.6.2" + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "ep", + "type": "logs" + }, + "destination": { + "bytes": 64, + "ip": "::1", + "packets": 1, + "port": 8000 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "f923dfe0-3acb-4f62-9ab4-1fabb8e8e112", + "snapshot": false, + "version": "8.6.2" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 73561, + "end": "2023-10-16T22:39:45.677Z", + "ingested": "2023-10-16T22:40:21Z", + "kind": "event", + "start": "2023-10-16T22:39:45.677Z", + "type": [ + "connection", + "end" + ] + }, + "flow": { + "final": true, + "id": "QAT///////8A////IP8AAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAUAfeMg" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "docker-fleet-agent", + "id": "f91b175388d443fca5c155815dfc2279", + "ip": [ + "172.19.0.7" + ], + "mac": [ + "02-42-AC-13-00-07" + ], + "name": "docker-fleet-agent", + "os": { + "codename": "focal", + "family": "debian", + "kernel": "5.15.49-linuxkit", + "name": "Ubuntu", + "platform": "ubuntu", + "type": "linux", + "version": "20.04.5 LTS (Focal Fossa)" + } + }, + "network": { + "bytes": 152, + "community_id": "1:5y9AkdbV9U8xqD9dhlj6obkubHg=", + 
"packets": 2, + "transport": "tcp", + "type": "ipv6" + }, + "source": { + "bytes": 88, + "ip": "::1", + "packets": 1, + "port": 51320 + }, + "type": "flow" +} + +``` + +## Licensing for Windows Systems + +The Network Packet Capture Integration incorporates a bundled Npcap installation on Windows hosts. The installation is provided under an [OEM license](https://npcap.com/oem/redist.html) from Insecure.Com LLC ("The Nmap Project"). \ No newline at end of file diff --git a/packages/endace/elasticsearch/ingest_pipeline/endace.yml b/packages/endace/elasticsearch/ingest_pipeline/endace.yml new file mode 100644 index 00000000000..4aeffb2b45b --- /dev/null +++ b/packages/endace/elasticsearch/ingest_pipeline/endace.yml 
@@ -0,0 +1,52 @@
+---
+description: Endace Pivot Field.
+processors:
+ - set:
+ description: "Set IP Conversation if both destination.ip and source.ip are present"
+ field: _conf.ip_conv
+ value: "ip_conv={{ source.ip }}%26{{ destination.ip }}"
+ if: ctx.destination?.ip != null && ctx.destination?.ip != '' && ctx.source?.ip != null && ctx.source?.ip != ''
+ tag: endace conversation set
+
+
+ - set:
+ description: "Set IP Conversation if either destination.ip and source.ip are present"
+ field: _conf.ipconv
+ value: "ip={{ source.ip }}{{ destination.ip }}"
+ if: ctx._conf.ipconv != null && ctx.destination?.ip != null && ctx.destination?.ip != '' || ctx.source?.ip != null && ctx.source?.ip != ''
+ tag: endace ip set
+
+
+ - date:
+ description: "Convert Start time to Epoch"
+ field: event.start
+ formats: ["ISO8601"]
+ target_field: _conf.event.start
+ output_format: epoch_millis
+ if: ctx.event?.start != null && ctx.event?.start != ''
+
+
+ - date:
+ description: "Convert End time to Epoch"
+ field: event.end
+ formats: ["ISO8601"]
+ target_field: _conf.event.end
+ output_format: epoch_millis
+ if: ctx.event?.end != null && ctx.event?.end != ''
+
+ - set:
+ description: "Calculate timedelta"
+ field: _conf.timedelta
+ value: _conf.endace_lookback * 60 * 1000
+
+ - set:
+ description: "Calculate Endtime + additional lookback"
+ field: _conf.event.end
+ value: _conf.event.end - _conf.timedelta
+
+ - set:
+ field: event.reference
+ value: "{{ _conf.endace_url}}/vision2/pivotintovision/?title=endace_pivot&datasources={{_conf.endace_datasources }}&start={{ _conf.event.start }}&end={{ _conf.event.end }}&tools={{ _conf.endace_tools }}&{{ _conf.ip_conv }}"
+ ignore_empty_value: true
+ tag: endace reference url
+ if: ctx.destination?.ip != null && ctx.destination?.ip != '' && ctx.source?.ip != null && ctx.source?.ip != ''
\ No newline at end of file
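Review bot: The `Calculate timedelta` and `Calculate Endtime + additional lookback` processors do no arithmetic: an ingest `set` only expands `{{ }}` templates, so `_conf.timedelta` is stored as the literal text `_conf.endace_lookback * 60 * 1000`, the epoch value the preceding `date` processor wrote to `_conf.event.end` is overwritten with the text `_conf.event.end - _conf.timedelta`, and that text is what lands in the `end=` parameter of `event.reference` (no flow-pipeline expected output is visible in this series that would have caught it). The arithmetic needs a `script` processor, and note that the subtraction as written would put `end` before `start`; a lookback presumably widens the window backwards from `start`, so confirm with Endace which bound it expects and flip the sign in the block below if it is `end`. The second `set` (`_conf.ipconv`) should be deleted: `ctx._conf.ipconv` is dereferenced without `?.` and is never assigned, `&&` and `||` are mixed without parentheses, and nothing reads the field. Nothing here is percent-encoded — `endace_url`, `endace_datasources`, `endace_tools` and the two IPs are interpolated raw into a URL that Kibana renders as a clickable link — which is tolerable only because the three vars are operator-set policy values; the README should say so, and `{{ _conf.endace_url}}/vision2` will double the slash if the operator's value ends with one.
```yaml
  # … unchanged: ip_conv set, the two date processors …
  - script:
      description: "Widen the pivot window backwards by the configured lookback (minutes)"
      tag: endace lookback
      if: ctx._conf?.event?.start != null && ctx._conf?.endace_lookback != null
      source: |
        long delta = Long.parseLong(ctx._conf.endace_lookback.toString()) * 60L * 1000L;
        ctx._conf.event.start = Long.parseLong(ctx._conf.event.start.toString()) - delta;
  # … unchanged: event.reference set …
```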
diff --git a/packages/endace/img/endace-logo.svg b/packages/endace/img/endace-logo.svg new file mode 100644 index 00000000000..ba061f239a1 --- /dev/null +++ b/packages/endace/img/endace-logo.svg @@ -0,0 +1,12 @@ + + + + + + + + \ No newline at end of file 
diff --git a/packages/endace/img/endace-screenshot-1.png b/packages/endace/img/endace-screenshot-1.png new file mode 100644 index 0000000000000000000000000000000000000000..3958c77942d9614cd56d555bdba5cc94404564c0 GIT binary patch literal 10982 zcmeHtX*|?x|L`>iGsMi;vLptjh3rHzGnOchoqry9kmb^lo12~ z2p>6Y_A3CqL;#R>Xnwe|a(@?Gz=I=Z#wUVO=ROYHRyx?J*5#)#^5gzT$-WvD6jt*b z{#gYTnVQmY#o^auy`Bc%LlE&l&;KL~aOU*Z5L4rn20De;rTSxSFiEO!zYw2fqNQtE zyh~k9`~VgJoy?b%Sz7f}Fd{>03?j)Io1%%J+Hw@}9FIn1 zY=ioGq7A8Oyb3^P=Q<#(hodwi@VwOaNO@4J$O4KYk-(2jIGtCH#D5(JE{jnB>&O)1 z%uY07bmthVaS(3kreCr~^E8G*q#2PQpyIcUm-++pVJIvDI|%5I%0g!7g`*m;P_`mV z@M9>FwF#E`{sTY4AqMVX;EsWB1Q6e~4%%#{5M5D2cyI{n86X-27AN%3B!y-y)j3iQ zxCA4BFNaOfF_~BJcxjF`Z^W_ z*IZndrh0r>2l_{~1siw!UI#jmUO(j8s0!(AS)b(_HL{OK#57ZQ{jR6T1NwOlL`>U0 z95n*6YJjZTNNAptyDa3WJY*#eO)$*bPXwEyAt2#VgDoE`l7)15WG+JWn)L=m&cK$E zy|)w=FHNl0eHSZYAD5!4N6I&P$>wD|a*58f|M7CzP2U_66d+P7^mUqaMKCtR^rmaV zYiMKY6Syd$FWY1wjXBbc)1R!L2&zIPL&feJ@HY7mU=O*by9!fVKky(PK+EL?OohAe zmAg(L-VFxv0>;#{Xd=~1Hh|o45@TqB3+k|OqkfB&CrMy*OGfgdWfjnd%&q8SgXz#G zyQmRDvw=gh7b-jS8&#H1Wb7D2B@Bf2JZ^HqtTjlB1<^JI?~Qw^lkAeU`dbk{bcuh2 zGuOrWcfabu;9nwVD%z0zbB9z9SKqe%!kZq(_d}{`c zu1fmX-_N#^ESs@-txS~cc-Qdl(n#hkopb=M?6sDdWmcNVw}`ux+au3I`Ok%<@V4q_ zd_Nm9rn{z>aGiyWF=NA(#CW&VF{5kxI7m9iqzA4f#GkDlGpZs{OQ3x($ULdw42kVF^ZM}UW*M5m+sK)qZDZA}+*=S<)T1%;m`g{B7k+uNjZSx3@Z!%MfoqYp0W`d*C;?DD&Q_NT-0& zY=9B)ui5aYC7Biv;dN{Hc!Zc2DWHzC>w@<}N=Ojxn&#~TC*lbRsg@3G2CCy1VT?38 z3CZd3NpM;h;+JZMt2?WVyrvfB@-F$Oz9Pv@dNnXA8hsLE7O|u&&DabHYby#y#4qiN zr`nG*zQVx*8QY*XPF)3`bw6d0LuHu&#awxKI)JS$m9b?%k(#gb&|oD>M~(gG!QxbE3HGauR;sCYZ{t$wSXJJC^uU2MBnpX1u)thDfBW2*s+!ejlU7~@a^V-bq9eU(rH&VLRxLBFuqkt{v`mx9{7 zhwrp^$R-Bu7t^qUFw9Dd*=K6%D?Inmjo@~2Q~5A=tK?>ie4~v_ZFPv4KuwVA%&{={ zo|oVvq*APd)ja=VMyt3$ZKyt5uJyjpK19UIz!uh#9-Iw>f5?d^j~$qpNMI_>YzqAT zc@i~>je7IgKSHLqy`n}y^lm*r2c{739@*E~cU+>cMjhz=8nme2xW5_e@Gu9z^_F%? 
zp5@w|19DbRD)^jttW$N*^M87}HQ3=)<8)r%((J5NW2Fy-y`zlh?^qb5Z8*`sC-<)C zuZL>G9JZx&p*2&Q-ys^e0~3l<{RJ{A8EDNw@CRM^Bh+#u-tCVHenb2^b@jqGcA;pn zgZElN$yQEBZMo0PEUJ5;m~7mPecCZec&IE%wV1`SzuX~f!j<+M!o!@c)GLwrz%Td7 zFqS`k>p_S&-%8D%-Nv3uB8$M4R%Jr#bY}FWD*8Kb-eJeO+XeOUw9l@uBlyt7jIG2g2mHeNv1?Tm@e?dl*J$zvdv3IXqi>luSd!! zq;y<0wBGIMc(BoNx-}?Rb+$ka~K!##hZ1A_#&~t_}B7!0m(owzfQk@iF z=4K;fMdv$&CgSB&So-y6kxs{tpKIFGc`&>MrXG@--iW`>ePHHUEMtM?e+$`SQ@%>o zTO;veYYhEh&BM@Y2K^UWyA1!jS;4oM(;1h!E8=maJTBe3k~ot5$TO6u@RsGnEwY>J#s&KS#N^oyaXwOBGgD-_7n|z0& zqZsN?4p#cb*2?yq9BanLG?@=Xd)EVl0m-#8;_}%I6Ikvf()kCXb1(o#!{zLT2y&#n z#=~2s*bZ4RJH8cN!aIhdDRIu(AW?wXPaNu*F~&ojS04RoIl`c*^kHQ#GXf8z4PUY@ zIQJ?|@E$yY20B}PI7wT;bI&lJR(%s3L}>L0y0w6$*3VYFmm;FgIEcUjak{22dqr5g zE9HP#gwc1|asDPWkxWP#*KFAWTE1x~y2nZILTXYM{+vHw3&?6~tZOak>!MIMy>@1t zFnCS2p>+0>$WXC2IV&le2&%(u2TUYrSo|#X8~)JT3UGJRvp3yk@d#-3=c~$jnLJck zyOCo1AL|KG(CkjSz+pifN%F}5`Z1s4d-w=MEPP&CwCIS)__J@B)kjc=sRp9-lkGWi z;Ml<4Yb$%x#Vq03k-NWt@Ljqvu={nx^W}ZwwtLF!ROh|E)e=N8;Pb(g2y#z;7*U}p zJ3v0)o|P@w{qR5oJNxtL#fy&QBhA>hJ!|}_8!HHE=-$~C2?A2p2AsPbz%?u#Q81L15U zI}SE$1F&#tN?Oqn*_8z0l51{w;{jD^aUVCrKlN_$C<+Ilv#SdHCP2)nyp!^Rp9fT% zjPU#p1zI(~@Kpv4GWbHbbp63XGP(lqz9#{&@5?FbWTbq_ZMl>>2t8#y!UHQ#YQ^&p zi@G>KvRU1lAw7mF$bBJJwoT8B+`rf8h64l zHgqS4ghVt7eILM*q*k|%>WraEat*p5JCUhV)Z;KOSJwH8>OlHC;4X|BtS`3Z8IZo> zUsWI)2K!=Po6R2pbVKNmTo1zCoBR|zpm@VU_n4~_$OJ~*iRf--~U7V=bz>wZQP&GRFexml7Nc%r%4jq z=dgg<2^XG!{t0!P3l+GA1Q|+@|KG|`8S9G^vQ?1afq&|Q$NXIQr`S_XBOCg3F1Z#+ z4i^u2K?V$<|3$+E(vabz$Uqt-XC54&@K@MoRj&x9M$N>WWWu7d&Sv*Pf5 zCl_!R>epb=U~ueb^Yvl#9DVE_12!r!@B!)v*%RlDrw~7nhIznRHa6O>6T)(%DCivp z?IJK)aeF|rP8D(0KXGC^Bx(gsPTGg5G*ny!WbT>r@LS7Pk9H=&K7c$_`Lmt z0S-4$;cEmAf>Ev<FQg;!SA&RP6gEAez#1)jw-E_spdh&LA$hid@gy4qNV}jc zqbdq*4m?;O1#1P8xNq2NMcyy12T;@|Xj(HxaDzD$f;Qv%|hkdmS(_4BvDqP%DYhBDXz0f1A!XcXE2WN=$>+nNpA*7B=yxL5~w zPy*n}9RZS;b`@yEar-LxkZd54tedPJH2B#ACWOP&K<(jv;=f(7%nu$hZUg{l6afNo zeIE>bVD+S2jXWd3&FV_(e`c*dd+2ca1xTZgsQlBySR9;#RU>vydX=6C&9&& zgO)jVgA3*g!A>Y~!MKgIga8EN#KUGej~5TXg&`O%GV~BoLMZDyF)9G6Fc&onayPfY 
z5Kfvoec&@>#!5Q{;ch^!$wb(ZP1gM# z31pcWs4xLu#9?C?>X`bAr3Yr@sXE-42zGqG3Tkaa1*I(DVLkxsa?&d!Fj-zyhIi%MBB;h#v2YD0cuGSqKKM$^I!po2zOp9p~qC=4y-@{wVzj^R*40u z`yuUwXndp%gwp4ZVGIOJ7>cuioAW@z2tA@yV+YX<1$4L$862swf;R$^Ge%KRG6?ieAQRn|WpZ|9l{$BG|~lmU%cpiolCD4l9Ba5!i5p*$Sh%7(wA0d!-kUMvaf`e@dtU@39fu?@V+&v=lOM$2b6lN4589DL<;>&ag-r{*#q`G2)bQG&ghhG|RIMw~}cPJ#C# zyQc8Xj8+k1X?Jnl%$%V2rQ0VNj(riApR625CYo@X4&RSmRua5QImvj6`<%L$-QdF@ z@!w|*Ni28P7nFanOC+vIyh0PD-2Q0ZxNDMT)u-#V{p;~dn^kl3p4vbBPq=vRd+Ipn z;9XOwA2uBJLX6VY6Z^;7u0IUxB^b|;tiXJzmLsyfprpmA+=E^|9H0%s;LNrwqIo05 zM2_w?(<`&?Td^{t=S_Yr@!lTGn58hBeJAJl&l5W~k~YA-fD!TeD{=IY{NkSb#I@YM zR`L>kq-T2RiKP2#s_w(|m1`X`xv+;R+-=}Gr@13 zLaiDt@r7Dy`5~RHz^-=VjvqIxERfgP<$Myu9KHXDGfrYPS zZ@Z-q9O5*&#J+>N7`j*Ku}7l(ccgfER}L~A?-E{xC}D(?ELY7?||KfuCc#K^pN`xD$gBNB&C|jz)tHbDFec`5hhdL#6ET`Eg4sQ1I2#L9ina8iht9vFX%i7W+f_I z%tFm>BR&8EJvR-~a=xRN9i)tahQ&>C&QpZ?lcC#gVpZjMCgg>DKu? zBlnSD=PcTl9l=b83aUV){28sX?)DRHU*@L<^8?77y(X^`LWSfFv~ncgOSIA`sHzUa z+dzAUXU^#UL3VA=OW!lXCJqTKcOOT=-Z&3+t3b&yl9OZn#Uok8dsfSf^cB5sRW0An z*SFL5#h;XImGfAlcQY;KYvEDq?od0L{8D$x`3j@gK%%An#p&XKYa=3#j5MUpDecyP zN$ZHInUJB$Vz#PoIN!>97luR~{$u6Jo3;GIbQ7Y|``=o0CF*?5^a6f6>wIcGtX_>7n1DC2aN-s z&{r*6WGa0o)gvwh-kZC+=P<{ZH`Z;NrWFnP;GtDsPb?(o*D%7~*j-t;cGLxF90mU8(|F-pPCPs*uv zz$1+EsWfNvhC}(@l9m>Y&agw3NO9dC3kpPYI#`04JD z+?g{Sgq-5(SHbRrV<_ibDl_4HnwF7@0Ta55C)rv4l)tmq_GJ6i^a7fMGk)E{;<>fM zLR4*5pIE1D^pO7$a;nhj*0bfShhdfNvwO5ODLtf&SCz3fAxUQ0`9WyR3~fmvnEx_1=ho^?^x2LTCR|AOohLC=|KPlGr7M7;4}O)lXAyuX(MNq zse~J|2-O=a%@X%xyO`cvG7DwM6uer)s2+j&MDG;zYH-^2AtDj>Q=s*PQRB%C=SJc% z`@7=DG+o!O1X$^VqMN^;i~1!i(r|d}Q>1*H=#!^~XC`=j>n19`z2E~GVq+FQ7?D8z zAk*LaM&_r}v38Ri{11MPfnp9h@ZEwFeXl&-Eqw$mFq>fLh;x%UpdRy0L6RgU{Zpsh z_Z^N7{hIRqi7IShX0xRglc!L=0By=?LSux0Us?k4X=kA+%vQY;&w|W?AM{nfKqbV7 ziXB5`XhH+r$k?_2mWynC_%?b_&&@g!GI#PsgZHvjV;E|{INA`eJg>~XHw9DlCPARQ zstx($5e-Sqf;DB%)6R91eZya};EfSDXTuf(;oPCkphz(8#wl;`gXsxpKR##z!0(3h z^eRj3uS5IJwI8fVZP7CmHU5bX_nafdh%22KP>_azei_u5d;pYb6 zs(uEdQ2^5GZ>`FuJuu?1FbIuXtn8v$VNnpbb;Zxu74@@~1f>FmPd5n`cOs1Bv^~2L 
zp^6;KSKF-?O?AOz{5n~@LkHX$$OYW12{6l~(hmEEHaZL&?1ocI(heDVP2|DF(>@)Z zm~Wb%@Z@Dzo{L8F$%5q@mC@`p10))PfmU=tctNi^*%8V^9%2y03)crMH0u4*zN6qw zOCuS!qs1#LyhdN%xUe^kZJXm)#r^OpLYMLf$1(?*2*5GtGzleN01mIbu2G^`mxmZB z4`*qT-0Nm)V4hC)Ndk(bB4VmqA)^MJ&=`RN=H>5OJt#lz9kcuNxwXT~uS}Pj(J^Jc z>fdb3$9Tq2+IvR9vAaeD6nilhwrUMtkagk{JJw>WGT*o_9nzAH*8XJ40UJsv5`H43G*!6 z#-m%CA&nu^W@?i&2RF2B1c(f=4Sc2p-2JWh`~K;`1&7L&cgwZ49)uq^h7Vp$SsB#Z z&^`$3-E)1PDyErHu~~KP-D%NI1;tD)+0=B+;+ld3uB)E#*9`@G+RbY%6^=h2t5DUQ z$=yAF=^isibz0^o;mUIHsutb9J#4$W*DcPT8RzX2u7uCxFejc=^NQ8$-Ot``@9q_I zAlf!vB})~>v@fGonflMsU02FA8(U{l+(|^+IdkFT-d;5qOP5JA-qyBj zrM5Gg$LDK(7N%PqlUh$ZF|c z_kmN9H3!;dds4ZXeE%n*KMcpKdE6JDx_NcVc+7<{B;!MVldOAx=ALe1-Id|W>W#n_ z|DCWvO**vqv!LGM!-_8l;G$U|PfujvH(aI=e# zVMc81lAu%2qD$=%yVlC@=$pDJule=qFr*2NQX+Fmn(CRi{oLNr2bOt-Oc%t!Gk5NAhV#x`=uDuIi-`pFri-eSY{YOM-1jx92w*n!uT3nr$P(At|&3JHDFekC^&} z)1;zz8jq}qbtx#UjN8@cIF3tXMO+d0him_ZcB~n@eC&0&Q19O0lA=M4+iOy}GBhQ4 z4@Fi#B-=(R^lA^8s^I7(NnA|XvPdZSjIZgA|8 z=ZAW2Id>_hOs|X7FC1g5SdLVSbmzkGy2md?+EL3-q~oq`pY#`+7aD>`G~+S7S#%{m zq5W`E)J$(~Sns{db}sgeZs#hWj!X6(?{pvU*NufW@zfE8i>BRC%XS2fr+YREo);Ar zW#4bf+rMGAeX>k=O%@9?y0HS$Vl1lOF5lYgos>#}iuaxz3C8eV+Ju3Zm^$1)q7Y`& z9kpQh)EZh*;{E+g_e|eZyl)O|uZrrJAPh|2KLV=>Rt0I#q@bReZQ-!!^E<=D-7Fx0}NNIKE}7aKt~_BBofDX$NigE zpIr}a7_kaX;DVdEpYV! literal 0 HcmV?d00001 diff --git a/packages/endace/manifest.yml b/packages/endace/manifest.yml new file mode 100644 index 00000000000..929632bf8ee --- /dev/null +++ b/packages/endace/manifest.yml 
@@ -0,0 +1,100 @@
+format_version: 3.0.0
+name: endace
+title: "Endace"
+version: 0.0.4
+source:
+ license: "Elastic-2.0"
+description: "This Endace integration configures Network Packet Capture for flow generation and adds a pivot field to your Endace platform."
+type: integration
+categories:
+ - aws
+ - cloud
+ - custom
+ - network
+conditions:
+ kibana:
+ version: ^8.6.2
+ elastic:
+ subscription: "basic"
+screenshots:
+ - src: /img/endace-screenshot-1.png
+ title: Endace
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/endace-logo.svg
+ title: Endace logo
+ size: 128x128
+ type: image/svg+xml
+vars:
+ - name: endace_url
+ type: text
+ title: Endace UI URL
+ multi: false
+ required: true
+ show_user: true
+ description: "Base URL for Endace UI. Example: https://myvprobe.com"
+ - name: endace_datasources
+ type: text
+ title: Endace Datasources
+ description: Datasource within Endace
+ multi: false
+ required: true
+ show_user: false
+ default: "tag:rotation-file"
+ - name: endace_tools
+ type: text
+ title: Endace Tools
+ description: Tools within Endace
+ multi: false
+ required: true
+ show_user: false
+ default: "trafficOverTime_by_app,conversations_by_ipaddress"
+ - name: endace_lookback
+ type: text
+ title: Endace Lookback Time
+ description: Lookback time in minutes. Example 10
+ multi: false
+ required: true
+ show_user: false
+ default: "10"
+
+policy_templates:
+ - name: endace
+ title: Endace Flow logs
+ description: Capture network traffic via Endace Flow or Network Packet Capture
+ inputs:
+ - type: packet
+ title: Capture network traffic
+ description: Collecting network traffic. Use this if using Endace vProbe
+ vars:
+ - name: interface
+ type: text
+ title: Interface
+ required: false
+ show_user: true
+ - name: never_install
+ type: bool
+ title: Never Install Npcap on Windows
+ description: |-
+ On Windows, the Network Packet Capture integration requires an Npcap DLL installation.
+ This is provided by the integration for users of the Elastic Licenced version. In some
+ cases users may wish to use their own installed version. In order to allow this, this
+ option can be used. Setting it to `true` will disable installation of the bundled Npcap
+ library.
+
+ Note that if there is no Npcap installed the integration will not function, and versions
+ of the Npcap library other than the bundled version may not provide functionality required
+ by the integration.
+ required: false
+ show_user: false
+ default: false
+ - type: netflow
+ title: Collect Endace Flow logs
+ description: Collecting Endace Flow logs using the netflow input
+agent:
+ privileges:
+ root: true
+owner:
+ github: elastic/integrations
+ type: partner
diff --git a/packages/endace/validation.yml b/packages/endace/validation.yml
new file mode 100644
index 00000000000..9dcaa3b03ff
--- /dev/null
+++ b/packages/endace/validation.yml
@@ -0,0 +1,5 @@
+errors:
+ exclude_checks:
+ - SVR00002 # Mandatory filters in dashboards.
+ - SVR00004 # References in dashboards.
+ - SVR00005 # Kibana version for saved tags.
From c01b125993e35f1986d0b7c2a2c6ff52c854b332 Mon Sep 17 00:00:00 2001
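Review bot: `endace_lookback` is declared `type: text` but is consumed as a number (the flow pipeline multiplies it and the pipeline fixtures later in this series feed it as the integer `10`), so it should be `type: integer`, which also gives Fleet-side validation instead of letting a non-numeric value reach the pipeline. `endace_url` is interpolated unescaped into `event.reference` on every document and Kibana renders that field as a clickable link, so its description should state that it must be a trusted base URL including the scheme and without a trailing slash, and that the value is indexed and visible to anyone who can read the data streams. `categories` lists `aws` and `cloud` for what the description presents as an on-host packet-capture/NetFlow integration; `network` and `custom` are the only entries the description supports. `agent.privileges.root: true` is unexplained; a sentence in the package description noting that the packet input needs raw-socket access would help operators reviewing the policy.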
From: James Garside Date: Thu, 20 Jun 2024 13:59:41 +0100 Subject: [PATCH 02/23] Netflow tests complete --- .github/CODEOWNERS | 1 + .../_dev/deploy/docker/docker-compose.yml | 2 +- .../system/test-http-get-2k-file-config.yml | 1 + .../test/system/test-icmp-2-pings-config.yml | 1 + .../test/system/test-icmp4-ping-config.yml | 1 + .../test/system/test-icmp6-ping-config.yml | 1 + .../elasticsearch/ingest_pipeline/endace.yml | 4 +- .../endace/data_stream/log/_dev/add_field.py | 48 +++++ .../pipeline/test-netflow-log-events.json | 204 ++++++++++++++++++ ...test-netflow-log-events.json-expected.json | 17 +- .../_dev/test/system/test-netflow-config.yml | 2 + .../log/agent/stream/netflow.yml.hbs | 7 +- .../elasticsearch/ingest_pipeline/default.yml | 6 + .../ingest_pipeline/endace-netflow.yml | 69 ++++++ 14 files changed, 354 insertions(+), 10 deletions(-) rename packages/endace/{ => data_stream/flow}/elasticsearch/ingest_pipeline/endace.yml (95%) create mode 100644 packages/endace/data_stream/log/_dev/add_field.py create mode 100644 packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 504e8f7d7c2..b6c6135f607 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -146,6 +146,7 @@ /packages/elastic_package_registry @elastic/ecosystem /packages/elasticsearch @elastic/stack-monitoring /packages/enterprisesearch @elastic/stack-monitoring +/packages/endace @elastic/sec-deployment-and-devices /packages/entityanalytics_entra_id @elastic/security-service-integrations /packages/entityanalytics_okta @elastic/security-service-integrations /packages/eset_protect @elastic/security-service-integrations diff --git a/packages/endace/_dev/deploy/docker/docker-compose.yml b/packages/endace/_dev/deploy/docker/docker-compose.yml index 645c7f1a81e..adbdde59baf 100644 --- a/packages/endace/_dev/deploy/docker/docker-compose.yml +++ b/packages/endace/_dev/deploy/docker/docker-compose.yml 
@@ -1,6 +1,6 @@ version: "2.3" services: - network_traffic: + endace: image: alpine volumes: - ./pcaps:/sample_pcaps:ro diff --git a/packages/endace/data_stream/flow/_dev/test/system/test-http-get-2k-file-config.yml b/packages/endace/data_stream/flow/_dev/test/system/test-http-get-2k-file-config.yml index 7d40f8b2d97..2cbfac50130 100644 --- a/packages/endace/data_stream/flow/_dev/test/system/test-http-get-2k-file-config.yml +++ b/packages/endace/data_stream/flow/_dev/test/system/test-http-get-2k-file-config.yml @@ -4,3 +4,4 @@ input: packet data_stream: vars: period: '-1s' + endace_url: 'http://test.elastic.co' \ No newline at end of file diff --git a/packages/endace/data_stream/flow/_dev/test/system/test-icmp-2-pings-config.yml b/packages/endace/data_stream/flow/_dev/test/system/test-icmp-2-pings-config.yml index d185b5ac134..d288467b690 100644 --- a/packages/endace/data_stream/flow/_dev/test/system/test-icmp-2-pings-config.yml +++ b/packages/endace/data_stream/flow/_dev/test/system/test-icmp-2-pings-config.yml @@ -5,3 +5,4 @@ data_stream: vars: timeout: '5s' period: '-1s' + endace_url: 'http://test.elastic.co' \ No newline at end of file diff --git a/packages/endace/data_stream/flow/_dev/test/system/test-icmp4-ping-config.yml b/packages/endace/data_stream/flow/_dev/test/system/test-icmp4-ping-config.yml index af1d6962cbc..ac9dd427000 100644 --- a/packages/endace/data_stream/flow/_dev/test/system/test-icmp4-ping-config.yml +++ b/packages/endace/data_stream/flow/_dev/test/system/test-icmp4-ping-config.yml @@ -4,3 +4,4 @@ input: packet data_stream: vars: period: '1s' + endace_url: 'http://test.elastic.co' diff --git a/packages/endace/data_stream/flow/_dev/test/system/test-icmp6-ping-config.yml b/packages/endace/data_stream/flow/_dev/test/system/test-icmp6-ping-config.yml index 4b6304198e4..be4ef69d695 100644 --- a/packages/endace/data_stream/flow/_dev/test/system/test-icmp6-ping-config.yml 
+++ b/packages/endace/data_stream/flow/_dev/test/system/test-icmp6-ping-config.yml @@ -4,3 +4,4 @@ input: packet data_stream: vars: period: '1s' + endace_url: 'http://test.elastic.co' diff --git a/packages/endace/elasticsearch/ingest_pipeline/endace.yml b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml similarity index 95% rename from packages/endace/elasticsearch/ingest_pipeline/endace.yml rename to packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml index 4aeffb2b45b..eb6cca3dffb 100644 --- a/packages/endace/elasticsearch/ingest_pipeline/endace.yml +++ b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml @@ -49,4 +49,6 @@ processors: value: "{{ _conf.endace_url}}/vision2/pivotintovision/?title=endace_pivot&datasources={{_conf.endace_datasources }}&start={{ _conf.event.start }}&end={{ _conf.event.end }}&tools={{ _conf.endace_tools }}&{{ _conf.ip_conv }}" ignore_empty_value: true tag: endace reference url - if: ctx.destination?.ip != null && ctx.destination?.ip != '' && ctx.source?.ip != null && ctx.source?.ip != '' \ No newline at end of file + if: ctx.destination?.ip != null && ctx.destination?.ip != '' && ctx.source?.ip != null && ctx.source?.ip != '' + - remove: + field: "_conf" \ No newline at end of file diff --git a/packages/endace/data_stream/log/_dev/add_field.py b/packages/endace/data_stream/log/_dev/add_field.py new file mode 100644 index 00000000000..03f94518a03 --- /dev/null +++ b/packages/endace/data_stream/log/_dev/add_field.py 
@@ -0,0 +1,48 @@
+import json, os, collections, copy
+
+
+
+events_path = os.getcwd() + "/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json"
+expected_events_path = os.getcwd() + "/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json"
+
+with open(events_path, 'r') as f:
+ events = json.load(f, object_pairs_hook=collections.OrderedDict)
+
+with open(expected_events_path, 'r') as ef:
+ expected_events = json.load(ef, object_pairs_hook=collections.OrderedDict)
+
+
+# expected_events = copy.deepcopy(events)
+
+def process_events():
+ for event in events['events']:
+ if '_conf' not in event:
+ event['_conf'] = {}
+ event['_conf']['endace_url'] = 'https://test.test.local'
+ event['_conf']['endace_datasources'] = 'tag:rotation-file'
+ event['_conf']['endace_tools'] = 'trafficOverTime_by_app,conversations_by_ipaddress'
+ event['_conf']['endace_lookback'] = 10
+
+
+def process_expected_events():
+ for event in expected_events['expected']:
+ if '_conf' in event:
+ del event['_conf']
+ # expected_events['expected'] = expected_events.pop('events')
+
+
+
+process_events()
+
+process_expected_events()
+
+
+# Write Events
+with open(events_path, 'w') as f:
+ json.dump(events, f, indent=4)
+
+
+# Write Expected Events
+with open(expected_events_path, 'w') as ef:
+ json.dump(expected_events, ef, indent=4)
+
diff --git a/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json b/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json
index 2507a856291..99ab16f813a 100644
--- a/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json
+++ b/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json
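Review bot: `json.dump` is called with the default `ensure_ascii=True` and both files are opened without an explicit encoding, so every non-ASCII string in the fixtures is rewritten as a `\uXXXX` escape on each run — this same series shows `Linköping` turning into `Link\u00f6ping` in the expected file — and the rewrite also drops the trailing newline. Open the files with `encoding='utf-8'`, pass `ensure_ascii=False`, and write a final `\n`. The injected `_conf` values duplicate the defaults in `manifest.yml`, and `copy` is imported but unused; a short module docstring saying this is a one-shot fixture generator to be rerun whenever the pipeline's `_conf` contract changes would make the duplication deliberate.
```python
# … unchanged: path setup …
with open(events_path, 'r', encoding='utf-8') as f:
    events = json.load(f, object_pairs_hook=collections.OrderedDict)

with open(expected_events_path, 'r', encoding='utf-8') as ef:
    expected_events = json.load(ef, object_pairs_hook=collections.OrderedDict)

# … unchanged: process_events / process_expected_events and their calls …

with open(events_path, 'w', encoding='utf-8') as f:
    json.dump(events, f, indent=4, ensure_ascii=False)
    f.write('\n')

with open(expected_events_path, 'w', encoding='utf-8') as ef:
    json.dump(expected_events, ef, indent=4, ensure_ascii=False)
    ef.write('\n')
```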
@@ -102,6 +102,12 @@ "destination": { "bytes": 0, "packets": 0 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -206,6 +212,12 @@ "packets": 6, "direction": "unknown", "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -310,6 +322,12 @@ }, "ecs": { "version": "1.8.0" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -414,6 +432,12 @@ "packets": 79, "direction": "unknown", "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -518,6 +542,12 @@ "name": "mbp.local", "type": "filebeat", "version": "8.0.0" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -622,6 +652,12 @@ "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=", "transport": "tcp", "iana_number": 6 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { 
@@ -726,6 +762,12 @@ "packets": 39, "direction": "unknown", "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -830,6 +872,12 @@ }, "observer": { "ip": "127.0.0.1" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -934,6 +982,12 @@ }, "observer": { "ip": "127.0.0.1" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -1038,6 +1092,12 @@ "name": "mbp.local", "type": "filebeat", "version": "8.0.0" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -1142,6 +1202,12 @@ "bytes": 4965, "packets": 13, "direction": "unknown" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -1246,6 +1312,12 @@ "source": { "bytes": 138, "packets": 4 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -1350,6 +1422,12 @@ }, "input": { "type": "netflow" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { 
@@ -1454,6 +1532,12 @@ "type": [ "connection" ] + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -1558,6 +1642,12 @@ "flow": { "id": "Vhs9T5k296w", "locality": "internal" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -1662,6 +1752,12 @@ "destination": { "bytes": 0, "packets": 0 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -1766,6 +1862,12 @@ "flow": { "locality": "internal", "id": "Vhs9T5k296w" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -1870,6 +1972,12 @@ }, "ecs": { "version": "1.8.0" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -1974,6 +2082,12 @@ "destination": { "bytes": 0, "packets": 0 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -2078,6 +2192,12 @@ "client": { "bytes": 1487, "packets": 21 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { 
@@ -2182,6 +2302,12 @@ "packets": 17, "direction": "unknown", "community_id": "1:idwO/QHAjbcGlF1bfQE9dPuu7T0=" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -2286,6 +2412,12 @@ "type": "filebeat", "version": "8.0.0", "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -2390,6 +2522,12 @@ "ephemeral_id": "0a75cedf-6ef5-4932-8d1b-43b0d1b4739c", "id": "508165af-d28d-4de1-bbb3-e81aafd32d75", "name": "mbp.local" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -2494,6 +2632,12 @@ }, "host": { "name": "mbp.local" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -2598,6 +2742,12 @@ "source": { "bytes": 1005, "packets": 4 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -2702,6 +2852,12 @@ "client": { "bytes": 138, "packets": 4 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { 
@@ -2806,6 +2962,12 @@ }, "input": { "type": "netflow" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -2910,6 +3072,12 @@ }, "observer": { "ip": "127.0.0.1" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -3014,6 +3182,12 @@ }, "host": { "name": "mbp.local" + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -3083,6 +3257,12 @@ "locality": "internal", "packets": 5, "port": 53 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -3152,6 +3332,12 @@ "locality": "external", "packets": 10, "port": 443 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -3221,6 +3407,12 @@ "locality": "internal", "packets": 11, "port": 49180 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { @@ -3295,6 +3487,12 @@ "ip": "0.0.0.0", "locality": "internal", "port": 136 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } }, { 
@@ -3367,6 +3565,12 @@ "ip": "0.0.0.0", "locality": "internal", "port": 136 + }, + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 } } ] diff --git a/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json b/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json index 8b3f75a1aec..c4d15424718 100644 --- a/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json +++ b/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json @@ -3179,7 +3179,8 @@ "kind": "event", "type": [ "connection" - ] + ], + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1587079368960&end=1587078768963&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.127.32.11%2610.36.236.100" }, "flow": { "id": "6mUV1nPVG80", @@ -3254,7 +3255,8 @@ "kind": "event", "type": [ "connection" - ] + ], + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1587079367995&end=1587078768404&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=89.160.20.112%2610.36.236.100" }, "flow": { "id": "HVg4SttTufc", @@ -3312,7 +3314,7 @@ }, "bytes": 7158, "geo": { - "city_name": "Linköping", + "city_name": "Link\u00f6ping", "continent_name": "Europe", "country_iso_code": "SE", "country_name": "Sweden", @@ -3321,7 +3323,7 @@ "lon": 15.6167 }, "region_iso_code": "SE-E", - "region_name": "Östergötland County" + "region_name": "\u00d6sterg\u00f6tland County" }, "ip": "89.160.20.112", "locality": "external", @@ -3339,7 +3341,7 @@ } }, "geo": { - "city_name": "Linköping", + "city_name": "Link\u00f6ping", "continent_name": "Europe", "country_iso_code": "SE", "country_name": "Sweden", 
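Review bot: The expected `event.reference` values lock in an inverted window: in each one `end` is about ten minutes before `start` (`start=1587079368960&end=1587078768963`), which is what subtracting the lookback from the end time rather than the start would produce. The `endace-netflow` pipeline that generates these values is outside this chunk, but the fixture should not be accepted until the intended direction of the lookback is settled, since it will otherwise pin the wrong behaviour. The `Linköping` → `Link\u00f6ping` churn in the same file is an artifact of the regeneration script's `ensure_ascii` default, not a pipeline change, and is better reverted.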
@@ -3348,7 +3350,7 @@
 "lon": 15.6167
 },
 "region_iso_code": "SE-E",
- "region_name": "Östergötland County"
+ "region_name": "\u00d6sterg\u00f6tland County"
 },
 "ip": "89.160.20.112",
 "locality": "external",
@@ -3365,7 +3367,8 @@
 "kind": "event",
 "type": [
 "connection"
- ]
+ ],
+ "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1587079367920&end=1587078768404&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.36.236.100%2689.160.20.112"
 },
 "flow": {
 "id": "HVg4SttTufc",
diff --git a/packages/endace/data_stream/log/_dev/test/system/test-netflow-config.yml b/packages/endace/data_stream/log/_dev/test/system/test-netflow-config.yml
index d55e2268d3c..80cb30b3000 100644
--- a/packages/endace/data_stream/log/_dev/test/system/test-netflow-config.yml
+++ b/packages/endace/data_stream/log/_dev/test/system/test-netflow-config.yml
@@ -5,5 +5,7 @@ data_stream:
 vars:
 host: 0.0.0.0
 port: 2055
+ endace_url: 'http://test.elastic.co'
+
 numeric_keyword_fields:
 - network.iana_number
diff --git a/packages/endace/data_stream/log/agent/stream/netflow.yml.hbs b/packages/endace/data_stream/log/agent/stream/netflow.yml.hbs
index c2d192f3c75..cf0bb64390f 100644
--- a/packages/endace/data_stream/log/agent/stream/netflow.yml.hbs
+++ b/packages/endace/data_stream/log/agent/stream/netflow.yml.hbs
@@ -31,7 +31,12 @@ tags:
 {{#contains "forwarded" tags}}
 publisher_pipeline.disable_host: true
 {{/contains}}
-{{#if processors}}
 processors:
+- add_fields:
+ target: "_conf"
+ fields:
+ endace_url: {{ endace_url }}
+ test: "test"
+{{#if processors}}
 {{processors}}
 {{/if}}
diff --git a/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml
index 2dd1531816f..f01170ba54e 100644
--- a/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml
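Review bot: The `add_fields` block added to `netflow.yml.hbs` populates only `_conf.endace_url` (plus a leftover `test: "test"` debug key), while the `endace-netflow` pipeline in this same patch reads `_conf.endace_datasources`, `_conf.endace_tools` and `_conf.endace_lookback`; on a real agent those are absent, so the timedelta script never runs and the reference URL is built with empty `datasources=` and `tools=`. The pipeline tests only pass because the fixture injects all four keys by hand, so the template should emit the other three variables as well and drop `test`. The URL is also rendered as a bare YAML scalar from a user-supplied policy variable; `endace_url: "{{ endace_url }}"` (or the Fleet `escape_string` helper) keeps a value containing YAML-significant characters from altering the rendered stream config.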
+++ b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -106,6 +106,12 @@ processors:
 field:
 - _tmp_
 ignore_missing: true
+ - pipeline:
+ name: '{{ IngestPipeline "endace-netflow" }}'
+ tag: pipeline_processor
+ if: ctx.source?.ip != null && ctx.destination?.ip != null && ctx.source?.ip != '0.0.0.0' && ctx.destination?.ip != '0.0.0.0'
+ - remove:
+ field: "_conf"
 on_failure:
 - set:
 field: event.kind
diff --git a/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml
new file mode 100644
index 00000000000..2f0b7aa07b2
--- /dev/null
+++ b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml
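Review bot: The new `remove` processor for `_conf` has no `ignore_missing: true`, so any document that reaches this pipeline without the agent-side `add_fields` block (another input, or a policy rendered from an older template) fails at that step and is routed to `on_failure`; adding `ignore_missing: true` under `field: "_conf"` avoids that. Conversely, `_conf` is stripped only on the success path: if the nested `endace-netflow` pipeline throws, control jumps to `on_failure` and the document is indexed with `_conf` (including the configured Endace URL) still attached, so the same `remove` belongs in the `on_failure` handler too. The `on_failure` block continues outside the hunk.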
@@ -0,0 +1,69 @@
+---
+description: Endace Pivot Field.
+processors:
+ - set:
+ description: "Set IP Conversation if both destination.ip and source.ip are present"
+ field: _conf.ip_conv
+ value: "ip_conv={{ source.ip }}%26{{ destination.ip }}"
+ if: ctx.destination?.ip != null && ctx.destination?.ip != '' && ctx.source?.ip != null && ctx.source?.ip != ''
+ tag: endace conversation set
+
+ - set:
+ description: "Set IP Conversation if either destination.ip and source.ip are present"
+ field: _conf.ipconv
+ value: "ip={{ source.ip }}{{ destination.ip }}"
+ if: ctx._conf.ipconv != null && ctx.destination?.ip != null && ctx.destination?.ip != '' || ctx.source?.ip != null && ctx.source?.ip != ''
+ tag: endace ip set
+
+
+ - date:
+ description: "Convert Start time to Epoch"
+ field: netflow.flow_start_milliseconds
+ formats: ["ISO8601"]
+ target_field: _conf.event.start
+ output_format: epoch_millis
+ if: ctx.netflow?.flow_start_milliseconds != null && ctx.netflow?.flow_start_milliseconds != ''
+
+
+ - convert:
+ field: _conf.event.start
+ type: long
+ description: "Convert Start time to Long"
+ if: ctx._conf?.event?.start != null && ctx._conf?.event?.start != ''
+
+
+ - date:
+ description: "Convert End time to Epoch"
+ field: netflow.flow_end_milliseconds
+ formats: ["ISO8601"]
+ target_field: _conf.event.end
+ output_format: epoch_millis
+ if: ctx.netflow?.flow_end_milliseconds != null && ctx.netflow?.flow_end_milliseconds != ''
+
+
+ - convert:
+ field: _conf.event.end
+ type: long
+ description: "Convert End time to Long"
+ if: ctx._conf?.event?.end != null && ctx._conf?.event?.end != ''
+
+ - script:
+ source: "ctx._conf.timedelta = ctx._conf.endace_lookback * 60 * 1000"
+ tag: "Calculate Timedelta"
+ description: "Calculate Timedelta"
+ if: ctx._conf?.endace_lookback != null && ctx._conf?.endace_lookback != ''
+
+
+ - script:
+ source: "ctx._conf.event.end = ctx._conf.event.end - ctx._conf.timedelta"
+ tag: "Calculate Endtime + additional lookback"
+ description: "Calculate Endtime + additional lookback"
+ if: ctx._conf?.event?.end != null && ctx._conf?.event?.end != '' && ctx._conf?.timedelta != null && ctx._conf?.timedelta != ''
+
+
+ - set:
+ field: event.reference
+ value: "{{ _conf.endace_url}}/vision2/pivotintovision/?title=endace_pivot&datasources={{_conf.endace_datasources }}&start={{ _conf.event.start }}&end={{ _conf.event.end }}&tools={{ _conf.endace_tools }}&{{ _conf.ip_conv }}"
+ ignore_empty_value: true
+ tag: endace reference url
+ if: ctx.destination?.ip != null && ctx.destination?.ip != '' && ctx.source?.ip != null && ctx.source?.ip != ''
From d72723da777875b4411811069f22f62e30ad9c5b Mon Sep 17 00:00:00 2001
From: James Garside
Date: Fri, 21 Jun 2024 21:20:10 +0100
Subject: [PATCH 03/23] Added tests
---
 .../endace/data_stream/flow/_dev/add_field.py | 70 +
 .../_dev/test/pipeline/test-flow-events.json | 3082 +++++++++++++++++
 .../test-flow-events.json-expected.json | 2982 ++++++++++++++++
 .../elasticsearch/ingest_pipeline/default.yml | 1 +
 .../elasticsearch/ingest_pipeline/endace.yml | 36 +-
 5 files changed, 6161 insertions(+), 10 deletions(-)
 create mode 100644 packages/endace/data_stream/flow/_dev/add_field.py
 create mode 100644 packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json
 create mode 100644 packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json
diff --git a/packages/endace/data_stream/flow/_dev/add_field.py b/packages/endace/data_stream/flow/_dev/add_field.py
new file mode 100644
index 00000000000..d26b956cb73
--- /dev/null
+++ b/packages/endace/data_stream/flow/_dev/add_field.py
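Review bot: The second `script` processor subtracts the lookback from the end time (`ctx._conf.event.end = ctx._conf.event.end - ctx._conf.timedelta`) although its tag says it adds it, so the pivot window ends ten minutes before it starts; the expected fixture in this patch records exactly that (`start=1587079368960&end=1587078768963`). The intended line is presumably `ctx._conf.event.end = ctx._conf.event.end + ctx._conf.timedelta` (and, if the lookback is meant to widen both sides, a matching `start - timedelta`), after which the fixture must be regenerated. The second `set` processor (`_conf.ipconv`) can never fire because its condition requires `ctx._conf.ipconv` to already be non-null, it mixes `&&` and `||` without parentheses, and `ctx._conf.ipconv` is not null-safe so a document without `_conf` fails the whole pipeline; its value is never used by the reference URL either, so it should be removed. The final `set` also does not check `_conf.event.start`/`end`, so a flow missing either timestamp emits a reference with empty `start=`/`end=` rather than no reference.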
@@ -0,0 +1,70 @@
+import json, os, collections
+from datetime import datetime
+import time
+
+events_path = os.getcwd() + "/data_stream/flow/_dev/test/pipeline/test-flow-events.json"
+expected_events_path = os.getcwd() + "/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json"
+
+with open(events_path, 'r') as f:
+ events = json.load(f, object_pairs_hook=collections.OrderedDict)
+
+with open(expected_events_path, 'r') as ef:
+ expected_events = json.load(ef, object_pairs_hook=collections.OrderedDict)
+
+
+def remove_metadata():
+ new_events = {"events":[]}
+ for event in events['events']:
+ if '_source' in event:
+ new_events['events'].append(event['_source'])
+
+ return new_events
+
+def process_events():
+ for event in events['events']:
+ if '_conf' not in event:
+ event['_conf'] = {}
+ event['_conf']['endace_url'] = 'https://test.test.local'
+ event['_conf']['endace_datasources'] = 'tag:rotation-file'
+ event['_conf']['endace_tools'] = 'trafficOverTime_by_app,conversations_by_ipaddress'
+ event['_conf']['endace_lookback'] = 10
+
+
+ # Convert event.start to epoch
+ if 'event' in event and 'start' in event['event']:
+ start_str = event['event']['start']
+ # Assuming the date format is ISO 8601, e.g., "2023-01-01T00:00:00Z"
+ start_dt = datetime.strptime(start_str, "%Y-%m-%dT%H:%M:%SZ")
+ event['_conf']['event']['start'] = int(time.mktime(start_dt.timetuple()))
+
+ # Convert event.end to epoch
+ if 'event' in event and 'end' in event['event']:
+ end_str = event['event']['end']
+ # Assuming the date format is ISO 8601, e.g., "2023-01-01T00:00:00Z"
+ end_dt = datetime.strptime(end_str, "%Y-%m-%dT%H:%M:%SZ")
+ event['_conf']['event']['end'] = int(time.mktime(end_dt.timetuple()))
+
+
+def process_expected_events():
+ for event in expected_events['expected']:
+ if '_conf' in event:
+ del event['_conf']
+ event['ecs']['version'] = "8.11.0"
+ # expected_events['expected'] = expected_events.pop('events')
+
+
+
+process_events()
+
+process_expected_events()
+
+# events = remove_metadata()
+# Write Events
+with open(events_path, 'w') as f:
+ json.dump(events, f, indent=4)
+
+
+# Write Expected Events
+with open(expected_events_path, 'w') as ef:
+ json.dump(expected_events, ef, indent=4)
+
diff --git a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json
new file mode 100644
index 00000000000..a4b57b512f5
--- /dev/null
+++ b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json
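Review bot: `process_events` assigns to `event['_conf']['event']['start']` without ever creating the `event` sub-dict, so the first fixture entry carrying `event.start` raises `KeyError`, and `datetime.strptime(..., "%Y-%m-%dT%H:%M:%SZ")` rejects the fractional-second timestamps the fixture actually contains (`2024-06-21T11:18:18.358Z`). `time.mktime` additionally interprets the parsed value in local time and yields seconds, whereas the pipeline's `date` processors emit `epoch_millis`, so even a successful run would seed the fixture with values the pipeline does not produce. Parsing with `datetime.fromisoformat` on an explicit UTC offset and creating the sub-dict with `setdefault` fixes all three; see the excerpt. Separately, `json.dump` defaults to `ensure_ascii=True`, which is consistent with the `Linköping` → `Link\u00f6ping` churn in the expected-fixture hunk of the first patch; pass `ensure_ascii=False` in both dump calls so regenerating the fixtures does not rewrite every non-ASCII string.

```python
def _to_epoch_millis(timestamp):
    # Fixture timestamps are ISO 8601 in UTC, with or without fractional
    # seconds; the pipeline stores epoch_millis, so mirror that here.
    parsed = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return int(parsed.timestamp() * 1000)

def process_events():
    for event in events['events']:
        # … unchanged: populate the _conf.endace_* defaults …
        conf_event = event['_conf'].setdefault('event', {})
        if 'event' in event and 'start' in event['event']:
            conf_event['start'] = _to_epoch_millis(event['event']['start'])
        if 'event' in event and 'end' in event['event']:
            conf_event['end'] = _to_epoch_millis(event['event']['end'])
```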
@@ -0,0 +1,3082 @@ +{ + "events": [ + { + "server": { + "port": 80, + "bytes": 374, + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /.env", + "destination": { + "port": 80, + "bytes": 374, + "ip": "10.100.0.29" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 46324, + "bytes": 230, + "ip": "57.129.23.166" + }, + "type": "http", + "url": { + "path": "/.env", + "extension": "env", + "scheme": "http", + "domain": "34.147.158.4", + "full": "http://34.147.158.4/.env" + }, + "network": { + "community_id": "1:SUrUlAjDJgBojipINaXvE82MrcU=", + "protocol": "http", + "bytes": 604, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:18:18.358Z", + "related": { + "ip": [ + "57.129.23.166", + "10.100.0.29", + "34.147.158.4" + ] + }, + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "containerized": false, + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ 
+ "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 46324, + "bytes": 230, + "ip": "57.129.23.166" + }, + "http": { + "request": { + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 230 + }, + "response": { + "headers": { + "content-length": 177, + "content-type": "text/html" + }, + "status_phrase": "not found", + "status_code": 404, + "mime_type": "text/html", + "bytes": 374, + "body": { + "bytes": 177 + } + }, + "version": "1.1" + }, + "event": { + "duration": 506000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:18:19Z", + "kind": "event", + "start": "2024-06-21T11:18:18.358Z", + "end": "2024-06-21T11:18:18.359Z", + "type": [ + "connection", + "protocol" + ], + "category": [ + "network" + ], + "dataset": "network_traffic.http" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" + }, + "status": "Error", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "server": { + "port": 80, + "bytes": 716, + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "method": "POST", + "query": "POST /", + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "port": 80, + "bytes": 716, + "ip": "10.100.0.29" + }, + "source": { + "port": 46390, + "bytes": 316, + "ip": "57.129.23.166" + }, + "type": "http", + "url": { + "path": "/", + "scheme": "http", + "query": "0x%5B%5D=androxgh0st", + "domain": "34.147.158.4", + "full": "http://34.147.158.4/?0x%5B%5D=androxgh0st" + }, + "network": { + "community_id": 
"1:2X7Vc6YqRE4tl8APECPM4vuvaMA=", + "protocol": "http", + "bytes": 1032, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:18:18.416Z", + "related": { + "ip": [ + "57.129.23.166", + "10.100.0.29", + "34.147.158.4" + ] + }, + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "http": { + "request": { + "headers": { + "content-length": 20, + "content-type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "bytes": 316, + "body": { + "bytes": 20 + } + }, + "response": { + "headers": { + "content-length": 559, + "content-type": "text/html" + }, + "status_code": 405, + "status_phrase": "not allowed", + "mime_type": "text/html", + "bytes": 716, + "body": { + "bytes": 559 + } + }, + "version": "1.1" + }, + "client": { + "port": 46390, + "bytes": 316, + "ip": "57.129.23.166" + }, + "event": { + "duration": 238000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:18:19Z", + "kind": "event", + "start": "2024-06-21T11:18:18.416Z", + "end": "2024-06-21T11:18:18.417Z", + "type": [ + 
"connection", + "protocol" + ], + "category": [ + "network" + ], + "dataset": "network_traffic.http" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" + }, + "status": "Error", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "server": { + "port": 35176, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "port": 35176, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "source": { + "port": 80, + "ip": "169.254.169.254" + }, + "type": "http", + "error": { + "message": "Unmatched response" + }, + "network": { + "protocol": "http", + "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", + "bytes": 25084, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:18:18.465Z", + "related": { + "ip": [ + "169.254.169.254", + "10.100.0.29" + ] + }, + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + 
"name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 80, + "ip": "169.254.169.254" + }, + "http": { + "response": { + "headers": { + "content-length": 24794, + "content-type": "application/json" + }, + "status_code": 200, + "status_phrase": "ok", + "mime_type": "application/json", + "bytes": 25084, + "body": { + "bytes": 24794 + } + } + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:18:19Z", + "kind": "event", + "end": "2024-06-21T11:18:18.465Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http" + }, + "status": "Error", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "server": { + "port": 35164, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "port": 35164, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "source": { + "port": 80, + "ip": "169.254.169.254" + }, + "error": { + "message": "Unmatched response" + }, + "type": "http", + "network": { + "protocol": "http", + "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", + "bytes": 25084, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + 
"name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:18:15.709Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "ip": [ + "169.254.169.254", + "10.100.0.29" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "http": { + "response": { + "headers": { + "content-length": 24794, + "content-type": "application/json" + }, + "status_phrase": "ok", + "status_code": 200, + "mime_type": "application/json", + "bytes": 25084, + "body": { + "bytes": 24794 + } + } + }, + "client": { + "port": 80, + "ip": "169.254.169.254" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:18:17Z", + "kind": "event", + "end": "2024-06-21T11:18:15.709Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http" + }, + "status": "Error", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "server": { + "port": 80, + "ip": "169.254.169.254" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + 
"ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /computeMetadata/v1//", + "destination": { + "port": 80, + "ip": "169.254.169.254" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 35176, + "bytes": 228, + "ip": "10.100.0.29" + }, + "error": { + "message": "Unmatched request" + }, + "type": "http", + "url": { + "path": "/computeMetadata/v1//", + "scheme": "http", + "domain": "169.254.169.254", + "query": "alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true", + "full": "http://169.254.169.254/computeMetadata/v1//?alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true" + }, + "network": { + "protocol": "http", + "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", + "bytes": 228, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:17:18.451Z", + "related": { + "ip": [ + "10.100.0.29", + "169.254.169.254" + ] + }, + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": 
"28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 35176, + "bytes": 228, + "ip": "10.100.0.29" + }, + "http": { + "request": { + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 228 + }, + "version": "1.1" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:17:32Z", + "kind": "event", + "start": "2024-06-21T11:17:18.451Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http" + }, + "user_agent": { + "original": "Go-http-client/1.1" + }, + "status": "Error", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "server": { + "port": 80, + "ip": "169.254.169.254" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /computeMetadata/v1/", + "destination": { + "port": 80, + "ip": "169.254.169.254" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 35164, + "bytes": 227, + "ip": "10.100.0.29" + }, + "error": { + "message": "Unmatched request" + }, + "type": "http", + "url": { + "path": "/computeMetadata/v1/", + "scheme": "http", + "domain": "169.254.169.254", + "query": "alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true", + "full": "http://169.254.169.254/computeMetadata/v1/?alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true" + }, + "network": { + "protocol": "http", + "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", + "bytes": 227, + "transport": "tcp", + "type": "ipv4", + "direction": 
"ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "machine": { + "type": "t2d-standard-1" + }, + "service": { + "name": "GCE" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:17:15.695Z", + "related": { + "ip": [ + "10.100.0.29", + "169.254.169.254" + ] + }, + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "http": { + "request": { + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 227 + }, + "version": "1.1" + }, + "client": { + "port": 35164, + "bytes": 227, + "ip": "10.100.0.29" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:17:32Z", + "kind": "event", + "start": "2024-06-21T11:17:15.695Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http" + }, + "user_agent": { + "original": "Go-http-client/1.1" + }, + "status": "Error", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "server": { + "port": 35176, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": 
"322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "port": 35176, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "source": { + "port": 80, + "ip": "169.254.169.254" + }, + "error": { + "message": "Unmatched response" + }, + "type": "http", + "network": { + "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", + "protocol": "http", + "bytes": 25084, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:17:18.450Z", + "related": { + "ip": [ + "169.254.169.254", + "10.100.0.29" + ] + }, + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 80, + "ip": "169.254.169.254" + }, + "http": { + "response": { + "headers": { + "content-length": 24794, + "content-type": "application/json" + }, + "status_code": 200, + "status_phrase": "ok", + "mime_type": "application/json", + 
"bytes": 25084, + "body": { + "bytes": 24794 + } + } + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:17:19Z", + "kind": "event", + "end": "2024-06-21T11:17:18.450Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http" + }, + "status": "Error", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "server": { + "port": 35164, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "port": 35164, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "source": { + "port": 80, + "ip": "169.254.169.254" + }, + "error": { + "message": "Unmatched response" + }, + "type": "http", + "network": { + "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", + "protocol": "http", + "bytes": 25084, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "machine": { + "type": "t2d-standard-1" + }, + "service": { + "name": "GCE" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:17:15.695Z", + "related": { + "ip": [ + "169.254.169.254", + "10.100.0.29" + ] + }, + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { 
+ "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 80, + "ip": "169.254.169.254" + }, + "http": { + "response": { + "headers": { + "content-length": 24794, + "content-type": "application/json" + }, + "status_code": 200, + "status_phrase": "ok", + "mime_type": "application/json", + "bytes": 25084, + "body": { + "bytes": 24794 + } + } + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:17:16Z", + "kind": "event", + "end": "2024-06-21T11:17:15.695Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http" + }, + "status": "Error", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "server": { + "port": 80, + "ip": "169.254.169.254" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /computeMetadata/v1//", + "destination": { + "port": 80, + "ip": "169.254.169.254" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 35176, + "bytes": 228, + "ip": "10.100.0.29" + }, + "error": { + "message": "Unmatched request" + }, + "type": "http", + "url": { + "path": "/computeMetadata/v1//", + "scheme": "http", + "domain": "169.254.169.254", + "query": 
"alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true", + "full": "http://169.254.169.254/computeMetadata/v1//?alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true" + }, + "network": { + "protocol": "http", + "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", + "bytes": 228, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:18.436Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "ip": [ + "10.100.0.29", + "169.254.169.254" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 35176, + "bytes": 228, + "ip": "10.100.0.29" + }, + "http": { + "request": { + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 228 + }, + "version": "1.1" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:33Z", + "kind": "event", + "start": "2024-06-21T11:16:18.436Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http" + }, + "user_agent": { + 
"original": "Go-http-client/1.1" + }, + "status": "Error", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "server": { + "port": 80, + "ip": "169.254.169.254" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /computeMetadata/v1/", + "destination": { + "port": 80, + "ip": "169.254.169.254" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 35164, + "bytes": 227, + "ip": "10.100.0.29" + }, + "type": "http", + "error": { + "message": "Unmatched request" + }, + "url": { + "path": "/computeMetadata/v1/", + "scheme": "http", + "domain": "169.254.169.254", + "query": "alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true", + "full": "http://169.254.169.254/computeMetadata/v1/?alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true" + }, + "network": { + "protocol": "http", + "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", + "bytes": 227, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "machine": { + "type": "t2d-standard-1" + }, + "service": { + "name": "GCE" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:15.680Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "ip": [ + "10.100.0.29", + "169.254.169.254" + ] + }, + "data_stream": { + "namespace": "webserver", + 
"type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "http": { + "request": { + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 227 + }, + "version": "1.1" + }, + "client": { + "port": 35164, + "bytes": 227, + "ip": "10.100.0.29" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:33Z", + "kind": "event", + "start": "2024-06-21T11:16:15.680Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http" + }, + "user_agent": { + "original": "Go-http-client/1.1" + }, + "status": "Error", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "server": { + "port": 35176, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "destination": { + "port": 35176, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 80, + "ip": "169.254.169.254" + }, + "error": { + "message": "Unmatched response" + }, + "type": "http", + "network": { + "protocol": "http", + "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", + "bytes": 25084, + "transport": "tcp", 
+ "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "machine": { + "type": "t2d-standard-1" + }, + "service": { + "name": "GCE" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:18.434Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "ip": [ + "169.254.169.254", + "10.100.0.29" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "containerized": false, + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 80, + "ip": "169.254.169.254" + }, + "http": { + "response": { + "headers": { + "content-length": 24794, + "content-type": "application/json" + }, + "status_phrase": "ok", + "status_code": 200, + "mime_type": "application/json", + "bytes": 25084, + "body": { + "bytes": 24794 + } + } + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:19Z", + "kind": "event", + "end": "2024-06-21T11:16:18.434Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http" + }, + "status": "Error", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "server": { + "port": 35164, + "bytes": 25084, + 
"ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "destination": { + "port": 35164, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 80, + "ip": "169.254.169.254" + }, + "error": { + "message": "Unmatched response" + }, + "type": "http", + "network": { + "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", + "protocol": "http", + "bytes": 25084, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:15.679Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "ip": [ + "169.254.169.254", + "10.100.0.29" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 80, + "ip": "169.254.169.254" + }, + "http": { + "response": { + "headers": { + "content-length": 24794, + "content-type": "application/json" + }, + 
"status_phrase": "ok", + "status_code": 200, + "mime_type": "application/json", + "bytes": 25084, + "body": { + "bytes": 24794 + } + } + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:16Z", + "kind": "event", + "end": "2024-06-21T11:16:15.679Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http" + }, + "status": "Error", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "server": { + "port": 80, + "bytes": 38106, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /images/bg.jpg", + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "port": 80, + "bytes": 38106, + "domain": "www.test.co", + "ip": "10.100.0.29" + }, + "source": { + "port": 1541, + "bytes": 385, + "ip": "35.244.92.47" + }, + "type": "http", + "url": { + "path": "/images/bg.jpg", + "extension": "jpg", + "scheme": "http", + "domain": "www.test.co", + "full": "http://www.test.co/images/bg.jpg" + }, + "network": { + "protocol": "http", + "community_id": "1:Awz6GFqwC6DyvBuaB+al4It7yAY=", + "bytes": 38491, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + 
"@timestamp": "2024-06-21T11:16:12.734Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "hosts": [ + "www.test.co", + "http://www.test.co/assets/css/main.css" + ], + "ip": [ + "35.244.92.47", + "10.100.0.29" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 1541, + "bytes": 385, + "ip": "35.244.92.47" + }, + "http": { + "request": { + "referrer": "http://www.test.co/assets/css/main.css", + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 385 + }, + "response": { + "headers": { + "content-length": 37864, + "content-type": "image/jpeg" + }, + "status_code": 200, + "status_phrase": "ok", + "mime_type": "image/jpeg", + "bytes": 38106, + "body": { + "bytes": 37864 + } + }, + "version": "1.1" + }, + "event": { + "duration": 113000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:14Z", + "kind": "event", + "start": "2024-06-21T11:16:12.734Z", + "end": "2024-06-21T11:16:12.734Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + }, + "status": "OK", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, 
+ { + "server": { + "port": 80, + "bytes": 72153, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /assets/fonts/fontawesome-webfont.woff2", + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "port": 80, + "bytes": 72153, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "source": { + "port": 1539, + "bytes": 402, + "ip": "35.244.92.47" + }, + "type": "http", + "url": { + "path": "/assets/fonts/fontawesome-webfont.woff2", + "extension": "woff2", + "scheme": "http", + "query": "v=4.6.3", + "domain": "www.test.co", + "full": "http://www.test.co/assets/fonts/fontawesome-webfont.woff2?v=4.6.3" + }, + "network": { + "community_id": "1:gPM3VQvPa/AoaH6Pynie+9K8/a4=", + "protocol": "http", + "bytes": 72555, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:12.783Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "hosts": [ + "www.test.co", + "http://www.test.co/assets/css/font-awesome.min.css" + ], + "ip": [ + "35.244.92.47", + "10.100.0.29" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": 
"debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 1539, + "bytes": 402, + "ip": "35.244.92.47" + }, + "http": { + "request": { + "headers": { + "content-length": 0 + }, + "referrer": "http://www.test.co/assets/css/font-awesome.min.css", + "method": "GET", + "bytes": 402 + }, + "response": { + "headers": { + "content-length": 71896, + "content-type": "application/octet-stream" + }, + "status_code": 200, + "status_phrase": "ok", + "mime_type": "application/octet-stream", + "bytes": 72153, + "body": { + "bytes": 71896 + } + }, + "version": "1.1" + }, + "event": { + "duration": 61000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:14Z", + "kind": "event", + "start": "2024-06-21T11:16:12.783Z", + "end": "2024-06-21T11:16:12.783Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + }, + "status": "OK", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "server": { + "port": 80, + "bytes": 4137, + "domain": "www.test.co", + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /", + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": 
{ + "port": 80, + "bytes": 4137, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "source": { + "port": 19456, + "bytes": 419, + "ip": "34.86.203.82" + }, + "type": "http", + "url": { + "path": "/", + "scheme": "http", + "domain": "www.test.co", + "full": "http://www.test.co/" + }, + "network": { + "community_id": "1:yJ0rbgFBC3faJY1GlmrXdwvTHUg=", + "protocol": "http", + "bytes": 4556, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:10.631Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "hosts": [ + "www.test.co" + ], + "ip": [ + "34.86.203.82", + "10.100.0.29" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 19456, + "bytes": 419, + "ip": "34.86.203.82" + }, + "http": { + "request": { + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 419 + }, + "response": { + "headers": { + "content-length": 3875, + "content-type": "text/html" + }, + "status_phrase": "ok", + "status_code": 200, + "mime_type": "text/html", + "bytes": 4137, + "body": { + "bytes": 3875 + } + }, + 
"version": "1.1" + }, + "event": { + "duration": 477000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:11Z", + "kind": "event", + "start": "2024-06-21T11:16:10.631Z", + "end": "2024-06-21T11:16:10.632Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + }, + "status": "OK", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "server": { + "port": 80, + "bytes": 10306, + "domain": "www.test.co", + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /images/pic01.jpg", + "destination": { + "port": 80, + "bytes": 10306, + "domain": "www.test.co", + "ip": "10.100.0.29" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 19458, + "bytes": 369, + "ip": "34.86.203.82" + }, + "type": "http", + "url": { + "path": "/images/pic01.jpg", + "extension": "jpg", + "scheme": "http", + "domain": "www.test.co", + "full": "http://www.test.co/images/pic01.jpg" + }, + "network": { + "protocol": "http", + "community_id": "1:19gScwFqXOlar3be22Vn5xuAauQ=", + "bytes": 10675, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "machine": { + "type": "t2d-standard-1" + }, + "service": { + "name": "GCE" + 
}, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:10.792Z", + "related": { + "hosts": [ + "www.test.co", + "http://www.test.co/" + ], + "ip": [ + "34.86.203.82", + "10.100.0.29" + ] + }, + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "http": { + "request": { + "referrer": "http://www.test.co/", + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 369 + }, + "response": { + "headers": { + "content-length": 10064, + "content-type": "image/jpeg" + }, + "status_phrase": "ok", + "status_code": 200, + "mime_type": "image/jpeg", + "bytes": 10306, + "body": { + "bytes": 10064 + } + }, + "version": "1.1" + }, + "client": { + "port": 19458, + "bytes": 369, + "ip": "34.86.203.82" + }, + "event": { + "duration": 251000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:11Z", + "kind": "event", + "start": "2024-06-21T11:16:10.792Z", + "end": "2024-06-21T11:16:10.792Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + }, + "status": "OK", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": 
"trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "server": { + "port": 80, + "bytes": 32868, + "domain": "www.test.co", + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /assets/css/main.css", + "destination": { + "port": 80, + "bytes": 32868, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 19456, + "bytes": 326, + "ip": "34.86.203.82" + }, + "type": "http", + "url": { + "path": "/assets/css/main.css", + "extension": "css", + "scheme": "http", + "domain": "www.test.co", + "full": "http://www.test.co/assets/css/main.css" + }, + "network": { + "protocol": "http", + "community_id": "1:yJ0rbgFBC3faJY1GlmrXdwvTHUg=", + "bytes": 33194, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:10.716Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "hosts": [ + "www.test.co", + "http://www.test.co/" + ], + "ip": [ + "34.86.203.82", + "10.100.0.29" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 
(bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "http": { + "request": { + "referrer": "http://www.test.co/", + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 326 + }, + "response": { + "headers": { + "content-length": 32628, + "content-type": "text/css" + }, + "status_phrase": "ok", + "status_code": 200, + "mime_type": "text/css", + "bytes": 32868, + "body": { + "bytes": 32628 + } + }, + "version": "1.1" + }, + "client": { + "port": 19456, + "bytes": 326, + "ip": "34.86.203.82" + }, + "event": { + "duration": 84000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:11Z", + "kind": "event", + "start": "2024-06-21T11:16:10.716Z", + "end": "2024-06-21T11:16:10.716Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + }, + "status": "OK", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "server": { + "port": 80, + "bytes": 9145, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /images/pic02.jpg", + "destination": { + "port": 80, + "bytes": 9145, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + 
"snapshot": false + }, + "source": { + "port": 19457, + "bytes": 369, + "ip": "34.86.203.82" + }, + "type": "http", + "url": { + "path": "/images/pic02.jpg", + "extension": "jpg", + "scheme": "http", + "domain": "www.test.co", + "full": "http://www.test.co/images/pic02.jpg" + }, + "network": { + "protocol": "http", + "community_id": "1:ioQAxWbr9FPVUa+VsG4oHAJkdqg=", + "bytes": 9514, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "machine": { + "type": "t2d-standard-1" + }, + "service": { + "name": "GCE" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:10.795Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "hosts": [ + "www.test.co", + "http://www.test.co/" + ], + "ip": [ + "34.86.203.82", + "10.100.0.29" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 19457, + "bytes": 369, + "ip": "34.86.203.82" + }, + "http": { + "request": { + "referrer": "http://www.test.co/", + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 369 + }, + "response": { + "headers": { + "content-length": 8904, + "content-type": "image/jpeg" + }, + "status_phrase": "ok", + "status_code": 200, + "mime_type": "image/jpeg", + 
"bytes": 9145, + "body": { + "bytes": 8904 + } + }, + "version": "1.1" + }, + "event": { + "duration": 41000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:11Z", + "kind": "event", + "start": "2024-06-21T11:16:10.795Z", + "end": "2024-06-21T11:16:10.795Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + }, + "status": "OK", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "server": { + "port": 80, + "bytes": 9938, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /images/pic03.jpg", + "destination": { + "port": 80, + "bytes": 9938, + "domain": "www.test.co", + "ip": "10.100.0.29" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 19461, + "bytes": 369, + "ip": "34.86.203.82" + }, + "type": "http", + "url": { + "path": "/images/pic03.jpg", + "extension": "jpg", + "scheme": "http", + "domain": "www.test.co", + "full": "http://www.test.co/images/pic03.jpg" + }, + "network": { + "community_id": "1:ggT7zC+LwNLXYYw3utRBpsMN+9w=", + "protocol": "http", + "bytes": 10307, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": 
"GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:10.796Z", + "related": { + "hosts": [ + "www.test.co", + "http://www.test.co/" + ], + "ip": [ + "34.86.203.82", + "10.100.0.29" + ] + }, + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "http": { + "request": { + "referrer": "http://www.test.co/", + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 369 + }, + "response": { + "headers": { + "content-length": 9697, + "content-type": "image/jpeg" + }, + "status_phrase": "ok", + "status_code": 200, + "mime_type": "image/jpeg", + "bytes": 9938, + "body": { + "bytes": 9697 + } + }, + "version": "1.1" + }, + "client": { + "port": 19461, + "bytes": 369, + "ip": "34.86.203.82" + }, + "event": { + "duration": 202000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:11Z", + "kind": "event", + "start": "2024-06-21T11:16:10.796Z", + "end": "2024-06-21T11:16:10.796Z", + "type": [ + "connection", + "protocol" + ], + "category": [ + "network" + ], + "dataset": "network_traffic.http" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + }, + "status": "OK", + "_conf": { + "endace_url": "https://test.test.local", + 
"endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "server": { + "port": 80, + "bytes": 9338, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /assets/js/skel.min.js", + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "port": 80, + "bytes": 9338, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "source": { + "port": 19460, + "bytes": 313, + "ip": "34.86.203.82" + }, + "type": "http", + "url": { + "path": "/assets/js/skel.min.js", + "extension": "js", + "scheme": "http", + "domain": "www.test.co", + "full": "http://www.test.co/assets/js/skel.min.js" + }, + "network": { + "protocol": "http", + "community_id": "1:I2z0vpcqgfS252mqkW5mlrncpqY=", + "bytes": 9651, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:10.797Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "hosts": [ + "www.test.co", + "http://www.test.co/" + ], + "ip": [ + "34.86.203.82", + "10.100.0.29" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + 
"family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "http": { + "request": { + "referrer": "http://www.test.co/", + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 313 + }, + "response": { + "headers": { + "content-length": 9085, + "content-type": "application/javascript" + }, + "status_phrase": "ok", + "status_code": 200, + "mime_type": "application/javascript", + "bytes": 9338, + "body": { + "bytes": 9085 + } + }, + "version": "1.1" + }, + "client": { + "port": 19460, + "bytes": 313, + "ip": "34.86.203.82" + }, + "event": { + "duration": 233000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:11Z", + "kind": "event", + "start": "2024-06-21T11:16:10.797Z", + "end": "2024-06-21T11:16:10.797Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + }, + "status": "OK", + "_conf": { + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + } + ] +} \ No newline at end of file diff --git a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json new file mode 100644 index 00000000000..41ecb814ea2 --- /dev/null +++ b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json 
@@ -0,0 +1,2982 @@ +{ + "expected": [ + { + "server": { + "port": 80, + "bytes": 374, + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /.env", + "destination": { + "port": 80, + "bytes": 374, + "ip": "10.100.0.29" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 46324, + "bytes": 230, + "ip": "57.129.23.166" + }, + "type": "http", + "url": { + "path": "/.env", + "extension": "env", + "scheme": "http", + "domain": "34.147.158.4", + "full": "http://34.147.158.4/.env" + }, + "network": { + "community_id": "1:SUrUlAjDJgBojipINaXvE82MrcU=", + "protocol": "http", + "bytes": 604, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:18:18.358Z", + "related": { + "ip": [ + "57.129.23.166", + "10.100.0.29", + "34.147.158.4" + ] + }, + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "containerized": false, + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": 
[ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 46324, + "bytes": 230, + "ip": "57.129.23.166" + }, + "http": { + "request": { + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 230 + }, + "response": { + "headers": { + "content-length": 177, + "content-type": "text/html" + }, + "status_phrase": "not found", + "status_code": 404, + "mime_type": "text/html", + "bytes": 374, + "body": { + "bytes": 177 + } + }, + "version": "1.1" + }, + "event": { + "duration": 506000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:18:19Z", + "kind": "event", + "start": "2024-06-21T11:18:18.358Z", + "end": "2024-06-21T11:18:18.359Z", + "type": [ + "connection", + "protocol" + ], + "category": [ + "network" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" + }, + "status": "Error" + }, + { + "server": { + "port": 80, + "bytes": 716, + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "method": "POST", + "query": "POST /", + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "port": 80, + "bytes": 716, + "ip": "10.100.0.29" + }, + "source": { + "port": 46390, + "bytes": 316, + "ip": "57.129.23.166" + }, + "type": "http", + "url": { + "path": "/", + "scheme": "http", + "query": "0x%5B%5D=androxgh0st", + "domain": "34.147.158.4", + "full": "http://34.147.158.4/?0x%5B%5D=androxgh0st" + }, + "network": { + "community_id": "1:2X7Vc6YqRE4tl8APECPM4vuvaMA=", + "protocol": "http", + "bytes": 1032, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + 
"instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:18:18.416Z", + "related": { + "ip": [ + "57.129.23.166", + "10.100.0.29", + "34.147.158.4" + ] + }, + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "http": { + "request": { + "headers": { + "content-length": 20, + "content-type": "application/x-www-form-urlencoded" + }, + "method": "POST", + "bytes": 316, + "body": { + "bytes": 20 + } + }, + "response": { + "headers": { + "content-length": 559, + "content-type": "text/html" + }, + "status_code": 405, + "status_phrase": "not allowed", + "mime_type": "text/html", + "bytes": 716, + "body": { + "bytes": 559 + } + }, + "version": "1.1" + }, + "client": { + "port": 46390, + "bytes": 316, + "ip": "57.129.23.166" + }, + "event": { + "duration": 238000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:18:19Z", + "kind": "event", + "start": "2024-06-21T11:18:18.416Z", + "end": "2024-06-21T11:18:18.417Z", + "type": [ + "connection", + "protocol" + ], + "category": [ + "network" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" + }, + "status": "Error" + }, + { + "server": { + "port": 35176, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "port": 35176, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "source": { + "port": 80, + "ip": "169.254.169.254" + }, + "type": "http", + "error": { + "message": "Unmatched response" + }, + "network": { + "protocol": "http", + "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", + "bytes": 25084, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:18:18.465Z", + "related": { + "ip": [ + "169.254.169.254", + "10.100.0.29" + ] + }, + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 
80, + "ip": "169.254.169.254" + }, + "http": { + "response": { + "headers": { + "content-length": 24794, + "content-type": "application/json" + }, + "status_code": 200, + "status_phrase": "ok", + "mime_type": "application/json", + "bytes": 25084, + "body": { + "bytes": 24794 + } + } + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:18:19Z", + "kind": "event", + "end": "2024-06-21T11:18:18.465Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "status": "Error" + }, + { + "server": { + "port": 35164, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "port": 35164, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "source": { + "port": 80, + "ip": "169.254.169.254" + }, + "error": { + "message": "Unmatched response" + }, + "type": "http", + "network": { + "protocol": "http", + "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", + "bytes": 25084, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:18:15.709Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "ip": [ + "169.254.169.254", + "10.100.0.29" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, 
+ "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "http": { + "response": { + "headers": { + "content-length": 24794, + "content-type": "application/json" + }, + "status_phrase": "ok", + "status_code": 200, + "mime_type": "application/json", + "bytes": 25084, + "body": { + "bytes": 24794 + } + } + }, + "client": { + "port": 80, + "ip": "169.254.169.254" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:18:17Z", + "kind": "event", + "end": "2024-06-21T11:18:15.709Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "status": "Error" + }, + { + "server": { + "port": 80, + "ip": "169.254.169.254" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /computeMetadata/v1//", + "destination": { + "port": 80, + "ip": "169.254.169.254" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 35176, + "bytes": 228, + "ip": "10.100.0.29" + }, + "error": { + "message": "Unmatched request" + }, + "type": "http", + "url": { + "path": "/computeMetadata/v1//", + "scheme": "http", + "domain": "169.254.169.254", + "query": "alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true", + "full": 
"http://169.254.169.254/computeMetadata/v1//?alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true" + }, + "network": { + "protocol": "http", + "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", + "bytes": 228, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:17:18.451Z", + "related": { + "ip": [ + "10.100.0.29", + "169.254.169.254" + ] + }, + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 35176, + "bytes": 228, + "ip": "10.100.0.29" + }, + "http": { + "request": { + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 228 + }, + "version": "1.1" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:17:32Z", + "kind": "event", + "start": "2024-06-21T11:17:18.451Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "user_agent": { + "original": "Go-http-client/1.1" + }, + "status": "Error" + }, + { + "server": { + 
"port": 80, + "ip": "169.254.169.254" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /computeMetadata/v1/", + "destination": { + "port": 80, + "ip": "169.254.169.254" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 35164, + "bytes": 227, + "ip": "10.100.0.29" + }, + "error": { + "message": "Unmatched request" + }, + "type": "http", + "url": { + "path": "/computeMetadata/v1/", + "scheme": "http", + "domain": "169.254.169.254", + "query": "alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true", + "full": "http://169.254.169.254/computeMetadata/v1/?alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true" + }, + "network": { + "protocol": "http", + "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", + "bytes": 227, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "machine": { + "type": "t2d-standard-1" + }, + "service": { + "name": "GCE" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:17:15.695Z", + "related": { + "ip": [ + "10.100.0.29", + "169.254.169.254" + ] + }, + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": 
"debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "http": { + "request": { + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 227 + }, + "version": "1.1" + }, + "client": { + "port": 35164, + "bytes": 227, + "ip": "10.100.0.29" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:17:32Z", + "kind": "event", + "start": "2024-06-21T11:17:15.695Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "user_agent": { + "original": "Go-http-client/1.1" + }, + "status": "Error" + }, + { + "server": { + "port": 35176, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "port": 35176, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "source": { + "port": 80, + "ip": "169.254.169.254" + }, + "error": { + "message": "Unmatched response" + }, + "type": "http", + "network": { + "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", + "protocol": "http", + "bytes": 25084, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:17:18.450Z", + 
"related": { + "ip": [ + "169.254.169.254", + "10.100.0.29" + ] + }, + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 80, + "ip": "169.254.169.254" + }, + "http": { + "response": { + "headers": { + "content-length": 24794, + "content-type": "application/json" + }, + "status_code": 200, + "status_phrase": "ok", + "mime_type": "application/json", + "bytes": 25084, + "body": { + "bytes": 24794 + } + } + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:17:19Z", + "kind": "event", + "end": "2024-06-21T11:17:18.450Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "status": "Error" + }, + { + "server": { + "port": 35164, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "port": 35164, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "source": { + "port": 80, + "ip": "169.254.169.254" + }, + "error": { + "message": "Unmatched response" + }, + "type": "http", + "network": { + "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", + "protocol": "http", + "bytes": 25084, + 
"transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "machine": { + "type": "t2d-standard-1" + }, + "service": { + "name": "GCE" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:17:15.695Z", + "related": { + "ip": [ + "169.254.169.254", + "10.100.0.29" + ] + }, + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 80, + "ip": "169.254.169.254" + }, + "http": { + "response": { + "headers": { + "content-length": 24794, + "content-type": "application/json" + }, + "status_code": 200, + "status_phrase": "ok", + "mime_type": "application/json", + "bytes": 25084, + "body": { + "bytes": 24794 + } + } + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:17:16Z", + "kind": "event", + "end": "2024-06-21T11:17:15.695Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "status": "Error" + }, + { + "server": { + "port": 80, + "ip": "169.254.169.254" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": 
"packetbeat", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /computeMetadata/v1//", + "destination": { + "port": 80, + "ip": "169.254.169.254" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 35176, + "bytes": 228, + "ip": "10.100.0.29" + }, + "error": { + "message": "Unmatched request" + }, + "type": "http", + "url": { + "path": "/computeMetadata/v1//", + "scheme": "http", + "domain": "169.254.169.254", + "query": "alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true", + "full": "http://169.254.169.254/computeMetadata/v1//?alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true" + }, + "network": { + "protocol": "http", + "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", + "bytes": 228, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:18.436Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "ip": [ + "10.100.0.29", + "169.254.169.254" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" 
+ ], + "architecture": "x86_64" + }, + "client": { + "port": 35176, + "bytes": 228, + "ip": "10.100.0.29" + }, + "http": { + "request": { + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 228 + }, + "version": "1.1" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:33Z", + "kind": "event", + "start": "2024-06-21T11:16:18.436Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "user_agent": { + "original": "Go-http-client/1.1" + }, + "status": "Error" + }, + { + "server": { + "port": 80, + "ip": "169.254.169.254" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /computeMetadata/v1/", + "destination": { + "port": 80, + "ip": "169.254.169.254" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 35164, + "bytes": 227, + "ip": "10.100.0.29" + }, + "type": "http", + "error": { + "message": "Unmatched request" + }, + "url": { + "path": "/computeMetadata/v1/", + "scheme": "http", + "domain": "169.254.169.254", + "query": "alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true", + "full": "http://169.254.169.254/computeMetadata/v1/?alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true" + }, + "network": { + "protocol": "http", + "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", + "bytes": 227, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "machine": { + "type": "t2d-standard-1" + }, + "service": { 
+ "name": "GCE" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:15.680Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "ip": [ + "10.100.0.29", + "169.254.169.254" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "http": { + "request": { + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 227 + }, + "version": "1.1" + }, + "client": { + "port": 35164, + "bytes": 227, + "ip": "10.100.0.29" + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:33Z", + "kind": "event", + "start": "2024-06-21T11:16:15.680Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "user_agent": { + "original": "Go-http-client/1.1" + }, + "status": "Error" + }, + { + "server": { + "port": 35176, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "destination": { + "port": 35176, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 80, + "ip": "169.254.169.254" + }, + "error": { + "message": "Unmatched 
response" + }, + "type": "http", + "network": { + "protocol": "http", + "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", + "bytes": 25084, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "machine": { + "type": "t2d-standard-1" + }, + "service": { + "name": "GCE" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:18.434Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "ip": [ + "169.254.169.254", + "10.100.0.29" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "containerized": false, + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 80, + "ip": "169.254.169.254" + }, + "http": { + "response": { + "headers": { + "content-length": 24794, + "content-type": "application/json" + }, + "status_phrase": "ok", + "status_code": 200, + "mime_type": "application/json", + "bytes": 25084, + "body": { + "bytes": 24794 + } + } + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:19Z", + "kind": "event", + "end": "2024-06-21T11:16:18.434Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "status": "Error" + }, + { + "server": { + "port": 35164, + "bytes": 25084, + "ip": "10.100.0.29" + 
}, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "destination": { + "port": 35164, + "bytes": 25084, + "ip": "10.100.0.29" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 80, + "ip": "169.254.169.254" + }, + "error": { + "message": "Unmatched response" + }, + "type": "http", + "network": { + "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", + "protocol": "http", + "bytes": 25084, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:15.679Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "ip": [ + "169.254.169.254", + "10.100.0.29" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 80, + "ip": "169.254.169.254" + }, + "http": { + "response": { + "headers": { + "content-length": 24794, + "content-type": "application/json" + }, + "status_phrase": "ok", + 
"status_code": 200, + "mime_type": "application/json", + "bytes": 25084, + "body": { + "bytes": 24794 + } + } + }, + "event": { + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:16Z", + "kind": "event", + "end": "2024-06-21T11:16:15.679Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "status": "Error" + }, + { + "server": { + "port": 80, + "bytes": 38106, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /images/bg.jpg", + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "port": 80, + "bytes": 38106, + "domain": "www.test.co", + "ip": "10.100.0.29" + }, + "source": { + "port": 1541, + "bytes": 385, + "ip": "35.244.92.47" + }, + "type": "http", + "url": { + "path": "/images/bg.jpg", + "extension": "jpg", + "scheme": "http", + "domain": "www.test.co", + "full": "http://www.test.co/images/bg.jpg" + }, + "network": { + "protocol": "http", + "community_id": "1:Awz6GFqwC6DyvBuaB+al4It7yAY=", + "bytes": 38491, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:12.734Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "hosts": [ + "www.test.co", + "http://www.test.co/assets/css/main.css" + ], + "ip": [ + "35.244.92.47", + 
"10.100.0.29" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 1541, + "bytes": 385, + "ip": "35.244.92.47" + }, + "http": { + "request": { + "referrer": "http://www.test.co/assets/css/main.css", + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 385 + }, + "response": { + "headers": { + "content-length": 37864, + "content-type": "image/jpeg" + }, + "status_code": 200, + "status_phrase": "ok", + "mime_type": "image/jpeg", + "bytes": 38106, + "body": { + "bytes": 37864 + } + }, + "version": "1.1" + }, + "event": { + "duration": 113000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:14Z", + "kind": "event", + "start": "2024-06-21T11:16:12.734Z", + "end": "2024-06-21T11:16:12.734Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + }, + "status": "OK" + }, + { + "server": { + "port": 80, + "bytes": 72153, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /assets/fonts/fontawesome-webfont.woff2", + 
"elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "port": 80, + "bytes": 72153, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "source": { + "port": 1539, + "bytes": 402, + "ip": "35.244.92.47" + }, + "type": "http", + "url": { + "path": "/assets/fonts/fontawesome-webfont.woff2", + "extension": "woff2", + "scheme": "http", + "query": "v=4.6.3", + "domain": "www.test.co", + "full": "http://www.test.co/assets/fonts/fontawesome-webfont.woff2?v=4.6.3" + }, + "network": { + "community_id": "1:gPM3VQvPa/AoaH6Pynie+9K8/a4=", + "protocol": "http", + "bytes": 72555, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:12.783Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "hosts": [ + "www.test.co", + "http://www.test.co/assets/css/font-awesome.min.css" + ], + "ip": [ + "35.244.92.47", + "10.100.0.29" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 1539, + "bytes": 402, + "ip": "35.244.92.47" + }, + "http": { + 
"request": { + "headers": { + "content-length": 0 + }, + "referrer": "http://www.test.co/assets/css/font-awesome.min.css", + "method": "GET", + "bytes": 402 + }, + "response": { + "headers": { + "content-length": 71896, + "content-type": "application/octet-stream" + }, + "status_code": 200, + "status_phrase": "ok", + "mime_type": "application/octet-stream", + "bytes": 72153, + "body": { + "bytes": 71896 + } + }, + "version": "1.1" + }, + "event": { + "duration": 61000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:14Z", + "kind": "event", + "start": "2024-06-21T11:16:12.783Z", + "end": "2024-06-21T11:16:12.783Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + }, + "status": "OK" + }, + { + "server": { + "port": 80, + "bytes": 4137, + "domain": "www.test.co", + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /", + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "port": 80, + "bytes": 4137, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "source": { + "port": 19456, + "bytes": 419, + "ip": "34.86.203.82" + }, + "type": "http", + "url": { + "path": "/", + "scheme": "http", + "domain": "www.test.co", + "full": "http://www.test.co/" + }, + "network": { + "community_id": "1:yJ0rbgFBC3faJY1GlmrXdwvTHUg=", + "protocol": "http", + "bytes": 4556, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": 
"jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:10.631Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "hosts": [ + "www.test.co" + ], + "ip": [ + "34.86.203.82", + "10.100.0.29" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 19456, + "bytes": 419, + "ip": "34.86.203.82" + }, + "http": { + "request": { + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 419 + }, + "response": { + "headers": { + "content-length": 3875, + "content-type": "text/html" + }, + "status_phrase": "ok", + "status_code": 200, + "mime_type": "text/html", + "bytes": 4137, + "body": { + "bytes": 3875 + } + }, + "version": "1.1" + }, + "event": { + "duration": 477000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:11Z", + "kind": "event", + "start": "2024-06-21T11:16:10.631Z", + "end": "2024-06-21T11:16:10.632Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + }, + "status": 
"OK" + }, + { + "server": { + "port": 80, + "bytes": 10306, + "domain": "www.test.co", + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /images/pic01.jpg", + "destination": { + "port": 80, + "bytes": 10306, + "domain": "www.test.co", + "ip": "10.100.0.29" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 19458, + "bytes": 369, + "ip": "34.86.203.82" + }, + "type": "http", + "url": { + "path": "/images/pic01.jpg", + "extension": "jpg", + "scheme": "http", + "domain": "www.test.co", + "full": "http://www.test.co/images/pic01.jpg" + }, + "network": { + "protocol": "http", + "community_id": "1:19gScwFqXOlar3be22Vn5xuAauQ=", + "bytes": 10675, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "machine": { + "type": "t2d-standard-1" + }, + "service": { + "name": "GCE" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:10.792Z", + "related": { + "hosts": [ + "www.test.co", + "http://www.test.co/" + ], + "ip": [ + "34.86.203.82", + "10.100.0.29" + ] + }, + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + 
"fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "http": { + "request": { + "referrer": "http://www.test.co/", + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 369 + }, + "response": { + "headers": { + "content-length": 10064, + "content-type": "image/jpeg" + }, + "status_phrase": "ok", + "status_code": 200, + "mime_type": "image/jpeg", + "bytes": 10306, + "body": { + "bytes": 10064 + } + }, + "version": "1.1" + }, + "client": { + "port": 19458, + "bytes": 369, + "ip": "34.86.203.82" + }, + "event": { + "duration": 251000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:11Z", + "kind": "event", + "start": "2024-06-21T11:16:10.792Z", + "end": "2024-06-21T11:16:10.792Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + }, + "status": "OK" + }, + { + "server": { + "port": 80, + "bytes": 32868, + "domain": "www.test.co", + "ip": "10.100.0.29" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /assets/css/main.css", + "destination": { + "port": 80, + "bytes": 32868, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 19456, + "bytes": 326, + "ip": "34.86.203.82" + }, + "type": "http", + "url": { + "path": "/assets/css/main.css", + "extension": "css", + "scheme": "http", + "domain": "www.test.co", + "full": 
"http://www.test.co/assets/css/main.css" + }, + "network": { + "protocol": "http", + "community_id": "1:yJ0rbgFBC3faJY1GlmrXdwvTHUg=", + "bytes": 33194, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:10.716Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "hosts": [ + "www.test.co", + "http://www.test.co/" + ], + "ip": [ + "34.86.203.82", + "10.100.0.29" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "http": { + "request": { + "referrer": "http://www.test.co/", + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 326 + }, + "response": { + "headers": { + "content-length": 32628, + "content-type": "text/css" + }, + "status_phrase": "ok", + "status_code": 200, + "mime_type": "text/css", + "bytes": 32868, + "body": { + "bytes": 32628 + } + }, + "version": "1.1" + }, + "client": { + "port": 19456, + "bytes": 326, + "ip": "34.86.203.82" + }, + "event": { + "duration": 84000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:11Z", + "kind": "event", + "start": 
"2024-06-21T11:16:10.716Z", + "end": "2024-06-21T11:16:10.716Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + }, + "status": "OK" + }, + { + "server": { + "port": 80, + "bytes": 9145, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /images/pic02.jpg", + "destination": { + "port": 80, + "bytes": 9145, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 19457, + "bytes": 369, + "ip": "34.86.203.82" + }, + "type": "http", + "url": { + "path": "/images/pic02.jpg", + "extension": "jpg", + "scheme": "http", + "domain": "www.test.co", + "full": "http://www.test.co/images/pic02.jpg" + }, + "network": { + "protocol": "http", + "community_id": "1:ioQAxWbr9FPVUa+VsG4oHAJkdqg=", + "bytes": 9514, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "machine": { + "type": "t2d-standard-1" + }, + "service": { + "name": "GCE" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:10.795Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "hosts": [ + "www.test.co", + "http://www.test.co/" + ], + "ip": [ + "34.86.203.82", + "10.100.0.29" + ] + }, + "data_stream": 
{ + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "client": { + "port": 19457, + "bytes": 369, + "ip": "34.86.203.82" + }, + "http": { + "request": { + "referrer": "http://www.test.co/", + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 369 + }, + "response": { + "headers": { + "content-length": 8904, + "content-type": "image/jpeg" + }, + "status_phrase": "ok", + "status_code": 200, + "mime_type": "image/jpeg", + "bytes": 9145, + "body": { + "bytes": 8904 + } + }, + "version": "1.1" + }, + "event": { + "duration": 41000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:11Z", + "kind": "event", + "start": "2024-06-21T11:16:10.795Z", + "end": "2024-06-21T11:16:10.795Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + }, + "status": "OK" + }, + { + "server": { + "port": 80, + "bytes": 9938, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /images/pic03.jpg", + "destination": { + "port": 80, + "bytes": 9938, + "domain": "www.test.co", + "ip": 
"10.100.0.29" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 19461, + "bytes": 369, + "ip": "34.86.203.82" + }, + "type": "http", + "url": { + "path": "/images/pic03.jpg", + "extension": "jpg", + "scheme": "http", + "domain": "www.test.co", + "full": "http://www.test.co/images/pic03.jpg" + }, + "network": { + "community_id": "1:ggT7zC+LwNLXYYw3utRBpsMN+9w=", + "protocol": "http", + "bytes": 10307, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:10.796Z", + "related": { + "hosts": [ + "www.test.co", + "http://www.test.co/" + ], + "ip": [ + "34.86.203.82", + "10.100.0.29" + ] + }, + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "http": { + "request": { + "referrer": "http://www.test.co/", + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 369 + }, + "response": { + "headers": { + "content-length": 9697, + "content-type": "image/jpeg" + }, + "status_phrase": "ok", + "status_code": 
200, + "mime_type": "image/jpeg", + "bytes": 9938, + "body": { + "bytes": 9697 + } + }, + "version": "1.1" + }, + "client": { + "port": 19461, + "bytes": 369, + "ip": "34.86.203.82" + }, + "event": { + "duration": 202000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:11Z", + "kind": "event", + "start": "2024-06-21T11:16:10.796Z", + "end": "2024-06-21T11:16:10.796Z", + "type": [ + "connection", + "protocol" + ], + "category": [ + "network" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + }, + "status": "OK" + }, + { + "server": { + "port": 80, + "bytes": 9338, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "method": "GET", + "query": "GET /assets/js/skel.min.js", + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "port": 80, + "bytes": 9338, + "ip": "10.100.0.29", + "domain": "www.test.co" + }, + "source": { + "port": 19460, + "bytes": 313, + "ip": "34.86.203.82" + }, + "type": "http", + "url": { + "path": "/assets/js/skel.min.js", + "extension": "js", + "scheme": "http", + "domain": "www.test.co", + "full": "http://www.test.co/assets/js/skel.min.js" + }, + "network": { + "protocol": "http", + "community_id": "1:I2z0vpcqgfS252mqkW5mlrncpqY=", + "bytes": 9651, + "transport": "tcp", + "type": "ipv4", + "direction": "ingress" + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "jamesgarside-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + 
"project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-06-21T11:16:10.797Z", + "ecs": { + "version": "8.11.0" + }, + "related": { + "hosts": [ + "www.test.co", + "http://www.test.co/" + ], + "ip": [ + "34.86.203.82", + "10.100.0.29" + ] + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "network_traffic.http" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "http": { + "request": { + "referrer": "http://www.test.co/", + "headers": { + "content-length": 0 + }, + "method": "GET", + "bytes": 313 + }, + "response": { + "headers": { + "content-length": 9085, + "content-type": "application/javascript" + }, + "status_phrase": "ok", + "status_code": 200, + "mime_type": "application/javascript", + "bytes": 9338, + "body": { + "bytes": 9085 + } + }, + "version": "1.1" + }, + "client": { + "port": 19460, + "bytes": 313, + "ip": "34.86.203.82" + }, + "event": { + "duration": 233000, + "agent_id_status": "verified", + "ingested": "2024-06-21T11:16:11Z", + "kind": "event", + "start": "2024-06-21T11:16:10.797Z", + "end": "2024-06-21T11:16:10.797Z", + "category": [ + "network" + ], + "type": [ + "connection", + "protocol" + ], + "dataset": "network_traffic.http", + "reference": "" + }, + "user_agent": { + "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + }, + "status": "OK" + } + ] +} \ No newline at end of file 
diff --git a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml
index 212ffb757ce..164fa67df2e 100644
--- a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml
@@ -86,6 +86,7 @@ processors:
 - pipeline:
 name: '{{ IngestPipeline "endace" }}'
 tag: pipeline_processor
+ if: ctx.source?.ip != null && ctx.destination?.ip != null && ctx.source?.ip != '0.0.0.0' && ctx.destination?.ip != '0.0.0.0'
 - remove:
 field: _conf
diff --git a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml
index eb6cca3dffb..5b2d4d1a287 100644
--- a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml
+++ b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml
@@ -25,6 +25,12 @@ processors:
 output_format: epoch_millis
 if: ctx.event?.start != null && ctx.event?.start != ''
+ - convert:
+ field: _conf.event.start
+ type: long
+ description: "Convert Start time to Long"
+ if: ctx._conf?.event?.start != null && ctx._conf?.event?.start != ''
+
 - date:
 description: "Convert End time to Epoch"
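Review bot: The new `if:` on the `pipeline` processor skips the Endace sub-pipeline for null or `0.0.0.0` addresses but not for the empty string, while the `event.reference` `set` in endace.yml (hunk `@@ -50,5 +68,3 @@` on this page) guards on `!= ''` and not on `0.0.0.0`; with the two filters disagreeing, an event with an empty IP still runs through the sub-pipeline's converts and scripts only to have `event.reference` withheld by that second guard. Aligning both conditions, e.g. `if: ctx.source?.ip != null && ctx.source?.ip != '' && ctx.source?.ip != '0.0.0.0' && ctx.destination?.ip != null && ctx.destination?.ip != '' && ctx.destination?.ip != '0.0.0.0'`, makes the skip decision happen once. Since the unconditional `remove: field: _conf` now follows this processor, `_conf` is dropped whether or not the sub-pipeline ran, which is the right place for it now that endace.yml no longer removes it; a comment above the `pipeline` processor such as `# _conf is removed below regardless of whether the endace pipeline ran` would stop someone re-adding the remove in endace.yml.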
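Review bot: The added `convert` of `_conf.event.start` to `long` does not say what unit the value is expected to be in, and the surrounding processors disagree on that: the `date` processor above it emits `epoch_millis` (its target field is outside the hunk), while the test helper `add_field.py` later on this page writes `_conf.event.start` in whole seconds via `time.mktime`. If the `date` processor does not overwrite `_conf.event.start`, the fixture and the millisecond `timedelta` computed in the next hunk are in different units — worth confirming. Either way, stating the unit in the description, `description: "Convert Start time (epoch millis) to Long"`, documents the contract the later arithmetic relies on.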
@@ -34,15 +40,27 @@ processors:
 output_format: epoch_millis
 if: ctx.event?.end != null && ctx.event?.end != ''
- - set:
- description: "Calculate timedelta"
- field: _conf.timedelta
- value: _conf.endace_lookback * 60 * 1000
- - set:
- description: "Calculate Endtime + additional lookback"
- field: _conf.event.end
- value: _conf.event.end - _conf.timedelta
+ - convert:
+ field: _conf.event.end
+ type: long
+ description: "Convert End time to Long"
+ if: ctx._conf?.event?.end != null && ctx._conf?.event?.end != ''
+
+ - script:
+ source: "ctx._conf.timedelta = ctx._conf.endace_lookback * 60 * 1000"
+ tag: "Calculate Timedelta"
+ description: "Calculate Timedelta"
+ if: ctx._conf?.endace_lookback != null && ctx._conf?.endace_lookback != ''
+
+ - script:
+ source: "ctx._conf.event.end = ctx._conf.event.end - ctx._conf.timedelta"
+ tag: "Calculate Endtime + additional lookback"
+ description: "Calculate Endtime + additional lookback"
+ if: ctx._conf?.event?.end != null && ctx._conf?.event?.end != '' && ctx._conf?.timedelta != null && ctx._conf?.timedelta != ''
+
 - set:
 field: event.reference
@@ -50,5 +68,3 @@ processors:
 ignore_empty_value: true
 tag: endace reference url
 if: ctx.destination?.ip != null && ctx.destination?.ip != '' && ctx.source?.ip != null && ctx.source?.ip != ''
- - remove:
- field: "_conf"
\ No newline at end of file
From 14ece87aee2d12854e1a6fa23b2dac220b49e2e8 Mon Sep 17 00:00:00 2001
From: James Garside
Date: Mon, 1 Jul 2024 12:08:26 +0100
Subject: [PATCH 04/23] Fixed tests for flow
---
 .../endace/data_stream/flow/_dev/add_field.py | 5 +-
 .../_dev/test/pipeline/test-flow-events.json | 2654 +++-------------
 .../test-flow-events.json-expected.json | 2598 +++-------------
 3 files changed, 834 insertions(+), 4423 deletions(-)

diff --git a/packages/endace/data_stream/flow/_dev/add_field.py b/packages/endace/data_stream/flow/_dev/add_field.py
index d26b956cb73..d6564a5cd47 100644
--- a/packages/endace/data_stream/flow/_dev/add_field.py
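Review bot: The second `script` subtracts the lookback from the end time (`ctx._conf.event.end = ctx._conf.event.end - ctx._conf.timedelta`) while its tag and description say "Endtime + additional lookback"; subtracting from the end narrows the window, and for a flow shorter than the lookback it leaves `_conf.event.end` earlier than `_conf.event.start`. The removed `set` had the same arithmetic, so this commit preserves rather than introduces it, but now that the expression is explicit it should be resolved: if the intent is to widen the window, use `ctx._conf.event.end = ctx._conf.event.end + ctx._conf.timedelta` (or apply the lookback to the start) and make the description match. The timedelta script also assumes `ctx._conf.endace_lookback` is already numeric; the `_conf.event.*` fields in this hunk get a `convert` first, and a string value such as `'10'` is likely to make the script fail at runtime, so a matching `convert: field: _conf.endace_lookback, type: long` before it would be consistent with the hunk's own approach. The `!= ''` comparisons in the `if:` of both scripts are dead once the fields have been converted to `long`; `!= null` is the only check that can still fire, so they can be dropped or left with a comment explaining the pre-convert case they cover.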
+++ b/packages/endace/data_stream/flow/_dev/add_field.py
@@ -24,6 +24,7 @@ def process_events():
 for event in events['events']:
 if '_conf' not in event:
 event['_conf'] = {}
+ event['_conf']['event'] = {}
 event['_conf']['endace_url'] = 'https://test.test.local'
 event['_conf']['endace_datasources'] = 'tag:rotation-file'
 event['_conf']['endace_tools'] = 'trafficOverTime_by_app,conversations_by_ipaddress'
@@ -34,14 +35,14 @@ def process_events():
 if 'event' in event and 'start' in event['event']:
 start_str = event['event']['start']
 # Assuming the date format is ISO 8601, e.g., "2023-01-01T00:00:00Z"
- start_dt = datetime.strptime(start_str, "%Y-%m-%dT%H:%M:%SZ")
+ start_dt = datetime.strptime(start_str, "%Y-%m-%dT%H:%M:%S.%fZ")
 event['_conf']['event']['start'] = int(time.mktime(start_dt.timetuple()))
 # Convert event.end to epoch
 if 'event' in event and 'end' in event['event']:
 end_str = event['event']['end']
 # Assuming the date format is ISO 8601, e.g., "2023-01-01T00:00:00Z"
- end_dt = datetime.strptime(end_str, "%Y-%m-%dT%H:%M:%SZ")
+ end_dt = datetime.strptime(end_str, "%Y-%m-%dT%H:%M:%S.%fZ")
 event['_conf']['event']['end'] = int(time.mktime(end_dt.timetuple()))
 
diff --git a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json
index a4b57b512f5..6ff73b1c9f2 100644
--- a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json
+++ b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json
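Review bot: `event['_conf']['event'] = {}` is initialised only inside the `if '_conf' not in event:` branch, so an input event that already carries `_conf` without an `event` sub-dict (the shape of the fixtures being removed in the next file) still raises `KeyError` at `event['_conf']['event']['start'] = ...` further down. Moving the initialisation out of the branch as `event['_conf'].setdefault('event', {})` covers both cases without changing the fresh-`_conf` path. `process_events` starts outside the hunk.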
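Review bot: `time.mktime(start_dt.timetuple())` treats the parsed naive datetime as local time, but the trailing `Z` in the new format marks the input as UTC, so the epoch written to `_conf.event.start` and `_conf.event.end` is off by the host's UTC offset unless the test happens to run with TZ=UTC; `calendar.timegm(start_dt.timetuple())` (stdlib, needs `import calendar`) yields the UTC epoch without depending on the environment. The new `%S.%fZ` format also rejects timestamps without fractional seconds, so the comment's example `"2023-01-01T00:00:00Z"` no longer parses; update it to `"2023-01-01T00:00:00.000Z"` or fall back to the old format on `ValueError`. These values are whole seconds, while the pipeline's `timedelta` in endace.yml on this page is computed in milliseconds (`* 60 * 1000`); if the pipeline's `date` processor does not overwrite `_conf.event.*`, the fixture values need `* 1000` to be in the same unit — confirm against the pipeline. `process_events` continues outside the hunk.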
@@ -1,1488 +1,18 @@ { "events": [ { - "server": { - "port": 80, - "bytes": 374, - "ip": "10.100.0.29" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "type": "packetbeat", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "version": "8.9.1" - }, - "method": "GET", - "query": "GET /.env", - "destination": { - "port": 80, - "bytes": 374, - "ip": "10.100.0.29" - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "source": { - "port": 46324, - "bytes": 230, - "ip": "57.129.23.166" - }, - "type": "http", - "url": { - "path": "/.env", - "extension": "env", - "scheme": "http", - "domain": "34.147.158.4", - "full": "http://34.147.158.4/.env" - }, - "network": { - "community_id": "1:SUrUlAjDJgBojipINaXvE82MrcU=", - "protocol": "http", - "bytes": 604, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "t2d-standard-1" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:18:18.358Z", - "related": { - "ip": [ - "57.129.23.166", - "10.100.0.29", - "34.147.158.4" - ] - }, - "ecs": { - "version": "8.11.0" - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "family": "debian", - "type": "linux", - "version": "11 (bullseye)", - "platform": "debian" - }, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "containerized": false, - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - 
"42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "client": { - "port": 46324, - "bytes": 230, - "ip": "57.129.23.166" - }, - "http": { - "request": { - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 230 - }, - "response": { - "headers": { - "content-length": 177, - "content-type": "text/html" - }, - "status_phrase": "not found", - "status_code": 404, - "mime_type": "text/html", - "bytes": 374, - "body": { - "bytes": 177 - } - }, - "version": "1.1" - }, - "event": { - "duration": 506000, - "agent_id_status": "verified", - "ingested": "2024-06-21T11:18:19Z", - "kind": "event", - "start": "2024-06-21T11:18:18.358Z", - "end": "2024-06-21T11:18:18.359Z", - "type": [ - "connection", - "protocol" - ], - "category": [ - "network" - ], - "dataset": "network_traffic.http" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" - }, - "status": "Error", - "_conf": { - "endace_url": "https://test.test.local", - "endace_datasources": "tag:rotation-file", - "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", - "endace_lookback": 10 - } - }, - { - "server": { - "port": 80, - "bytes": 716, - "ip": "10.100.0.29" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "type": "packetbeat", - "version": "8.9.1" - }, - "method": "POST", - "query": "POST /", - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "destination": { - "port": 80, - "bytes": 716, - "ip": "10.100.0.29" - }, - "source": { - "port": 46390, - "bytes": 316, - "ip": "57.129.23.166" - }, - "type": "http", - "url": { - "path": "/", - "scheme": "http", - "query": "0x%5B%5D=androxgh0st", - "domain": "34.147.158.4", - "full": "http://34.147.158.4/?0x%5B%5D=androxgh0st" - }, - "network": { - "community_id": 
"1:2X7Vc6YqRE4tl8APECPM4vuvaMA=", - "protocol": "http", - "bytes": 1032, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "t2d-standard-1" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:18:18.416Z", - "related": { - "ip": [ - "57.129.23.166", - "10.100.0.29", - "34.147.158.4" - ] - }, - "ecs": { - "version": "8.11.0" - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "http": { - "request": { - "headers": { - "content-length": 20, - "content-type": "application/x-www-form-urlencoded" - }, - "method": "POST", - "bytes": 316, - "body": { - "bytes": 20 - } - }, - "response": { - "headers": { - "content-length": 559, - "content-type": "text/html" - }, - "status_code": 405, - "status_phrase": "not allowed", - "mime_type": "text/html", - "bytes": 716, - "body": { - "bytes": 559 - } - }, - "version": "1.1" - }, - "client": { - "port": 46390, - "bytes": 316, - "ip": "57.129.23.166" - }, - "event": { - "duration": 238000, - "agent_id_status": "verified", - "ingested": "2024-06-21T11:18:19Z", - "kind": "event", - "start": "2024-06-21T11:18:18.416Z", - "end": "2024-06-21T11:18:18.417Z", - "type": [ - 
"connection", - "protocol" - ], - "category": [ - "network" - ], - "dataset": "network_traffic.http" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" - }, - "status": "Error", - "_conf": { - "endace_url": "https://test.test.local", - "endace_datasources": "tag:rotation-file", - "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", - "endace_lookback": 10 - } - }, - { - "server": { - "port": 35176, - "bytes": 25084, - "ip": "10.100.0.29" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "type": "packetbeat", - "version": "8.9.1" - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "destination": { - "port": 35176, - "bytes": 25084, - "ip": "10.100.0.29" - }, - "source": { - "port": 80, - "ip": "169.254.169.254" - }, - "type": "http", - "error": { - "message": "Unmatched response" - }, - "network": { - "protocol": "http", - "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", - "bytes": 25084, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "t2d-standard-1" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:18:18.465Z", - "related": { - "ip": [ - "169.254.169.254", - "10.100.0.29" - ] - }, - "ecs": { - "version": "8.11.0" - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - 
"name": "Debian GNU/Linux", - "family": "debian", - "type": "linux", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "client": { - "port": 80, - "ip": "169.254.169.254" - }, - "http": { - "response": { - "headers": { - "content-length": 24794, - "content-type": "application/json" - }, - "status_code": 200, - "status_phrase": "ok", - "mime_type": "application/json", - "bytes": 25084, - "body": { - "bytes": 24794 - } - } - }, - "event": { - "agent_id_status": "verified", - "ingested": "2024-06-21T11:18:19Z", - "kind": "event", - "end": "2024-06-21T11:18:18.465Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "network_traffic.http" - }, - "status": "Error", - "_conf": { - "endace_url": "https://test.test.local", - "endace_datasources": "tag:rotation-file", - "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", - "endace_lookback": 10 - } - }, - { - "server": { - "port": 35164, - "bytes": 25084, - "ip": "10.100.0.29" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "type": "packetbeat", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "version": "8.9.1" - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "destination": { - "port": 35164, - "bytes": 25084, - "ip": "10.100.0.29" - }, - "source": { - "port": 80, - "ip": "169.254.169.254" - }, - "error": { - "message": "Unmatched response" - }, - "type": "http", - "network": { - "protocol": "http", - "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", - "bytes": 25084, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - 
"name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "t2d-standard-1" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:18:15.709Z", - "ecs": { - "version": "8.11.0" - }, - "related": { - "ip": [ - "169.254.169.254", - "10.100.0.29" - ] - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "http": { - "response": { - "headers": { - "content-length": 24794, - "content-type": "application/json" - }, - "status_phrase": "ok", - "status_code": 200, - "mime_type": "application/json", - "bytes": 25084, - "body": { - "bytes": 24794 - } - } - }, - "client": { - "port": 80, - "ip": "169.254.169.254" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2024-06-21T11:18:17Z", - "kind": "event", - "end": "2024-06-21T11:18:15.709Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "network_traffic.http" - }, - "status": "Error", - "_conf": { - "endace_url": "https://test.test.local", - "endace_datasources": "tag:rotation-file", - "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", - "endace_lookback": 10 - } - }, - { - "server": { - "port": 80, - "ip": "169.254.169.254" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "type": "packetbeat", - 
"ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "version": "8.9.1" - }, - "method": "GET", - "query": "GET /computeMetadata/v1//", - "destination": { - "port": 80, - "ip": "169.254.169.254" - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "source": { - "port": 35176, - "bytes": 228, - "ip": "10.100.0.29" - }, - "error": { - "message": "Unmatched request" - }, - "type": "http", - "url": { - "path": "/computeMetadata/v1//", - "scheme": "http", - "domain": "169.254.169.254", - "query": "alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true", - "full": "http://169.254.169.254/computeMetadata/v1//?alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true" - }, - "network": { - "protocol": "http", - "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", - "bytes": 228, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "t2d-standard-1" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:17:18.451Z", - "related": { - "ip": [ - "10.100.0.29", - "169.254.169.254" - ] - }, - "ecs": { - "version": "8.11.0" - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "family": "debian", - "type": "linux", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": 
"28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "client": { - "port": 35176, - "bytes": 228, - "ip": "10.100.0.29" - }, - "http": { - "request": { - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 228 - }, - "version": "1.1" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2024-06-21T11:17:32Z", - "kind": "event", - "start": "2024-06-21T11:17:18.451Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "network_traffic.http" - }, - "user_agent": { - "original": "Go-http-client/1.1" - }, - "status": "Error", - "_conf": { - "endace_url": "https://test.test.local", - "endace_datasources": "tag:rotation-file", - "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", - "endace_lookback": 10 - } - }, - { - "server": { - "port": 80, - "ip": "169.254.169.254" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "type": "packetbeat", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "version": "8.9.1" - }, - "method": "GET", - "query": "GET /computeMetadata/v1/", - "destination": { - "port": 80, - "ip": "169.254.169.254" - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "source": { - "port": 35164, - "bytes": 227, - "ip": "10.100.0.29" - }, - "error": { - "message": "Unmatched request" - }, - "type": "http", - "url": { - "path": "/computeMetadata/v1/", - "scheme": "http", - "domain": "169.254.169.254", - "query": "alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true", - "full": "http://169.254.169.254/computeMetadata/v1/?alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true" - }, - "network": { - "protocol": "http", - "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", - "bytes": 227, - "transport": "tcp", - "type": "ipv4", - "direction": 
"ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "machine": { - "type": "t2d-standard-1" - }, - "service": { - "name": "GCE" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:17:15.695Z", - "related": { - "ip": [ - "10.100.0.29", - "169.254.169.254" - ] - }, - "ecs": { - "version": "8.11.0" - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "family": "debian", - "type": "linux", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "http": { - "request": { - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 227 - }, - "version": "1.1" - }, - "client": { - "port": 35164, - "bytes": 227, - "ip": "10.100.0.29" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2024-06-21T11:17:32Z", - "kind": "event", - "start": "2024-06-21T11:17:15.695Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "network_traffic.http" - }, - "user_agent": { - "original": "Go-http-client/1.1" - }, - "status": "Error", - "_conf": { - "endace_url": "https://test.test.local", - "endace_datasources": "tag:rotation-file", - "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", - "endace_lookback": 10 - } - }, - { - "server": { - "port": 35176, - "bytes": 25084, - "ip": "10.100.0.29" - }, - "agent": { - "name": "webserver", - "id": 
"322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "type": "packetbeat", - "version": "8.9.1" - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "destination": { - "port": 35176, - "bytes": 25084, - "ip": "10.100.0.29" - }, - "source": { - "port": 80, - "ip": "169.254.169.254" - }, - "error": { - "message": "Unmatched response" - }, - "type": "http", - "network": { - "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", - "protocol": "http", - "bytes": 25084, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "t2d-standard-1" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:17:18.450Z", - "related": { - "ip": [ - "169.254.169.254", - "10.100.0.29" - ] - }, - "ecs": { - "version": "8.11.0" - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "client": { - "port": 80, - "ip": "169.254.169.254" - }, - "http": { - "response": { - "headers": { - "content-length": 24794, - "content-type": "application/json" - }, - "status_code": 200, - "status_phrase": "ok", - "mime_type": "application/json", - 
"bytes": 25084, - "body": { - "bytes": 24794 - } - } - }, - "event": { - "agent_id_status": "verified", - "ingested": "2024-06-21T11:17:19Z", - "kind": "event", - "end": "2024-06-21T11:17:18.450Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "network_traffic.http" - }, - "status": "Error", - "_conf": { - "endace_url": "https://test.test.local", - "endace_datasources": "tag:rotation-file", - "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", - "endace_lookback": 10 - } - }, - { - "server": { - "port": 35164, - "bytes": 25084, - "ip": "10.100.0.29" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "type": "packetbeat", - "version": "8.9.1" - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "destination": { - "port": 35164, - "bytes": 25084, - "ip": "10.100.0.29" - }, - "source": { - "port": 80, - "ip": "169.254.169.254" - }, - "error": { - "message": "Unmatched response" - }, - "type": "http", - "network": { - "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", - "protocol": "http", - "bytes": 25084, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "machine": { - "type": "t2d-standard-1" - }, - "service": { - "name": "GCE" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:17:15.695Z", - "related": { - "ip": [ - "169.254.169.254", - "10.100.0.29" - ] - }, - "ecs": { - "version": "8.11.0" - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { 
- "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "family": "debian", - "type": "linux", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "client": { - "port": 80, - "ip": "169.254.169.254" - }, - "http": { - "response": { - "headers": { - "content-length": 24794, - "content-type": "application/json" - }, - "status_code": 200, - "status_phrase": "ok", - "mime_type": "application/json", - "bytes": 25084, - "body": { - "bytes": 24794 - } - } - }, - "event": { - "agent_id_status": "verified", - "ingested": "2024-06-21T11:17:16Z", - "kind": "event", - "end": "2024-06-21T11:17:15.695Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "network_traffic.http" - }, - "status": "Error", - "_conf": { - "endace_url": "https://test.test.local", - "endace_datasources": "tag:rotation-file", - "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", - "endace_lookback": 10 - } - }, - { - "server": { - "port": 80, - "ip": "169.254.169.254" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "type": "packetbeat", - "version": "8.9.1" - }, - "method": "GET", - "query": "GET /computeMetadata/v1//", - "destination": { - "port": 80, - "ip": "169.254.169.254" - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "source": { - "port": 35176, - "bytes": 228, - "ip": "10.100.0.29" - }, - "error": { - "message": "Unmatched request" - }, - "type": "http", - "url": { - "path": "/computeMetadata/v1//", - "scheme": "http", - "domain": "169.254.169.254", - "query": 
"alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true", - "full": "http://169.254.169.254/computeMetadata/v1//?alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true" - }, - "network": { - "protocol": "http", - "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", - "bytes": 228, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "t2d-standard-1" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:16:18.436Z", - "ecs": { - "version": "8.11.0" - }, - "related": { - "ip": [ - "10.100.0.29", - "169.254.169.254" - ] - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "client": { - "port": 35176, - "bytes": 228, - "ip": "10.100.0.29" - }, - "http": { - "request": { - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 228 - }, - "version": "1.1" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:33Z", - "kind": "event", - "start": "2024-06-21T11:16:18.436Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "network_traffic.http" - }, - "user_agent": { - 
"original": "Go-http-client/1.1" - }, - "status": "Error", - "_conf": { - "endace_url": "https://test.test.local", - "endace_datasources": "tag:rotation-file", - "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", - "endace_lookback": 10 - } - }, - { - "server": { - "port": 80, - "ip": "169.254.169.254" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "type": "packetbeat", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "version": "8.9.1" - }, - "method": "GET", - "query": "GET /computeMetadata/v1/", - "destination": { - "port": 80, - "ip": "169.254.169.254" - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "source": { - "port": 35164, - "bytes": 227, - "ip": "10.100.0.29" - }, - "type": "http", - "error": { - "message": "Unmatched request" - }, - "url": { - "path": "/computeMetadata/v1/", - "scheme": "http", - "domain": "169.254.169.254", - "query": "alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true", - "full": "http://169.254.169.254/computeMetadata/v1/?alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true" - }, - "network": { - "protocol": "http", - "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", - "bytes": 227, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "machine": { - "type": "t2d-standard-1" - }, - "service": { - "name": "GCE" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:16:15.680Z", - "ecs": { - "version": "8.11.0" - }, - "related": { - "ip": [ - "10.100.0.29", - "169.254.169.254" - ] - }, - "data_stream": { - "namespace": "webserver", - 
"type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "family": "debian", - "type": "linux", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "http": { - "request": { - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 227 - }, - "version": "1.1" - }, - "client": { - "port": 35164, - "bytes": 227, - "ip": "10.100.0.29" - }, - "event": { - "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:33Z", - "kind": "event", - "start": "2024-06-21T11:16:15.680Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "network_traffic.http" - }, - "user_agent": { - "original": "Go-http-client/1.1" - }, - "status": "Error", - "_conf": { - "endace_url": "https://test.test.local", - "endace_datasources": "tag:rotation-file", - "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", - "endace_lookback": 10 - } - }, - { - "server": { - "port": 35176, - "bytes": 25084, - "ip": "10.100.0.29" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "type": "packetbeat", "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", "version": "8.9.1" }, "destination": { - "port": 35176, - "bytes": 25084, - "ip": "10.100.0.29" + "port": 48866, + "bytes": 1317, + "ip": "127.0.0.1", + "packets": 12 }, "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", 
@@ -1490,20 +20,18 @@
 "snapshot": false
 },
 "source": {
- "port": 80,
- "ip": "169.254.169.254"
+ "port": 6789,
+ "bytes": 1108,
+ "ip": "127.0.0.1",
+ "packets": 14
 },
- "error": {
- "message": "Unmatched response"
- },
- "type": "http",
+ "type": "flow",
 "network": {
- "protocol": "http",
- "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=",
- "bytes": 25084,
+ "community_id": "1:RCi572y4gqQ+7LFlqkPsn1Xfa+0=",
+ "bytes": 2425,
 "transport": "tcp",
 "type": "ipv4",
- "direction": "ingress"
+ "packets": 26
 },
 "cloud": {
 "availability_zone": "europe-west2-c",
@@ -1512,12 +40,12 @@
 "id": "5975790316485631173"
 },
 "provider": "gcp",
- "machine": {
- "type": "t2d-standard-1"
- },
 "service": {
 "name": "GCE"
 },
+ "machine": {
+ "type": "t2d-standard-1"
+ },
 "project": {
 "id": "elastic-sa"
 },
@@ -1526,20 +54,14 @@
 "id": "elastic-sa"
 }
 },
- "@timestamp": "2024-06-21T11:16:18.434Z",
+ "@timestamp": "2024-07-01T10:49:50.000Z",
 "ecs": {
 "version": "8.11.0"
 },
- "related": {
- "ip": [
- "169.254.169.254",
- "10.100.0.29"
- ]
- },
 "data_stream": {
 "namespace": "webserver",
 "type": "logs",
- "dataset": "network_traffic.http"
+ "dataset": "endace.flow"
 },
 "host": {
 "hostname": "webserver",
@@ -1552,11 +74,11 @@
 "version": "11 (bullseye)",
 "platform": "debian"
 },
+ "containerized": false,
 "ip": [
 "10.100.0.29",
 "fe80::4001:aff:fe64:1d"
 ],
- "containerized": false,
 "name": "webserver",
 "id": "28bd70940d6b4dd105977a2b386fc78d",
 "mac": [
@@ -1564,41 +86,31 @@
 ],
 "architecture": "x86_64"
 },
- "client": {
- "port": 80,
- "ip": "169.254.169.254"
- },
- "http": {
- "response": {
- "headers": {
- "content-length": 24794,
- "content-type": "application/json"
- },
- "status_phrase": "ok",
- "status_code": 200,
- "mime_type": "application/json",
- "bytes": 25084,
- "body": {
- "bytes": 24794
- }
- }
- },
 "event": {
+ "duration": 64831956254,
 "agent_id_status": "verified",
- "ingested": "2024-06-21T11:16:19Z",
+ "ingested": "2024-07-01T10:49:51Z",
 "kind": "event",
- "end": "2024-06-21T11:16:18.434Z",
+ "start": "2024-07-01T10:48:39.852Z",
+ "action": "network_flow",
+ "end": "2024-07-01T10:49:44.684Z",
 "category": [
 "network"
 ],
 "type": [
- "connection",
- "protocol"
+ "connection"
 ],
- "dataset": "network_traffic.http"
+ "dataset": "endace.flow"
+ },
+ "flow": {
+ "final": false,
+ "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYUa4r4"
 },
- "status": "Error",
 "_conf": {
+ "event": {
+ "start": 1719827319,
+ "end": 1719827384
+ },
 "endace_url": "https://test.test.local",
 "endace_datasources": "tag:rotation-file",
 "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress",
@@ -1606,43 +118,55 @@ } }, { - "server": { - "port": 35164, - "bytes": 25084, - "ip": "10.100.0.29" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, - "destination": { - "port": 35164, - "bytes": 25084, - "ip": "10.100.0.29" - }, "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", "version": "8.9.1", "snapshot": false }, - "source": { - "port": 80, - "ip": "169.254.169.254" + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 680, + "ip": "81.2.69.144", + "packets": 10 }, - "error": { - "message": "Unmatched response" + "source": { + "port": 56370, + "bytes": 5211, + "ip": "10.100.0.29", + "packets": 10 }, - "type": "http", + "type": "flow", "network": { - "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", - "protocol": "http", - "bytes": 25084, + "community_id": "1:TwdqE0w1aE72YUTaajguLj4qUns=", + "bytes": 5891, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 20 }, "cloud": { "availability_zone": "europe-west2-c", @@ -1651,12 +175,12 @@ "id": "5975790316485631173" }, "provider": "gcp", - "service": { - "name": "GCE" - }, "machine": { "type": "t2d-standard-1" }, + "service": { + "name": "GCE" + }, "project": { "id": "elastic-sa" }, 
@@ -1665,20 +189,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:16:15.679Z", + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, - "related": { - "ip": [ - "169.254.169.254", - "10.100.0.29" - ] - }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", @@ -1686,8 +204,8 @@ "kernel": "5.10.0-27-cloud-amd64", "codename": "bullseye", "name": "Debian GNU/Linux", - "type": "linux", "family": "debian", + "type": "linux", "version": "11 (bullseye)", "platform": "debian" }, @@ -1703,41 +221,31 @@ ], "architecture": "x86_64" }, - "client": { - "port": 80, - "ip": "169.254.169.254" - }, - "http": { - "response": { - "headers": { - "content-length": 24794, - "content-type": "application/json" - }, - "status_phrase": "ok", - "status_code": 200, - "mime_type": "application/json", - "bytes": 25084, - "body": { - "bytes": 24794 - } - } - }, "event": { + "duration": 60223908451, "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:16Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "end": "2024-06-21T11:16:15.679Z", + "start": "2024-07-01T10:48:39.852Z", + "action": "network_flow", + "end": "2024-07-01T10:49:40.076Z", "category": [ "network" ], "type": [ - "connection", - "protocol" + "connection" ], - "dataset": "network_traffic.http" + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDDLcuwE" }, - "status": "Error", "_conf": { + "event": { + "start": 1719827319, + "end": 1719827380 + }, "endace_url": "https://test.test.local", "endace_datasources": "tag:rotation-file", "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", 
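Review bot: In the `@@ -1665,20 +189,14 @@` hunk the `related.ip` array is dropped and the new flow event sets only `source.ip` and `destination.ip` (`10.100.0.29` and `81.2.69.144` in the preceding hunk), so nothing populates `related.ip` for the `endace.flow` dataset. ECS-based pivots and prebuilt detection rules key on `related.ip` to match either endpoint, so these flows will be invisible to them; add an enrichment step such as `- append: { field: related.ip, value: ["{{{source.ip}}}", "{{{destination.ip}}}"], allow_duplicates: false, if: "ctx.source?.ip != null || ctx.destination?.ip != null" }` and regenerate the fixture. The enclosing event object starts in the preceding hunk.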
@@ -1745,52 +253,55 @@ } }, { - "server": { - "port": 80, - "bytes": 38106, - "ip": "10.100.0.29", - "domain": "www.test.co" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, - "method": "GET", - "query": "GET /images/bg.jpg", "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", "version": "8.9.1", "snapshot": false }, "destination": { - "port": 80, - "bytes": 38106, - "domain": "www.test.co", - "ip": "10.100.0.29" + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 9672, + "ip": "81.2.69.144", + "packets": 45 }, "source": { - "port": 1541, - "bytes": 385, - "ip": "35.244.92.47" - }, - "type": "http", - "url": { - "path": "/images/bg.jpg", - "extension": "jpg", - "scheme": "http", - "domain": "www.test.co", - "full": "http://www.test.co/images/bg.jpg" + "port": 60098, + "bytes": 547639, + "ip": "10.100.0.29", + "packets": 66 }, + "type": "flow", "network": { - "protocol": "http", - "community_id": "1:Awz6GFqwC6DyvBuaB+al4It7yAY=", - "bytes": 38491, + "community_id": "1:vX6oXjJfSEwPiJ0pwvMzUK719S8=", + "bytes": 557311, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 111 }, "cloud": { "availability_zone": "europe-west2-c", 
@@ -1813,24 +324,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:16:12.734Z", + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, - "related": { - "hosts": [ - "www.test.co", - "http://www.test.co/assets/css/main.css" - ], - "ip": [ - "35.244.92.47", - "10.100.0.29" - ] - }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", 
@@ -1855,56 +356,31 @@ ], "architecture": "x86_64" }, - "client": { - "port": 1541, - "bytes": 385, - "ip": "35.244.92.47" - }, - "http": { - "request": { - "referrer": "http://www.test.co/assets/css/main.css", - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 385 - }, - "response": { - "headers": { - "content-length": 37864, - "content-type": "image/jpeg" - }, - "status_code": 200, - "status_phrase": "ok", - "mime_type": "image/jpeg", - "bytes": 38106, - "body": { - "bytes": 37864 - } - }, - "version": "1.1" - }, "event": { - "duration": 113000, + "duration": 60736169344, "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:14Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "start": "2024-06-21T11:16:12.734Z", - "end": "2024-06-21T11:16:12.734Z", + "start": "2024-07-01T10:48:40.363Z", + "action": "network_flow", + "end": "2024-07-01T10:49:41.100Z", "category": [ "network" ], "type": [ - "connection", - "protocol" + "connection" ], - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDMLquwE" }, - "status": "OK", "_conf": { + "event": { + "start": 1719827320, + "end": 1719827381 + }, "endace_url": "https://test.test.local", "endace_datasources": "tag:rotation-file", "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", @@ -1912,12 +388,6 @@ } }, { - "server": { - "port": 80, - "bytes": 72153, - "ip": "10.100.0.29", - "domain": "www.test.co" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", 
@@ -1925,40 +395,48 @@ "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, - "method": "GET", - "query": "GET /assets/fonts/fontawesome-webfont.woff2", "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", "version": "8.9.1", "snapshot": false }, "destination": { - "port": 80, - "bytes": 72153, - "ip": "10.100.0.29", - "domain": "www.test.co" + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 1954, + "ip": "81.2.69.144", + "packets": 6 }, "source": { - "port": 1539, - "bytes": 402, - "ip": "35.244.92.47" - }, - "type": "http", - "url": { - "path": "/assets/fonts/fontawesome-webfont.woff2", - "extension": "woff2", - "scheme": "http", - "query": "v=4.6.3", - "domain": "www.test.co", - "full": "http://www.test.co/assets/fonts/fontawesome-webfont.woff2?v=4.6.3" + "port": 55960, + "bytes": 7775, + "ip": "10.100.0.29", + "packets": 7 }, + "type": "flow", "network": { - "community_id": "1:gPM3VQvPa/AoaH6Pynie+9K8/a4=", - "protocol": "http", - "bytes": 72555, + "community_id": "1:rkJGR0qjRmD5vrCpbbdAiOnhiQM=", + "bytes": 9729, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 13 }, "cloud": { "availability_zone": "europe-west2-c", @@ -1967,12 +445,12 @@ "id": "5975790316485631173" }, "provider": "gcp", - "service": { - "name": "GCE" - }, "machine": { "type": "t2d-standard-1" }, + "service": { + "name": "GCE" + }, "project": { "id": "elastic-sa" }, 
@@ -1981,24 +459,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:16:12.783Z", + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, - "related": { - "hosts": [ - "www.test.co", - "http://www.test.co/assets/css/font-awesome.min.css" - ], - "ip": [ - "35.244.92.47", - "10.100.0.29" - ] - }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", @@ -2006,8 +474,8 @@ "kernel": "5.10.0-27-cloud-amd64", "codename": "bullseye", "name": "Debian GNU/Linux", - "type": "linux", "family": "debian", + "type": "linux", "version": "11 (bullseye)", "platform": "debian" }, 
@@ -2023,56 +491,31 @@ ], "architecture": "x86_64" }, - "client": { - "port": 1539, - "bytes": 402, - "ip": "35.244.92.47" - }, - "http": { - "request": { - "headers": { - "content-length": 0 - }, - "referrer": "http://www.test.co/assets/css/font-awesome.min.css", - "method": "GET", - "bytes": 402 - }, - "response": { - "headers": { - "content-length": 71896, - "content-type": "application/octet-stream" - }, - "status_code": 200, - "status_phrase": "ok", - "mime_type": "application/octet-stream", - "bytes": 72153, - "body": { - "bytes": 71896 - } - }, - "version": "1.1" - }, "event": { - "duration": 61000, + "duration": 60735918914, "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:14Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "start": "2024-06-21T11:16:12.783Z", - "end": "2024-06-21T11:16:12.783Z", + "start": "2024-07-01T10:48:40.364Z", + "action": "network_flow", + "end": "2024-07-01T10:49:41.100Z", "category": [ "network" ], "type": [ - "connection", - "protocol" + "connection" ], - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDJjauwE" }, - "status": "OK", "_conf": { + "event": { + "start": 1719827320, + "end": 1719827381 + }, "endace_url": "https://test.test.local", "endace_datasources": "tag:rotation-file", "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", 
@@ -2080,51 +523,37 @@ } }, { - "server": { - "port": 80, - "bytes": 4137, - "domain": "www.test.co", - "ip": "10.100.0.29" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, - "method": "GET", - "query": "GET /", + "destination": { + "port": 6789, + "bytes": 1176, + "ip": "127.0.0.1", + "packets": 15 + }, "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", "version": "8.9.1", "snapshot": false }, - "destination": { - "port": 80, - "bytes": 4137, - "ip": "10.100.0.29", - "domain": "www.test.co" - }, "source": { - "port": 19456, - "bytes": 419, - "ip": "34.86.203.82" - }, - "type": "http", - "url": { - "path": "/", - "scheme": "http", - "domain": "www.test.co", - "full": "http://www.test.co/" + "port": 48904, + "bytes": 1479, + "ip": "127.0.0.1", + "packets": 12 }, + "type": "flow", "network": { - "community_id": "1:yJ0rbgFBC3faJY1GlmrXdwvTHUg=", - "protocol": "http", - "bytes": 4556, + "community_id": "1:8z8pjOEt4+6YMtJjX7lUfpXgVgw=", + "bytes": 2655, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 27 }, "cloud": { "availability_zone": "europe-west2-c", @@ -2147,23 +576,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:16:10.631Z", + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, - "related": { - "hosts": [ - "www.test.co" - ], - "ip": [ - "34.86.203.82", - "10.100.0.29" - ] - }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", @@ -2171,8 +591,8 @@ "kernel": "5.10.0-27-cloud-amd64", "codename": "bullseye", "name": "Debian GNU/Linux", - "type": "linux", "family": "debian", + "type": "linux", "version": "11 (bullseye)", "platform": "debian" }, 
@@ -2188,55 +608,31 @@ ], "architecture": "x86_64" }, - "client": { - "port": 19456, - "bytes": 419, - "ip": "34.86.203.82" - }, - "http": { - "request": { - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 419 - }, - "response": { - "headers": { - "content-length": 3875, - "content-type": "text/html" - }, - "status_phrase": "ok", - "status_code": 200, - "mime_type": "text/html", - "bytes": 4137, - "body": { - "bytes": 3875 - } - }, - "version": "1.1" - }, "event": { - "duration": 477000, + "duration": 65343896149, "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:11Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "start": "2024-06-21T11:16:10.631Z", - "end": "2024-06-21T11:16:10.632Z", + "start": "2024-07-01T10:48:40.364Z", + "action": "network_flow", + "end": "2024-07-01T10:49:45.708Z", "category": [ "network" ], "type": [ - "connection", - "protocol" + "connection" ], - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAQi/hRo" }, - "status": "OK", "_conf": { + "event": { + "start": 1719827320, + "end": 1719827385 + }, "endace_url": "https://test.test.local", "endace_datasources": "tag:rotation-file", "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", @@ -2244,12 +640,6 @@ } }, { - "server": { - "port": 80, - "bytes": 10306, - "domain": "www.test.co", - "ip": "10.100.0.29" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", 
@@ -2257,13 +647,29 @@ "type": "packetbeat", "version": "8.9.1" }, - "method": "GET", - "query": "GET /images/pic01.jpg", "destination": { - "port": 80, - "bytes": 10306, - "domain": "www.test.co", - "ip": "10.100.0.29" + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 7821, + "ip": "81.2.69.144", + "packets": 30 }, "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", @@ -2271,25 +677,18 @@ "snapshot": false }, "source": { - "port": 19458, - "bytes": 369, - "ip": "34.86.203.82" - }, - "type": "http", - "url": { - "path": "/images/pic01.jpg", - "extension": "jpg", - "scheme": "http", - "domain": "www.test.co", - "full": "http://www.test.co/images/pic01.jpg" + "port": 45176, + "bytes": 332993, + "ip": "10.100.0.29", + "packets": 49 }, + "type": "flow", "network": { - "protocol": "http", - "community_id": "1:19gScwFqXOlar3be22Vn5xuAauQ=", - "bytes": 10675, + "community_id": "1:rDoUGTpaonfSKgfFy8xvyps5opI=", + "bytes": 340814, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 79 }, "cloud": { "availability_zone": "europe-west2-c", @@ -2298,12 +697,12 @@ "id": "5975790316485631173" }, "provider": "gcp", - "machine": { - "type": "t2d-standard-1" - }, "service": { "name": "GCE" }, + "machine": { + "type": "t2d-standard-1" + }, "project": { "id": "elastic-sa" }, 
@@ -2312,24 +711,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:16:10.792Z", - "related": { - "hosts": [ - "www.test.co", - "http://www.test.co/" - ], - "ip": [ - "34.86.203.82", - "10.100.0.29" - ] - }, + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", @@ -2337,8 +726,8 @@ "kernel": "5.10.0-27-cloud-amd64", "codename": "bullseye", "name": "Debian GNU/Linux", - "type": "linux", "family": "debian", + "type": "linux", "version": "11 (bullseye)", "platform": "debian" }, 
@@ -2354,56 +743,31 @@ ], "architecture": "x86_64" }, - "http": { - "request": { - "referrer": "http://www.test.co/", - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 369 - }, - "response": { - "headers": { - "content-length": 10064, - "content-type": "image/jpeg" - }, - "status_phrase": "ok", - "status_code": 200, - "mime_type": "image/jpeg", - "bytes": 10306, - "body": { - "bytes": 10064 - } - }, - "version": "1.1" - }, - "client": { - "port": 19458, - "bytes": 369, - "ip": "34.86.203.82" - }, "event": { - "duration": 251000, + "duration": 59712159075, "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:11Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "start": "2024-06-21T11:16:10.792Z", - "end": "2024-06-21T11:16:10.792Z", + "start": "2024-07-01T10:48:41.388Z", + "action": "network_flow", + "end": "2024-07-01T10:49:41.100Z", "category": [ "network" ], "type": [ - "connection", - "protocol" + "connection" ], - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDHiwuwE" }, - "status": "OK", "_conf": { + "event": { + "start": 1719827321, + "end": 1719827381 + }, "endace_url": "https://test.test.local", "endace_datasources": "tag:rotation-file", "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", @@ -2411,12 +775,6 @@ } }, { - "server": { - "port": 80, - "bytes": 32868, - "domain": "www.test.co", - "ip": "10.100.0.29" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", 
@@ -2424,39 +782,48 @@ "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, - "method": "GET", - "query": "GET /assets/css/main.css", - "destination": { - "port": 80, - "bytes": 32868, - "ip": "10.100.0.29", - "domain": "www.test.co" - }, "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", "version": "8.9.1", "snapshot": false }, + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 5471, + "ip": "81.2.69.144", + "packets": 20 + }, "source": { - "port": 19456, - "bytes": 326, - "ip": "34.86.203.82" - }, - "type": "http", - "url": { - "path": "/assets/css/main.css", - "extension": "css", - "scheme": "http", - "domain": "www.test.co", - "full": "http://www.test.co/assets/css/main.css" + "port": 56928, + "bytes": 23897, + "ip": "10.100.0.29", + "packets": 21 }, + "type": "flow", "network": { - "protocol": "http", - "community_id": "1:yJ0rbgFBC3faJY1GlmrXdwvTHUg=", - "bytes": 33194, + "community_id": "1:JimQNreW+sYThnNGTVx+lyRdLbo=", + "bytes": 29368, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 41 }, "cloud": { "availability_zone": "europe-west2-c", @@ -2479,24 +846,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:16:10.716Z", + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, - "related": { - "hosts": [ - "www.test.co", - "http://www.test.co/" - ], - "ip": [ - "34.86.203.82", - "10.100.0.29" - ] - }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", 
@@ -2509,11 +866,11 @@ "version": "11 (bullseye)", "platform": "debian" }, - "containerized": false, "ip": [ "10.100.0.29", "fe80::4001:aff:fe64:1d" ], + "containerized": false, "name": "webserver", "id": "28bd70940d6b4dd105977a2b386fc78d", "mac": [ @@ -2521,56 +878,31 @@ ], "architecture": "x86_64" }, - "http": { - "request": { - "referrer": "http://www.test.co/", - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 326 - }, - "response": { - "headers": { - "content-length": 32628, - "content-type": "text/css" - }, - "status_phrase": "ok", - "status_code": 200, - "mime_type": "text/css", - "bytes": 32868, - "body": { - "bytes": 32628 - } - }, - "version": "1.1" - }, - "client": { - "port": 19456, - "bytes": 326, - "ip": "34.86.203.82" - }, "event": { - "duration": 84000, + "duration": 66879956683, "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:11Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "start": "2024-06-21T11:16:10.716Z", - "end": "2024-06-21T11:16:10.716Z", + "start": "2024-07-01T10:48:41.388Z", + "action": "network_flow", + "end": "2024-07-01T10:49:48.268Z", "category": [ "network" ], "type": [ - "connection", - "protocol" + "connection" ], - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDGDeuwE" }, - "status": "OK", "_conf": { + "event": { + "start": 1719827321, + "end": 1719827388 + }, "endace_url": "https://test.test.local", "endace_datasources": "tag:rotation-file", "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", 
@@ -2578,26 +910,36 @@ } }, { - "server": { - "port": 80, - "bytes": 9145, - "ip": "10.100.0.29", - "domain": "www.test.co" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "type": "packetbeat", "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", "version": "8.9.1" }, - "method": "GET", - "query": "GET /images/pic02.jpg", "destination": { - "port": 80, - "bytes": 9145, - "ip": "10.100.0.29", - "domain": "www.test.co" + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 12588, + "ip": "81.2.69.144", + "packets": 45 }, "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", @@ -2605,25 +947,18 @@ "snapshot": false }, "source": { - "port": 19457, - "bytes": 369, - "ip": "34.86.203.82" - }, - "type": "http", - "url": { - "path": "/images/pic02.jpg", - "extension": "jpg", - "scheme": "http", - "domain": "www.test.co", - "full": "http://www.test.co/images/pic02.jpg" + "port": 49588, + "bytes": 182639, + "ip": "10.100.0.29", + "packets": 82 }, + "type": "flow", "network": { - "protocol": "http", - "community_id": "1:ioQAxWbr9FPVUa+VsG4oHAJkdqg=", - "bytes": 9514, + "community_id": "1:nQ4W/+0XInOvc8X+dZywhVnJMxg=", + "bytes": 195227, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 127 }, "cloud": { "availability_zone": "europe-west2-c", @@ -2632,12 +967,12 @@ "id": "5975790316485631173" }, "provider": "gcp", - "machine": { - "type": "t2d-standard-1" - }, "service": { "name": "GCE" }, + "machine": { + "type": "t2d-standard-1" + }, "project": { "id": "elastic-sa" }, 
@@ -2646,24 +981,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:16:10.795Z", + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, - "related": { - "hosts": [ - "www.test.co", - "http://www.test.co/" - ], - "ip": [ - "34.86.203.82", - "10.100.0.29" - ] - }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", @@ -2671,16 +996,16 @@ "kernel": "5.10.0-27-cloud-amd64", "codename": "bullseye", "name": "Debian GNU/Linux", - "family": "debian", "type": "linux", + "family": "debian", "version": "11 (bullseye)", "platform": "debian" }, - "containerized": false, "ip": [ "10.100.0.29", "fe80::4001:aff:fe64:1d" ], + "containerized": false, "name": "webserver", "id": "28bd70940d6b4dd105977a2b386fc78d", "mac": [ 
@@ -2688,56 +1013,31 @@ ], "architecture": "x86_64" }, - "client": { - "port": 19457, - "bytes": 369, - "ip": "34.86.203.82" - }, - "http": { - "request": { - "referrer": "http://www.test.co/", - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 369 - }, - "response": { - "headers": { - "content-length": 8904, - "content-type": "image/jpeg" - }, - "status_phrase": "ok", - "status_code": 200, - "mime_type": "image/jpeg", - "bytes": 9145, - "body": { - "bytes": 8904 - } - }, - "version": "1.1" - }, "event": { - "duration": 41000, + "duration": 67392032290, "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:11Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "start": "2024-06-21T11:16:10.795Z", - "end": "2024-06-21T11:16:10.795Z", + "start": "2024-07-01T10:48:41.900Z", + "action": "network_flow", + "end": "2024-07-01T10:49:49.292Z", "category": [ "network" ], "type": [ - "connection", - "protocol" + "connection" ], - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDLTBuwE" }, - "status": "OK", "_conf": { + "event": { + "start": 1719827321, + "end": 1719827389 + }, "endace_url": "https://test.test.local", "endace_datasources": "tag:rotation-file", "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", @@ -2745,12 +1045,6 @@ } }, { - "server": { - "port": 80, - "bytes": 9938, - "ip": "10.100.0.29", - "domain": "www.test.co" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", 
@@ -2758,13 +1052,11 @@ "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, - "method": "GET", - "query": "GET /images/pic03.jpg", "destination": { - "port": 80, - "bytes": 9938, - "domain": "www.test.co", - "ip": "10.100.0.29" + "port": 6791, + "bytes": 6833, + "ip": "127.0.0.1", + "packets": 7 }, "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", @@ -2772,25 +1064,18 @@ "snapshot": false }, "source": { - "port": 19461, - "bytes": 369, - "ip": "34.86.203.82" - }, - "type": "http", - "url": { - "path": "/images/pic03.jpg", - "extension": "jpg", - "scheme": "http", - "domain": "www.test.co", - "full": "http://www.test.co/images/pic03.jpg" + "port": 39856, + "bytes": 2310, + "ip": "127.0.0.1", + "packets": 14 }, + "type": "flow", "network": { - "community_id": "1:ggT7zC+LwNLXYYw3utRBpsMN+9w=", - "protocol": "http", - "bytes": 10307, + "community_id": "1:VFRc3lML+k0fLfF36gdrSCu5udg=", + "bytes": 9143, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 21 }, "cloud": { "availability_zone": "europe-west2-c", @@ -2813,24 +1098,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:16:10.796Z", - "related": { - "hosts": [ - "www.test.co", - "http://www.test.co/" - ], - "ip": [ - "34.86.203.82", - "10.100.0.29" - ] - }, + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", @@ -2838,8 +1113,8 @@ "kernel": "5.10.0-27-cloud-amd64", "codename": "bullseye", "name": "Debian GNU/Linux", - "family": "debian", "type": "linux", + "family": "debian", "version": "11 (bullseye)", "platform": "debian" }, 
@@ -2855,56 +1130,31 @@ ], "architecture": "x86_64" }, - "http": { - "request": { - "referrer": "http://www.test.co/", - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 369 - }, - "response": { - "headers": { - "content-length": 9697, - "content-type": "image/jpeg" - }, - "status_phrase": "ok", - "status_code": 200, - "mime_type": "image/jpeg", - "bytes": 9938, - "body": { - "bytes": 9697 - } - }, - "version": "1.1" - }, - "client": { - "port": 19461, - "bytes": 369, - "ip": "34.86.203.82" - }, "event": { - "duration": 202000, + "duration": 59712056664, "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:11Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "start": "2024-06-21T11:16:10.796Z", - "end": "2024-06-21T11:16:10.796Z", + "start": "2024-07-01T10:48:42.412Z", + "action": "network_flow", + "end": "2024-07-01T10:49:42.124Z", "type": [ - "connection", - "protocol" + "connection" ], "category": [ "network" ], - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYcasJs" }, - "status": "OK", "_conf": { + "event": { + "start": 1719827322, + "end": 1719827382 + }, "endace_url": "https://test.test.local", "endace_datasources": "tag:rotation-file", "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", @@ -2912,12 +1162,6 @@ } }, { - "server": { - "port": 80, - "bytes": 9338, - "ip": "10.100.0.29", - "domain": "www.test.co" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", 
@@ -2925,39 +1169,30 @@ "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, - "method": "GET", - "query": "GET /assets/js/skel.min.js", + "destination": { + "port": 80, + "bytes": 25278, + "ip": "169.254.169.254", + "packets": 5 + }, "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", "version": "8.9.1", "snapshot": false }, - "destination": { - "port": 80, - "bytes": 9338, - "ip": "10.100.0.29", - "domain": "www.test.co" - }, "source": { - "port": 19460, - "bytes": 313, - "ip": "34.86.203.82" - }, - "type": "http", - "url": { - "path": "/assets/js/skel.min.js", - "extension": "js", - "scheme": "http", - "domain": "www.test.co", - "full": "http://www.test.co/assets/js/skel.min.js" + "port": 47598, + "bytes": 452, + "ip": "10.100.0.29", + "packets": 4 }, + "type": "flow", "network": { - "protocol": "http", - "community_id": "1:I2z0vpcqgfS252mqkW5mlrncpqY=", - "bytes": 9651, + "community_id": "1:ZA5ezPNh0MumdIPxY03oJDcyLd8=", + "bytes": 25730, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 9 }, "cloud": { "availability_zone": "europe-west2-c", @@ -2980,24 +1215,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:16:10.797Z", + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, - "related": { - "hosts": [ - "www.test.co", - "http://www.test.co/" - ], - "ip": [ - "34.86.203.82", - "10.100.0.29" - ] - }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", 
@@ -3022,56 +1247,31 @@ ], "architecture": "x86_64" }, - "http": { - "request": { - "referrer": "http://www.test.co/", - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 313 - }, - "response": { - "headers": { - "content-length": 9085, - "content-type": "application/javascript" - }, - "status_phrase": "ok", - "status_code": 200, - "mime_type": "application/javascript", - "bytes": 9338, - "body": { - "bytes": 9085 - } - }, - "version": "1.1" - }, - "client": { - "port": 19460, - "bytes": 313, - "ip": "34.86.203.82" - }, "event": { - "duration": 233000, + "duration": 61759622403, "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:11Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "start": "2024-06-21T11:16:10.797Z", - "end": "2024-06-21T11:16:10.797Z", + "start": "2024-07-01T10:48:42.924Z", + "action": "network_flow", + "end": "2024-07-01T10:49:44.684Z", "category": [ "network" ], "type": [ - "connection", - "protocol" + "connection" ], - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdqf6p/u65UAA" }, - "status": "OK", "_conf": { + "event": { + "start": 1719827322, + "end": 1719827384 + }, "endace_url": "https://test.test.local", "endace_datasources": "tag:rotation-file", "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", diff --git a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json index 41ecb814ea2..3f6cd30e700 100644 --- a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json +++ b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json 
@@ -1,24 +1,18 @@ { "expected": [ { - "server": { - "port": 80, - "bytes": 374, - "ip": "10.100.0.29" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "type": "packetbeat", "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", "version": "8.9.1" }, - "method": "GET", - "query": "GET /.env", "destination": { - "port": 80, - "bytes": 374, - "ip": "10.100.0.29" + "port": 48866, + "bytes": 1317, + "ip": "127.0.0.1", + "packets": 12 }, "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", @@ -26,25 +20,18 @@ "snapshot": false }, "source": { - "port": 46324, - "bytes": 230, - "ip": "57.129.23.166" - }, - "type": "http", - "url": { - "path": "/.env", - "extension": "env", - "scheme": "http", - "domain": "34.147.158.4", - "full": "http://34.147.158.4/.env" + "port": 6789, + "bytes": 1108, + "ip": "127.0.0.1", + "packets": 14 }, + "type": "flow", "network": { - "community_id": "1:SUrUlAjDJgBojipINaXvE82MrcU=", - "protocol": "http", - "bytes": 604, + "community_id": "1:RCi572y4gqQ+7LFlqkPsn1Xfa+0=", + "bytes": 2425, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 26 }, "cloud": { "availability_zone": "europe-west2-c", @@ -67,21 +54,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:18:18.358Z", - "related": { - "ip": [ - "57.129.23.166", - "10.100.0.29", - "34.147.158.4" - ] - }, + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", @@ -94,11 +74,11 @@ "version": "11 (bullseye)", "platform": "debian" }, + "containerized": false, "ip": [ "10.100.0.29", "fe80::4001:aff:fe64:1d" ], - "containerized": false, "name": "webserver", "id": "28bd70940d6b4dd105977a2b386fc78d", "mac": [ 
@@ -106,101 +86,78 @@ ], "architecture": "x86_64" }, - "client": { - "port": 46324, - "bytes": 230, - "ip": "57.129.23.166" - }, - "http": { - "request": { - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 230 - }, - "response": { - "headers": { - "content-length": 177, - "content-type": "text/html" - }, - "status_phrase": "not found", - "status_code": 404, - "mime_type": "text/html", - "bytes": 374, - "body": { - "bytes": 177 - } - }, - "version": "1.1" - }, "event": { - "duration": 506000, + "duration": 64831956254, "agent_id_status": "verified", - "ingested": "2024-06-21T11:18:19Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "start": "2024-06-21T11:18:18.358Z", - "end": "2024-06-21T11:18:18.359Z", - "type": [ - "connection", - "protocol" - ], + "start": "2024-07-01T10:48:39.852Z", + "action": "network_flow", + "end": "2024-07-01T10:49:44.684Z", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830919852&end=1719830384684&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=127.0.0.1%26127.0.0.1", "category": [ "network" ], - "dataset": "network_traffic.http", - "reference": "" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" + "type": [ + "connection" + ], + "dataset": "endace.flow" }, - "status": "Error" + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYUa4r4" + } }, { - "server": { - "port": 80, - "bytes": 716, - "ip": "10.100.0.29" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, - "method": "POST", - "query": "POST /", "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", "version": "8.9.1", "snapshot": false }, 
"destination": { - "port": 80, - "bytes": 716, - "ip": "10.100.0.29" + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 680, + "ip": "81.2.69.144", + "packets": 10 }, "source": { - "port": 46390, - "bytes": 316, - "ip": "57.129.23.166" - }, - "type": "http", - "url": { - "path": "/", - "scheme": "http", - "query": "0x%5B%5D=androxgh0st", - "domain": "34.147.158.4", - "full": "http://34.147.158.4/?0x%5B%5D=androxgh0st" + "port": 56370, + "bytes": 5211, + "ip": "10.100.0.29", + "packets": 10 }, + "type": "flow", "network": { - "community_id": "1:2X7Vc6YqRE4tl8APECPM4vuvaMA=", - "protocol": "http", - "bytes": 1032, + "community_id": "1:TwdqE0w1aE72YUTaajguLj4qUns=", + "bytes": 5891, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 20 }, "cloud": { "availability_zone": "europe-west2-c", @@ -209,12 +166,12 @@ "id": "5975790316485631173" }, "provider": "gcp", - "service": { - "name": "GCE" - }, "machine": { "type": "t2d-standard-1" }, + "service": { + "name": "GCE" + }, "project": { "id": "elastic-sa" }, @@ -223,21 +180,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:18:18.416Z", - "related": { - "ip": [ - "57.129.23.166", - "10.100.0.29", - "34.147.158.4" - ] - }, + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", @@ -245,8 +195,8 @@ "kernel": "5.10.0-27-cloud-amd64", "codename": "bullseye", "name": "Debian GNU/Linux", - "type": "linux", "family": "debian", + "type": "linux", "version": "11 (bullseye)", "platform": "debian" }, 
@@ -262,71 +212,34 @@ ], "architecture": "x86_64" }, - "http": { - "request": { - "headers": { - "content-length": 20, - "content-type": "application/x-www-form-urlencoded" - }, - "method": "POST", - "bytes": 316, - "body": { - "bytes": 20 - } - }, - "response": { - "headers": { - "content-length": 559, - "content-type": "text/html" - }, - "status_code": 405, - "status_phrase": "not allowed", - "mime_type": "text/html", - "bytes": 716, - "body": { - "bytes": 559 - } - }, - "version": "1.1" - }, - "client": { - "port": 46390, - "bytes": 316, - "ip": "57.129.23.166" - }, "event": { - "duration": 238000, + "duration": 60223908451, "agent_id_status": "verified", - "ingested": "2024-06-21T11:18:19Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "start": "2024-06-21T11:18:18.416Z", - "end": "2024-06-21T11:18:18.417Z", - "type": [ - "connection", - "protocol" - ], + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830919852&end=1719830380076&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", + "start": "2024-07-01T10:48:39.852Z", + "action": "network_flow", + "end": "2024-07-01T10:49:40.076Z", "category": [ "network" ], - "dataset": "network_traffic.http", - "reference": "" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" + "type": [ + "connection" + ], + "dataset": "endace.flow" }, - "status": "Error" + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDDLcuwE" + } }, { - "server": { - "port": 35176, - "bytes": 25084, - "ip": "10.100.0.29" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, "elastic_agent": { 
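Review bot: The generated `event.reference` pivot URL has `end` before `start` (`start=1719830919852&end=1719830380076`), yet the same document's `event.end` of 2024-07-01T10:49:40.076Z is 1719830980076 ms — `start` matches `event.start` exactly while `end` is 600 000 ms too small. EndaceVision will receive an empty or rejected time window, so the link is unusable; this looks like a sign error or a mis-applied padding on the end bound in the pipeline step that builds the URL, which is not visible in this hunk. The fix belongs in the pipeline rather than this fixture; once corrected the expected value here should read `end=1719830980076`, and a pipeline test asserting the URL's `start` is less than its `end` would catch a regression. The same inverted window appears in the other `event.reference` values of this file.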
@@ -335,25 +248,42 @@ "snapshot": false }, "destination": { - "port": 35176, - "bytes": 25084, - "ip": "10.100.0.29" + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 9672, + "ip": "81.2.69.144", + "packets": 45 }, "source": { - "port": 80, - "ip": "169.254.169.254" - }, - "type": "http", - "error": { - "message": "Unmatched response" + "port": 60098, + "bytes": 547639, + "ip": "10.100.0.29", + "packets": 66 }, + "type": "flow", "network": { - "protocol": "http", - "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", - "bytes": 25084, + "community_id": "1:vX6oXjJfSEwPiJ0pwvMzUK719S8=", + "bytes": 557311, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 111 }, "cloud": { "availability_zone": "europe-west2-c", @@ -376,20 +306,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:18:18.465Z", - "related": { - "ip": [ - "169.254.169.254", - "10.100.0.29" - ] - }, + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", @@ -397,8 +321,8 @@ "kernel": "5.10.0-27-cloud-amd64", "codename": "bullseye", "name": "Debian GNU/Linux", - "family": "debian", "type": "linux", + "family": "debian", "version": "11 (bullseye)", "platform": "debian" }, 
@@ -414,48 +338,29 @@ ], "architecture": "x86_64" }, - "client": { - "port": 80, - "ip": "169.254.169.254" - }, - "http": { - "response": { - "headers": { - "content-length": 24794, - "content-type": "application/json" - }, - "status_code": 200, - "status_phrase": "ok", - "mime_type": "application/json", - "bytes": 25084, - "body": { - "bytes": 24794 - } - } - }, "event": { + "duration": 60736169344, "agent_id_status": "verified", - "ingested": "2024-06-21T11:18:19Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "end": "2024-06-21T11:18:18.465Z", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830920363&end=1719830381100&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", + "start": "2024-07-01T10:48:40.363Z", + "action": "network_flow", + "end": "2024-07-01T10:49:41.100Z", "category": [ "network" ], "type": [ - "connection", - "protocol" + "connection" ], - "dataset": "network_traffic.http", - "reference": "" + "dataset": "endace.flow" }, - "status": "Error" + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDMLquwE" + } }, { - "server": { - "port": 35164, - "bytes": 25084, - "ip": "10.100.0.29" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", 
@@ -469,25 +374,42 @@ "snapshot": false }, "destination": { - "port": 35164, - "bytes": 25084, - "ip": "10.100.0.29" + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 1954, + "ip": "81.2.69.144", + "packets": 6 }, "source": { - "port": 80, - "ip": "169.254.169.254" - }, - "error": { - "message": "Unmatched response" + "port": 55960, + "bytes": 7775, + "ip": "10.100.0.29", + "packets": 7 }, - "type": "http", + "type": "flow", "network": { - "protocol": "http", - "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", - "bytes": 25084, + "community_id": "1:rkJGR0qjRmD5vrCpbbdAiOnhiQM=", + "bytes": 9729, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 13 }, "cloud": { "availability_zone": "europe-west2-c", @@ -496,12 +418,12 @@ "id": "5975790316485631173" }, "provider": "gcp", - "service": { - "name": "GCE" - }, "machine": { "type": "t2d-standard-1" }, + "service": { + "name": "GCE" + }, "project": { "id": "elastic-sa" }, @@ -510,20 +432,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:18:15.709Z", + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, - "related": { - "ip": [ - "169.254.169.254", - "10.100.0.29" - ] - }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", @@ -531,8 +447,8 @@ "kernel": "5.10.0-27-cloud-amd64", "codename": "bullseye", "name": "Debian GNU/Linux", - "type": "linux", "family": "debian", + "type": "linux", "version": "11 (bullseye)", "platform": "debian" }, 
@@ -548,47 +464,29 @@ ], "architecture": "x86_64" }, - "http": { - "response": { - "headers": { - "content-length": 24794, - "content-type": "application/json" - }, - "status_phrase": "ok", - "status_code": 200, - "mime_type": "application/json", - "bytes": 25084, - "body": { - "bytes": 24794 - } - } - }, - "client": { - "port": 80, - "ip": "169.254.169.254" - }, "event": { + "duration": 60735918914, "agent_id_status": "verified", - "ingested": "2024-06-21T11:18:17Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "end": "2024-06-21T11:18:15.709Z", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830920364&end=1719830381100&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", + "start": "2024-07-01T10:48:40.364Z", + "action": "network_flow", + "end": "2024-07-01T10:49:41.100Z", "category": [ "network" ], "type": [ - "connection", - "protocol" + "connection" ], - "dataset": "network_traffic.http", - "reference": "" + "dataset": "endace.flow" }, - "status": "Error" + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDJjauwE" + } }, { - "server": { - "port": 80, - "ip": "169.254.169.254" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", @@ -596,11 +494,11 @@ "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, - "method": "GET", - "query": "GET /computeMetadata/v1//", "destination": { - "port": 80, - "ip": "169.254.169.254" + "port": 6789, + "bytes": 1176, + "ip": "127.0.0.1", + "packets": 15 }, "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", 
@@ -608,28 +506,18 @@ "snapshot": false }, "source": { - "port": 35176, - "bytes": 228, - "ip": "10.100.0.29" - }, - "error": { - "message": "Unmatched request" - }, - "type": "http", - "url": { - "path": "/computeMetadata/v1//", - "scheme": "http", - "domain": "169.254.169.254", - "query": "alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true", - "full": "http://169.254.169.254/computeMetadata/v1//?alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true" + "port": 48904, + "bytes": 1479, + "ip": "127.0.0.1", + "packets": 12 }, + "type": "flow", "network": { - "protocol": "http", - "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", - "bytes": 228, + "community_id": "1:8z8pjOEt4+6YMtJjX7lUfpXgVgw=", + "bytes": 2655, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 27 }, "cloud": { "availability_zone": "europe-west2-c", @@ -652,20 +540,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:17:18.451Z", - "related": { - "ip": [ - "10.100.0.29", - "169.254.169.254" - ] - }, + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", 
@@ -690,58 +572,59 @@ ], "architecture": "x86_64" }, - "client": { - "port": 35176, - "bytes": 228, - "ip": "10.100.0.29" - }, - "http": { - "request": { - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 228 - }, - "version": "1.1" - }, "event": { + "duration": 65343896149, "agent_id_status": "verified", - "ingested": "2024-06-21T11:17:32Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "start": "2024-06-21T11:17:18.451Z", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830920364&end=1719830385708&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=127.0.0.1%26127.0.0.1", + "start": "2024-07-01T10:48:40.364Z", + "action": "network_flow", + "end": "2024-07-01T10:49:45.708Z", "category": [ "network" ], "type": [ - "connection", - "protocol" + "connection" ], - "dataset": "network_traffic.http", - "reference": "" + "dataset": "endace.flow" }, - "user_agent": { - "original": "Go-http-client/1.1" - }, - "status": "Error" + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAQi/hRo" + } }, { - "server": { - "port": 80, - "ip": "169.254.169.254" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "type": "packetbeat", "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", "version": "8.9.1" }, - "method": "GET", - "query": "GET /computeMetadata/v1/", "destination": { - "port": 80, - "ip": "169.254.169.254" + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 7821, + "ip": "81.2.69.144", + "packets": 30 }, "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", 
@@ -749,28 +632,18 @@ "snapshot": false }, "source": { - "port": 35164, - "bytes": 227, - "ip": "10.100.0.29" - }, - "error": { - "message": "Unmatched request" - }, - "type": "http", - "url": { - "path": "/computeMetadata/v1/", - "scheme": "http", - "domain": "169.254.169.254", - "query": "alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true", - "full": "http://169.254.169.254/computeMetadata/v1/?alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true" + "port": 45176, + "bytes": 332993, + "ip": "10.100.0.29", + "packets": 49 }, + "type": "flow", "network": { - "protocol": "http", - "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", - "bytes": 227, + "community_id": "1:rDoUGTpaonfSKgfFy8xvyps5opI=", + "bytes": 340814, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 79 }, "cloud": { "availability_zone": "europe-west2-c", @@ -779,12 +652,12 @@ "id": "5975790316485631173" }, "provider": "gcp", - "machine": { - "type": "t2d-standard-1" - }, "service": { "name": "GCE" }, + "machine": { + "type": "t2d-standard-1" + }, "project": { "id": "elastic-sa" }, @@ -793,20 +666,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:17:15.695Z", - "related": { - "ip": [ - "10.100.0.29", - "169.254.169.254" - ] - }, + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", 
@@ -831,52 +698,34 @@ ], "architecture": "x86_64" }, - "http": { - "request": { - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 227 - }, - "version": "1.1" - }, - "client": { - "port": 35164, - "bytes": 227, - "ip": "10.100.0.29" - }, "event": { + "duration": 59712159075, "agent_id_status": "verified", - "ingested": "2024-06-21T11:17:32Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "start": "2024-06-21T11:17:15.695Z", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830921388&end=1719830381100&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", + "start": "2024-07-01T10:48:41.388Z", + "action": "network_flow", + "end": "2024-07-01T10:49:41.100Z", "category": [ "network" ], "type": [ - "connection", - "protocol" + "connection" ], - "dataset": "network_traffic.http", - "reference": "" + "dataset": "endace.flow" }, - "user_agent": { - "original": "Go-http-client/1.1" - }, - "status": "Error" + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDHiwuwE" + } }, { - "server": { - "port": 35176, - "bytes": 25084, - "ip": "10.100.0.29" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, "elastic_agent": { 
@@ -885,25 +734,42 @@ "snapshot": false }, "destination": { - "port": 35176, - "bytes": 25084, - "ip": "10.100.0.29" + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 5471, + "ip": "81.2.69.144", + "packets": 20 }, "source": { - "port": 80, - "ip": "169.254.169.254" - }, - "error": { - "message": "Unmatched response" + "port": 56928, + "bytes": 23897, + "ip": "10.100.0.29", + "packets": 21 }, - "type": "http", + "type": "flow", "network": { - "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", - "protocol": "http", - "bytes": 25084, + "community_id": "1:JimQNreW+sYThnNGTVx+lyRdLbo=", + "bytes": 29368, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 41 }, "cloud": { "availability_zone": "europe-west2-c", @@ -926,20 +792,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:17:18.450Z", - "related": { - "ip": [ - "169.254.169.254", - "10.100.0.29" - ] - }, + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", @@ -947,16 +807,16 @@ "kernel": "5.10.0-27-cloud-amd64", "codename": "bullseye", "name": "Debian GNU/Linux", - "type": "linux", "family": "debian", + "type": "linux", "version": "11 (bullseye)", "platform": "debian" }, - "containerized": false, "ip": [ "10.100.0.29", "fe80::4001:aff:fe64:1d" ], + "containerized": false, "name": "webserver", "id": "28bd70940d6b4dd105977a2b386fc78d", "mac": [ 
@@ -964,48 +824,29 @@ ], "architecture": "x86_64" }, - "client": { - "port": 80, - "ip": "169.254.169.254" - }, - "http": { - "response": { - "headers": { - "content-length": 24794, - "content-type": "application/json" - }, - "status_code": 200, - "status_phrase": "ok", - "mime_type": "application/json", - "bytes": 25084, - "body": { - "bytes": 24794 - } - } - }, "event": { + "duration": 66879956683, "agent_id_status": "verified", - "ingested": "2024-06-21T11:17:19Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "end": "2024-06-21T11:17:18.450Z", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830921388&end=1719830388268&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", + "start": "2024-07-01T10:48:41.388Z", + "action": "network_flow", + "end": "2024-07-01T10:49:48.268Z", "category": [ "network" ], "type": [ - "connection", - "protocol" + "connection" ], - "dataset": "network_traffic.http", - "reference": "" + "dataset": "endace.flow" }, - "status": "Error" + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDGDeuwE" + } }, { - "server": { - "port": 35164, - "bytes": 25084, - "ip": "10.100.0.29" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", 
@@ -1013,31 +854,48 @@ "type": "packetbeat", "version": "8.9.1" }, + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 12588, + "ip": "81.2.69.144", + "packets": 45 + }, "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", "version": "8.9.1", "snapshot": false }, - "destination": { - "port": 35164, - "bytes": 25084, - "ip": "10.100.0.29" - }, "source": { - "port": 80, - "ip": "169.254.169.254" - }, - "error": { - "message": "Unmatched response" + "port": 49588, + "bytes": 182639, + "ip": "10.100.0.29", + "packets": 82 }, - "type": "http", + "type": "flow", "network": { - "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", - "protocol": "http", - "bytes": 25084, + "community_id": "1:nQ4W/+0XInOvc8X+dZywhVnJMxg=", + "bytes": 195227, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 127 }, "cloud": { "availability_zone": "europe-west2-c", @@ -1046,12 +904,12 @@ "id": "5975790316485631173" }, "provider": "gcp", - "machine": { - "type": "t2d-standard-1" - }, "service": { "name": "GCE" }, + "machine": { + "type": "t2d-standard-1" + }, "project": { "id": "elastic-sa" }, @@ -1060,20 +918,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:17:15.695Z", - "related": { - "ip": [ - "169.254.169.254", - "10.100.0.29" - ] - }, + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", 
@@ -1081,16 +933,16 @@ "kernel": "5.10.0-27-cloud-amd64", "codename": "bullseye", "name": "Debian GNU/Linux", - "family": "debian", "type": "linux", + "family": "debian", "version": "11 (bullseye)", "platform": "debian" }, - "containerized": false, "ip": [ "10.100.0.29", "fe80::4001:aff:fe64:1d" ], + "containerized": false, "name": "webserver", "id": "28bd70940d6b4dd105977a2b386fc78d", "mac": [ 
@@ -1098,59 +950,41 @@ ], "architecture": "x86_64" }, - "client": { - "port": 80, - "ip": "169.254.169.254" - }, - "http": { - "response": { - "headers": { - "content-length": 24794, - "content-type": "application/json" - }, - "status_code": 200, - "status_phrase": "ok", - "mime_type": "application/json", - "bytes": 25084, - "body": { - "bytes": 24794 - } - } - }, "event": { + "duration": 67392032290, "agent_id_status": "verified", - "ingested": "2024-06-21T11:17:16Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "end": "2024-06-21T11:17:15.695Z", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830921900&end=1719830389292&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", + "start": "2024-07-01T10:48:41.900Z", + "action": "network_flow", + "end": "2024-07-01T10:49:49.292Z", "category": [ "network" ], "type": [ - "connection", - "protocol" + "connection" ], - "dataset": "network_traffic.http", - "reference": "" + "dataset": "endace.flow" }, - "status": "Error" + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDLTBuwE" + } }, { - "server": { - "port": 80, - "ip": "169.254.169.254" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, - "method": "GET", - "query": "GET /computeMetadata/v1//", "destination": { - "port": 80, - "ip": "169.254.169.254" + "port": 6791, + "bytes": 6833, + "ip": "127.0.0.1", + "packets": 7 }, "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", 
@@ -1158,28 +992,18 @@ "snapshot": false }, "source": { - "port": 35176, - "bytes": 228, - "ip": "10.100.0.29" - }, - "error": { - "message": "Unmatched request" - }, - "type": "http", - "url": { - "path": "/computeMetadata/v1//", - "scheme": "http", - "domain": "169.254.169.254", - "query": "alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true", - "full": "http://169.254.169.254/computeMetadata/v1//?alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true" + "port": 39856, + "bytes": 2310, + "ip": "127.0.0.1", + "packets": 14 }, + "type": "flow", "network": { - "protocol": "http", - "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", - "bytes": 228, + "community_id": "1:VFRc3lML+k0fLfF36gdrSCu5udg=", + "bytes": 9143, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 21 }, "cloud": { "availability_zone": "europe-west2-c", @@ -1202,20 +1026,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:16:18.436Z", + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, - "related": { - "ip": [ - "10.100.0.29", - "169.254.169.254" - ] - }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", 
@@ -1240,46 +1058,29 @@ ], "architecture": "x86_64" }, - "client": { - "port": 35176, - "bytes": 228, - "ip": "10.100.0.29" - }, - "http": { - "request": { - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 228 - }, - "version": "1.1" - }, "event": { + "duration": 59712056664, "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:33Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "start": "2024-06-21T11:16:18.436Z", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830922412&end=1719830382124&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=127.0.0.1%26127.0.0.1", + "start": "2024-07-01T10:48:42.412Z", + "action": "network_flow", + "end": "2024-07-01T10:49:42.124Z", + "type": [ + "connection" + ], "category": [ "network" ], - "type": [ - "connection", - "protocol" - ], - "dataset": "network_traffic.http", - "reference": "" - }, - "user_agent": { - "original": "Go-http-client/1.1" + "dataset": "endace.flow" }, - "status": "Error" + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYcasJs" + } }, { - "server": { - "port": 80, - "ip": "169.254.169.254" - }, "agent": { "name": "webserver", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", @@ -1287,11 +1088,11 @@ "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, - "method": "GET", - "query": "GET /computeMetadata/v1/", "destination": { "port": 80, - "ip": "169.254.169.254" + "bytes": 25278, + "ip": "169.254.169.254", + "packets": 5 }, "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", 
@@ -1299,28 +1100,18 @@ "snapshot": false }, "source": { - "port": 35164, - "bytes": 227, - "ip": "10.100.0.29" - }, - "type": "http", - "error": { - "message": "Unmatched request" - }, - "url": { - "path": "/computeMetadata/v1/", - "scheme": "http", - "domain": "169.254.169.254", - "query": "alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true", - "full": "http://169.254.169.254/computeMetadata/v1/?alt=json&last_etag=6797782f559e8a44&recursive=true&timeout_sec=60&wait_for_change=true" + "port": 47598, + "bytes": 452, + "ip": "10.100.0.29", + "packets": 4 }, + "type": "flow", "network": { - "protocol": "http", - "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", - "bytes": 227, + "community_id": "1:ZA5ezPNh0MumdIPxY03oJDcyLd8=", + "bytes": 25730, "transport": "tcp", "type": "ipv4", - "direction": "ingress" + "packets": 9 }, "cloud": { "availability_zone": "europe-west2-c", @@ -1329,12 +1120,12 @@ "id": "5975790316485631173" }, "provider": "gcp", - "machine": { - "type": "t2d-standard-1" - }, "service": { "name": "GCE" }, + "machine": { + "type": "t2d-standard-1" + }, "project": { "id": "elastic-sa" }, @@ -1343,20 +1134,14 @@ "id": "elastic-sa" } }, - "@timestamp": "2024-06-21T11:16:15.680Z", + "@timestamp": "2024-07-01T10:49:50.000Z", "ecs": { "version": "8.11.0" }, - "related": { - "ip": [ - "10.100.0.29", - "169.254.169.254" - ] - }, "data_stream": { "namespace": "webserver", "type": "logs", - "dataset": "network_traffic.http" + "dataset": "endace.flow" }, "host": { "hostname": "webserver", 
@@ -1381,1602 +1166,27 @@ ], "architecture": "x86_64" }, - "http": { - "request": { - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 227 - }, - "version": "1.1" - }, - "client": { - "port": 35164, - "bytes": 227, - "ip": "10.100.0.29" - }, "event": { + "duration": 61759622403, "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:33Z", + "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "start": "2024-06-21T11:16:15.680Z", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830922924&end=1719830384684&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%26169.254.169.254", + "start": "2024-07-01T10:48:42.924Z", + "action": "network_flow", + "end": "2024-07-01T10:49:44.684Z", "category": [ "network" ], "type": [ - "connection", - "protocol" + "connection" ], - "dataset": "network_traffic.http", - "reference": "" - }, - "user_agent": { - "original": "Go-http-client/1.1" - }, - "status": "Error" - }, - { - "server": { - "port": 35176, - "bytes": 25084, - "ip": "10.100.0.29" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "type": "packetbeat", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "version": "8.9.1" - }, - "destination": { - "port": 35176, - "bytes": 25084, - "ip": "10.100.0.29" - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "source": { - "port": 80, - "ip": "169.254.169.254" - }, - "error": { - "message": "Unmatched response" - }, - "type": "http", - "network": { - "protocol": "http", - "community_id": "1:njSdxqEp4qgf9e7i1wsAk4CMMN0=", - "bytes": 25084, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - 
"machine": { - "type": "t2d-standard-1" - }, - "service": { - "name": "GCE" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:16:18.434Z", - "ecs": { - "version": "8.11.0" - }, - "related": { - "ip": [ - "169.254.169.254", - "10.100.0.29" - ] - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "family": "debian", - "type": "linux", - "version": "11 (bullseye)", - "platform": "debian" - }, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "containerized": false, - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "client": { - "port": 80, - "ip": "169.254.169.254" - }, - "http": { - "response": { - "headers": { - "content-length": 24794, - "content-type": "application/json" - }, - "status_phrase": "ok", - "status_code": 200, - "mime_type": "application/json", - "bytes": 25084, - "body": { - "bytes": 24794 - } - } - }, - "event": { - "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:19Z", - "kind": "event", - "end": "2024-06-21T11:16:18.434Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "network_traffic.http", - "reference": "" - }, - "status": "Error" - }, - { - "server": { - "port": 35164, - "bytes": 25084, - "ip": "10.100.0.29" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "type": "packetbeat", - "version": "8.9.1" - }, - "destination": { - "port": 35164, - "bytes": 25084, - "ip": "10.100.0.29" - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - 
}, - "source": { - "port": 80, - "ip": "169.254.169.254" - }, - "error": { - "message": "Unmatched response" - }, - "type": "http", - "network": { - "community_id": "1:KM3GdIA1KtInDzMvpMBTvN6gFis=", - "protocol": "http", - "bytes": 25084, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "t2d-standard-1" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:16:15.679Z", - "ecs": { - "version": "8.11.0" - }, - "related": { - "ip": [ - "169.254.169.254", - "10.100.0.29" - ] - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "client": { - "port": 80, - "ip": "169.254.169.254" - }, - "http": { - "response": { - "headers": { - "content-length": 24794, - "content-type": "application/json" - }, - "status_phrase": "ok", - "status_code": 200, - "mime_type": "application/json", - "bytes": 25084, - "body": { - "bytes": 24794 - } - } - }, - "event": { - "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:16Z", - "kind": "event", - "end": "2024-06-21T11:16:15.679Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "network_traffic.http", - "reference": "" - }, - 
"status": "Error" - }, - { - "server": { - "port": 80, - "bytes": 38106, - "ip": "10.100.0.29", - "domain": "www.test.co" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "type": "packetbeat", - "version": "8.9.1" - }, - "method": "GET", - "query": "GET /images/bg.jpg", - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "destination": { - "port": 80, - "bytes": 38106, - "domain": "www.test.co", - "ip": "10.100.0.29" - }, - "source": { - "port": 1541, - "bytes": 385, - "ip": "35.244.92.47" - }, - "type": "http", - "url": { - "path": "/images/bg.jpg", - "extension": "jpg", - "scheme": "http", - "domain": "www.test.co", - "full": "http://www.test.co/images/bg.jpg" - }, - "network": { - "protocol": "http", - "community_id": "1:Awz6GFqwC6DyvBuaB+al4It7yAY=", - "bytes": 38491, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "t2d-standard-1" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:16:12.734Z", - "ecs": { - "version": "8.11.0" - }, - "related": { - "hosts": [ - "www.test.co", - "http://www.test.co/assets/css/main.css" - ], - "ip": [ - "35.244.92.47", - "10.100.0.29" - ] - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": 
[ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "client": { - "port": 1541, - "bytes": 385, - "ip": "35.244.92.47" - }, - "http": { - "request": { - "referrer": "http://www.test.co/assets/css/main.css", - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 385 - }, - "response": { - "headers": { - "content-length": 37864, - "content-type": "image/jpeg" - }, - "status_code": 200, - "status_phrase": "ok", - "mime_type": "image/jpeg", - "bytes": 38106, - "body": { - "bytes": 37864 - } - }, - "version": "1.1" - }, - "event": { - "duration": 113000, - "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:14Z", - "kind": "event", - "start": "2024-06-21T11:16:12.734Z", - "end": "2024-06-21T11:16:12.734Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "network_traffic.http", - "reference": "" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" - }, - "status": "OK" - }, - { - "server": { - "port": 80, - "bytes": 72153, - "ip": "10.100.0.29", - "domain": "www.test.co" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "type": "packetbeat", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "version": "8.9.1" - }, - "method": "GET", - "query": "GET /assets/fonts/fontawesome-webfont.woff2", - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "destination": { - "port": 80, - "bytes": 72153, - "ip": "10.100.0.29", - "domain": "www.test.co" - }, - "source": { - "port": 1539, - "bytes": 402, - "ip": "35.244.92.47" - }, - "type": "http", - "url": { - "path": "/assets/fonts/fontawesome-webfont.woff2", - "extension": "woff2", - "scheme": 
"http", - "query": "v=4.6.3", - "domain": "www.test.co", - "full": "http://www.test.co/assets/fonts/fontawesome-webfont.woff2?v=4.6.3" - }, - "network": { - "community_id": "1:gPM3VQvPa/AoaH6Pynie+9K8/a4=", - "protocol": "http", - "bytes": 72555, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "t2d-standard-1" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:16:12.783Z", - "ecs": { - "version": "8.11.0" - }, - "related": { - "hosts": [ - "www.test.co", - "http://www.test.co/assets/css/font-awesome.min.css" - ], - "ip": [ - "35.244.92.47", - "10.100.0.29" - ] - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "client": { - "port": 1539, - "bytes": 402, - "ip": "35.244.92.47" - }, - "http": { - "request": { - "headers": { - "content-length": 0 - }, - "referrer": "http://www.test.co/assets/css/font-awesome.min.css", - "method": "GET", - "bytes": 402 - }, - "response": { - "headers": { - "content-length": 71896, - "content-type": "application/octet-stream" - }, - "status_code": 200, - "status_phrase": "ok", - "mime_type": "application/octet-stream", - "bytes": 72153, - "body": { - "bytes": 71896 - } - 
}, - "version": "1.1" - }, - "event": { - "duration": 61000, - "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:14Z", - "kind": "event", - "start": "2024-06-21T11:16:12.783Z", - "end": "2024-06-21T11:16:12.783Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "network_traffic.http", - "reference": "" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" - }, - "status": "OK" - }, - { - "server": { - "port": 80, - "bytes": 4137, - "domain": "www.test.co", - "ip": "10.100.0.29" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "type": "packetbeat", - "version": "8.9.1" - }, - "method": "GET", - "query": "GET /", - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "destination": { - "port": 80, - "bytes": 4137, - "ip": "10.100.0.29", - "domain": "www.test.co" - }, - "source": { - "port": 19456, - "bytes": 419, - "ip": "34.86.203.82" - }, - "type": "http", - "url": { - "path": "/", - "scheme": "http", - "domain": "www.test.co", - "full": "http://www.test.co/" - }, - "network": { - "community_id": "1:yJ0rbgFBC3faJY1GlmrXdwvTHUg=", - "protocol": "http", - "bytes": 4556, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "t2d-standard-1" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:16:10.631Z", - "ecs": { - "version": "8.11.0" - }, - "related": { - "hosts": [ - "www.test.co" - ], - 
"ip": [ - "34.86.203.82", - "10.100.0.29" - ] - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "client": { - "port": 19456, - "bytes": 419, - "ip": "34.86.203.82" - }, - "http": { - "request": { - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 419 - }, - "response": { - "headers": { - "content-length": 3875, - "content-type": "text/html" - }, - "status_phrase": "ok", - "status_code": 200, - "mime_type": "text/html", - "bytes": 4137, - "body": { - "bytes": 3875 - } - }, - "version": "1.1" - }, - "event": { - "duration": 477000, - "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:11Z", - "kind": "event", - "start": "2024-06-21T11:16:10.631Z", - "end": "2024-06-21T11:16:10.632Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "network_traffic.http", - "reference": "" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" - }, - "status": "OK" - }, - { - "server": { - "port": 80, - "bytes": 10306, - "domain": "www.test.co", - "ip": "10.100.0.29" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "type": "packetbeat", - "version": "8.9.1" - }, - "method": "GET", - "query": "GET /images/pic01.jpg", - "destination": { - "port": 80, - "bytes": 10306, - "domain": 
"www.test.co", - "ip": "10.100.0.29" - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "source": { - "port": 19458, - "bytes": 369, - "ip": "34.86.203.82" - }, - "type": "http", - "url": { - "path": "/images/pic01.jpg", - "extension": "jpg", - "scheme": "http", - "domain": "www.test.co", - "full": "http://www.test.co/images/pic01.jpg" - }, - "network": { - "protocol": "http", - "community_id": "1:19gScwFqXOlar3be22Vn5xuAauQ=", - "bytes": 10675, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "machine": { - "type": "t2d-standard-1" - }, - "service": { - "name": "GCE" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:16:10.792Z", - "related": { - "hosts": [ - "www.test.co", - "http://www.test.co/" - ], - "ip": [ - "34.86.203.82", - "10.100.0.29" - ] - }, - "ecs": { - "version": "8.11.0" - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "http": { - "request": { - "referrer": "http://www.test.co/", - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 369 - }, - "response": { - "headers": { - "content-length": 10064, - "content-type": "image/jpeg" - }, - "status_phrase": 
"ok", - "status_code": 200, - "mime_type": "image/jpeg", - "bytes": 10306, - "body": { - "bytes": 10064 - } - }, - "version": "1.1" - }, - "client": { - "port": 19458, - "bytes": 369, - "ip": "34.86.203.82" - }, - "event": { - "duration": 251000, - "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:11Z", - "kind": "event", - "start": "2024-06-21T11:16:10.792Z", - "end": "2024-06-21T11:16:10.792Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "network_traffic.http", - "reference": "" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" - }, - "status": "OK" - }, - { - "server": { - "port": 80, - "bytes": 32868, - "domain": "www.test.co", - "ip": "10.100.0.29" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "type": "packetbeat", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "version": "8.9.1" - }, - "method": "GET", - "query": "GET /assets/css/main.css", - "destination": { - "port": 80, - "bytes": 32868, - "ip": "10.100.0.29", - "domain": "www.test.co" - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "source": { - "port": 19456, - "bytes": 326, - "ip": "34.86.203.82" - }, - "type": "http", - "url": { - "path": "/assets/css/main.css", - "extension": "css", - "scheme": "http", - "domain": "www.test.co", - "full": "http://www.test.co/assets/css/main.css" - }, - "network": { - "protocol": "http", - "community_id": "1:yJ0rbgFBC3faJY1GlmrXdwvTHUg=", - "bytes": 33194, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": 
"t2d-standard-1" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:16:10.716Z", - "ecs": { - "version": "8.11.0" - }, - "related": { - "hosts": [ - "www.test.co", - "http://www.test.co/" - ], - "ip": [ - "34.86.203.82", - "10.100.0.29" - ] - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "family": "debian", - "type": "linux", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "http": { - "request": { - "referrer": "http://www.test.co/", - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 326 - }, - "response": { - "headers": { - "content-length": 32628, - "content-type": "text/css" - }, - "status_phrase": "ok", - "status_code": 200, - "mime_type": "text/css", - "bytes": 32868, - "body": { - "bytes": 32628 - } - }, - "version": "1.1" - }, - "client": { - "port": 19456, - "bytes": 326, - "ip": "34.86.203.82" - }, - "event": { - "duration": 84000, - "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:11Z", - "kind": "event", - "start": "2024-06-21T11:16:10.716Z", - "end": "2024-06-21T11:16:10.716Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "network_traffic.http", - "reference": "" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" - }, - "status": "OK" - }, - { - "server": { - "port": 80, - "bytes": 9145, - "ip": "10.100.0.29", - "domain": 
"www.test.co" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "type": "packetbeat", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "version": "8.9.1" - }, - "method": "GET", - "query": "GET /images/pic02.jpg", - "destination": { - "port": 80, - "bytes": 9145, - "ip": "10.100.0.29", - "domain": "www.test.co" - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "source": { - "port": 19457, - "bytes": 369, - "ip": "34.86.203.82" - }, - "type": "http", - "url": { - "path": "/images/pic02.jpg", - "extension": "jpg", - "scheme": "http", - "domain": "www.test.co", - "full": "http://www.test.co/images/pic02.jpg" - }, - "network": { - "protocol": "http", - "community_id": "1:ioQAxWbr9FPVUa+VsG4oHAJkdqg=", - "bytes": 9514, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "machine": { - "type": "t2d-standard-1" - }, - "service": { - "name": "GCE" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:16:10.795Z", - "ecs": { - "version": "8.11.0" - }, - "related": { - "hosts": [ - "www.test.co", - "http://www.test.co/" - ], - "ip": [ - "34.86.203.82", - "10.100.0.29" - ] - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "family": "debian", - "type": "linux", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", 
- "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "client": { - "port": 19457, - "bytes": 369, - "ip": "34.86.203.82" - }, - "http": { - "request": { - "referrer": "http://www.test.co/", - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 369 - }, - "response": { - "headers": { - "content-length": 8904, - "content-type": "image/jpeg" - }, - "status_phrase": "ok", - "status_code": 200, - "mime_type": "image/jpeg", - "bytes": 9145, - "body": { - "bytes": 8904 - } - }, - "version": "1.1" - }, - "event": { - "duration": 41000, - "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:11Z", - "kind": "event", - "start": "2024-06-21T11:16:10.795Z", - "end": "2024-06-21T11:16:10.795Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "network_traffic.http", - "reference": "" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" - }, - "status": "OK" - }, - { - "server": { - "port": 80, - "bytes": 9938, - "ip": "10.100.0.29", - "domain": "www.test.co" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "type": "packetbeat", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "version": "8.9.1" - }, - "method": "GET", - "query": "GET /images/pic03.jpg", - "destination": { - "port": 80, - "bytes": 9938, - "domain": "www.test.co", - "ip": "10.100.0.29" - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "source": { - "port": 19461, - "bytes": 369, - "ip": "34.86.203.82" - }, - "type": "http", - "url": { - "path": "/images/pic03.jpg", - "extension": "jpg", - "scheme": "http", - "domain": "www.test.co", - "full": "http://www.test.co/images/pic03.jpg" - }, - "network": { - "community_id": "1:ggT7zC+LwNLXYYw3utRBpsMN+9w=", - "protocol": "http", - "bytes": 
10307, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "t2d-standard-1" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:16:10.796Z", - "related": { - "hosts": [ - "www.test.co", - "http://www.test.co/" - ], - "ip": [ - "34.86.203.82", - "10.100.0.29" - ] - }, - "ecs": { - "version": "8.11.0" - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "family": "debian", - "type": "linux", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "http": { - "request": { - "referrer": "http://www.test.co/", - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 369 - }, - "response": { - "headers": { - "content-length": 9697, - "content-type": "image/jpeg" - }, - "status_phrase": "ok", - "status_code": 200, - "mime_type": "image/jpeg", - "bytes": 9938, - "body": { - "bytes": 9697 - } - }, - "version": "1.1" - }, - "client": { - "port": 19461, - "bytes": 369, - "ip": "34.86.203.82" - }, - "event": { - "duration": 202000, - "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:11Z", - "kind": "event", - "start": "2024-06-21T11:16:10.796Z", - "end": "2024-06-21T11:16:10.796Z", - "type": [ - "connection", - "protocol" - ], - "category": [ - "network" - ], - "dataset": 
"network_traffic.http", - "reference": "" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" - }, - "status": "OK" - }, - { - "server": { - "port": 80, - "bytes": 9338, - "ip": "10.100.0.29", - "domain": "www.test.co" - }, - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "type": "packetbeat", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "version": "8.9.1" - }, - "method": "GET", - "query": "GET /assets/js/skel.min.js", - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "destination": { - "port": 80, - "bytes": 9338, - "ip": "10.100.0.29", - "domain": "www.test.co" - }, - "source": { - "port": 19460, - "bytes": 313, - "ip": "34.86.203.82" - }, - "type": "http", - "url": { - "path": "/assets/js/skel.min.js", - "extension": "js", - "scheme": "http", - "domain": "www.test.co", - "full": "http://www.test.co/assets/js/skel.min.js" - }, - "network": { - "protocol": "http", - "community_id": "1:I2z0vpcqgfS252mqkW5mlrncpqY=", - "bytes": 9651, - "transport": "tcp", - "type": "ipv4", - "direction": "ingress" - }, - "cloud": { - "availability_zone": "europe-west2-c", - "instance": { - "name": "jamesgarside-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" - }, - "machine": { - "type": "t2d-standard-1" - }, - "project": { - "id": "elastic-sa" - }, - "region": "europe-west2", - "account": { - "id": "elastic-sa" - } - }, - "@timestamp": "2024-06-21T11:16:10.797Z", - "ecs": { - "version": "8.11.0" - }, - "related": { - "hosts": [ - "www.test.co", - "http://www.test.co/" - ], - "ip": [ - "34.86.203.82", - "10.100.0.29" - ] - }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "network_traffic.http" - }, - "host": { - "hostname": "webserver", - "os": { - 
"kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "family": "debian", - "type": "linux", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" - }, - "http": { - "request": { - "referrer": "http://www.test.co/", - "headers": { - "content-length": 0 - }, - "method": "GET", - "bytes": 313 - }, - "response": { - "headers": { - "content-length": 9085, - "content-type": "application/javascript" - }, - "status_phrase": "ok", - "status_code": 200, - "mime_type": "application/javascript", - "bytes": 9338, - "body": { - "bytes": 9085 - } - }, - "version": "1.1" - }, - "client": { - "port": 19460, - "bytes": 313, - "ip": "34.86.203.82" - }, - "event": { - "duration": 233000, - "agent_id_status": "verified", - "ingested": "2024-06-21T11:16:11Z", - "kind": "event", - "start": "2024-06-21T11:16:10.797Z", - "end": "2024-06-21T11:16:10.797Z", - "category": [ - "network" - ], - "type": [ - "connection", - "protocol" - ], - "dataset": "network_traffic.http", - "reference": "" - }, - "user_agent": { - "original": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/124.0.6367.29 Safari/537.36 Elastic/Synthetics" + "dataset": "endace.flow" }, - "status": "OK" + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdqf6p/u65UAA" + } } ] } \ No newline at end of file From b4bb6a8da4a14c6a966a442643e54fcef9905ddb Mon Sep 17 00:00:00 2001 From: James Garside Date: Mon, 1 Jul 2024 12:58:11 +0100 Subject: [PATCH 05/23] Modified owner in manifest --- packages/endace/manifest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/endace/manifest.yml b/packages/endace/manifest.yml index 929632bf8ee..09d88daff8c 100644 --- a/packages/endace/manifest.yml 
+++ b/packages/endace/manifest.yml @@ -96,5 +96,5 @@ agent: privileges: root: true owner: - github: elastic/integrations + github: elastic/sec-deployment-and-devices type: partner From 76544dbd7d8732501b2da1ea751d1667b949a8b9 Mon Sep 17 00:00:00 2001 From: James Garside Date: Mon, 1 Jul 2024 13:48:27 +0100 Subject: [PATCH 06/23] Removed test data scripts --- .../endace/data_stream/flow/_dev/add_field.py | 71 ------------------- .../system/test-http-get-2k-file-config.yml | 2 +- .../test/system/test-icmp-2-pings-config.yml | 2 +- .../endace/data_stream/log/_dev/add_field.py | 48 ------------- .../_dev/test/system/test-netflow-config.yml | 1 - packages/endace/manifest.yml | 1 - 6 files changed, 2 insertions(+), 123 deletions(-) delete mode 100644 packages/endace/data_stream/flow/_dev/add_field.py delete mode 100644 packages/endace/data_stream/log/_dev/add_field.py diff --git a/packages/endace/data_stream/flow/_dev/add_field.py b/packages/endace/data_stream/flow/_dev/add_field.py deleted file mode 100644 index d6564a5cd47..00000000000 --- a/packages/endace/data_stream/flow/_dev/add_field.py +++ /dev/null 
@@ -1,71 +0,0 @@ -import json, os, collections -from datetime import datetime -import time - -events_path = os.getcwd() + "/data_stream/flow/_dev/test/pipeline/test-flow-events.json" -expected_events_path = os.getcwd() + "/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json" - -with open(events_path, 'r') as f: - events = json.load(f, object_pairs_hook=collections.OrderedDict) - -with open(expected_events_path, 'r') as ef: - expected_events = json.load(ef, object_pairs_hook=collections.OrderedDict) - - -def remove_metadata(): - new_events = {"events":[]} - for event in events['events']: - if '_source' in event: - new_events['events'].append(event['_source']) - - return new_events - -def process_events(): - for event in events['events']: - if '_conf' not in event: - event['_conf'] = {} - event['_conf']['event'] = {} - event['_conf']['endace_url'] = 'https://test.test.local' - event['_conf']['endace_datasources'] = 'tag:rotation-file' - event['_conf']['endace_tools'] = 'trafficOverTime_by_app,conversations_by_ipaddress' - event['_conf']['endace_lookback'] = 10 - - - # Convert event.start to epoch - if 'event' in event and 'start' in event['event']: - start_str = event['event']['start'] - # Assuming the date format is ISO 8601, e.g., "2023-01-01T00:00:00Z" - start_dt = datetime.strptime(start_str, "%Y-%m-%dT%H:%M:%S.%fZ") - event['_conf']['event']['start'] = int(time.mktime(start_dt.timetuple())) - - # Convert event.end to epoch - if 'event' in event and 'end' in event['event']: - end_str = event['event']['end'] - # Assuming the date format is ISO 8601, e.g., "2023-01-01T00:00:00Z" - end_dt = datetime.strptime(end_str, "%Y-%m-%dT%H:%M:%S.%fZ") - event['_conf']['event']['end'] = int(time.mktime(end_dt.timetuple())) - - -def process_expected_events(): - for event in expected_events['expected']: - if '_conf' in event: - del event['_conf'] - event['ecs']['version'] = "8.11.0" - # expected_events['expected'] = expected_events.pop('events') - - - 
-process_events() - -process_expected_events() - -# events = remove_metadata() -# Write Events -with open(events_path, 'w') as f: - json.dump(events, f, indent=4) - - -# Write Expected Events -with open(expected_events_path, 'w') as ef: - json.dump(expected_events, ef, indent=4) - diff --git a/packages/endace/data_stream/flow/_dev/test/system/test-http-get-2k-file-config.yml b/packages/endace/data_stream/flow/_dev/test/system/test-http-get-2k-file-config.yml index 2cbfac50130..8ef53febd04 100644 --- a/packages/endace/data_stream/flow/_dev/test/system/test-http-get-2k-file-config.yml +++ b/packages/endace/data_stream/flow/_dev/test/system/test-http-get-2k-file-config.yml @@ -4,4 +4,4 @@ input: packet data_stream: vars: period: '-1s' - endace_url: 'http://test.elastic.co' \ No newline at end of file + endace_url: 'http://test.elastic.co' diff --git a/packages/endace/data_stream/flow/_dev/test/system/test-icmp-2-pings-config.yml b/packages/endace/data_stream/flow/_dev/test/system/test-icmp-2-pings-config.yml index d288467b690..8011263401d 100644 --- a/packages/endace/data_stream/flow/_dev/test/system/test-icmp-2-pings-config.yml +++ b/packages/endace/data_stream/flow/_dev/test/system/test-icmp-2-pings-config.yml @@ -5,4 +5,4 @@ data_stream: vars: timeout: '5s' period: '-1s' - endace_url: 'http://test.elastic.co' \ No newline at end of file + endace_url: 'http://test.elastic.co' diff --git a/packages/endace/data_stream/log/_dev/add_field.py b/packages/endace/data_stream/log/_dev/add_field.py deleted file mode 100644 index 03f94518a03..00000000000 --- a/packages/endace/data_stream/log/_dev/add_field.py +++ /dev/null 
@@ -1,48 +0,0 @@ -import json, os, collections, copy - - - -events_path = os.getcwd() + "/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json" -expected_events_path = os.getcwd() + "/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json" - -with open(events_path, 'r') as f: - events = json.load(f, object_pairs_hook=collections.OrderedDict) - -with open(expected_events_path, 'r') as ef: - expected_events = json.load(ef, object_pairs_hook=collections.OrderedDict) - - -# expected_events = copy.deepcopy(events) - -def process_events(): - for event in events['events']: - if '_conf' not in event: - event['_conf'] = {} - event['_conf']['endace_url'] = 'https://test.test.local' - event['_conf']['endace_datasources'] = 'tag:rotation-file' - event['_conf']['endace_tools'] = 'trafficOverTime_by_app,conversations_by_ipaddress' - event['_conf']['endace_lookback'] = 10 - - -def process_expected_events(): - for event in expected_events['expected']: - if '_conf' in event: - del event['_conf'] - # expected_events['expected'] = expected_events.pop('events') - - - -process_events() - -process_expected_events() - - -# Write Events -with open(events_path, 'w') as f: - json.dump(events, f, indent=4) - - -# Write Expected Events -with open(expected_events_path, 'w') as ef: - json.dump(expected_events, ef, indent=4) - diff --git a/packages/endace/data_stream/log/_dev/test/system/test-netflow-config.yml b/packages/endace/data_stream/log/_dev/test/system/test-netflow-config.yml index 80cb30b3000..edd4b1d7b20 100644 --- a/packages/endace/data_stream/log/_dev/test/system/test-netflow-config.yml +++ b/packages/endace/data_stream/log/_dev/test/system/test-netflow-config.yml @@ -6,6 +6,5 @@ data_stream: host: 0.0.0.0 port: 2055 endace_url: 'http://test.elastic.co' - numeric_keyword_fields: - network.iana_number diff --git a/packages/endace/manifest.yml b/packages/endace/manifest.yml index 09d88daff8c..d5cb0ab1372 100644 --- a/packages/endace/manifest.yml 
+++ b/packages/endace/manifest.yml @@ -58,7 +58,6 @@ vars: required: true show_user: false default: "10" - policy_templates: - name: endace title: Endace Flow logs From 2ccdfd8222d08f4647bd728162a64948605dbb14 Mon Sep 17 00:00:00 2001 From: James Garside Date: Tue, 2 Jul 2024 18:08:27 +0100 Subject: [PATCH 07/23] Extended test coverage --- .../_dev/test/pipeline/test-flow-events.json | 18 ++++++ .../test-flow-events.json-expected.json | 57 ++++++++++++------- 2 files changed, 56 insertions(+), 19 deletions(-) diff --git a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json index 6ff73b1c9f2..d7270a02237 100644 --- a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json +++ b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json @@ -221,6 +221,14 @@ ], "architecture": "x86_64" }, + "observer": { + "hostname": "webserver", + "mac": [ + "42-01-0A-64-00-1D" + ], + "ip": ["10.100.0.29", + "fe80::4001:aff:fe64:1d"] + }, "event": { "duration": 60223908451, "agent_id_status": "verified", @@ -242,6 +250,8 @@ "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDDLcuwE" }, "_conf": { + "map_to_ecs": true, + "geoip_enrich": true, "event": { "start": 1719827319, "end": 1719827380 @@ -377,6 +387,7 @@ "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDMLquwE" }, "_conf": { + "geoip_enrich": true, "event": { "start": 1719827320, "end": 1719827381 @@ -512,6 +523,7 @@ "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDJjauwE" }, "_conf": { + "geoip_enrich": true, "event": { "start": 1719827320, "end": 1719827381 @@ -629,6 +641,7 @@ "id": "EAT/////AP//////CP8AAAF/AAABfwAAAQi/hRo" }, "_conf": { + "geoip_enrich": true, "event": { "start": 1719827320, "end": 1719827385 @@ -764,6 +777,7 @@ "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDHiwuwE" }, "_conf": { + "geoip_enrich": true, "event": { "start": 1719827321, "end": 1719827381 
@@ -899,6 +913,7 @@ "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDGDeuwE" }, "_conf": { + "geoip_enrich": true, "event": { "start": 1719827321, "end": 1719827388 @@ -1034,6 +1049,7 @@ "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDLTBuwE" }, "_conf": { + "geoip_enrich": true, "event": { "start": 1719827321, "end": 1719827389 @@ -1151,6 +1167,7 @@ "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYcasJs" }, "_conf": { + "geoip_enrich": true, "event": { "start": 1719827322, "end": 1719827382 @@ -1268,6 +1285,7 @@ "id": "EAT/////AP//////CP8AAAEKZAAdqf6p/u65UAA" }, "_conf": { + "geoip_enrich": true, "event": { "start": 1719827322, "end": 1719827384 diff --git a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json index 3f6cd30e700..3fbaaae002f 100644 --- a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json +++ b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json @@ -129,8 +129,8 @@ "country_iso_code": "GB", "country_name": "United Kingdom", "location": { - "lon": -0.093, - "lat": 51.5088 + "lon": -0.0931, + "lat": 51.5142 }, "region_name": "England" }, @@ -151,7 +151,6 @@ "ip": "10.100.0.29", "packets": 10 }, - "type": "flow", "network": { "community_id": "1:TwdqE0w1aE72YUTaajguLj4qUns=", "bytes": 5891, @@ -212,6 +211,25 @@ ], "architecture": "x86_64" }, + "observer": { + "hostname": "webserver", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ] + }, + "related": { + "hosts": [ + "webserver" + ], + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ] + }, "event": { "duration": 60223908451, "agent_id_status": "verified", 
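Review bot: The new `related.ip` array in the expected document lists only the observer's own addresses (`10.100.0.29`, `fe80::4001:aff:fe64:1d`); the flow's peer address is absent even though the same document carries a `destination.geo` block for it, and `source.ip` is covered only because it happens to equal the observer IP. If `related.ip` is meant to drive IP pivots and detection rules, the pipeline should also append `source.ip` and `destination.ip` (with `allow_duplicates: false`), and this fixture would then contain the destination address too. The visible pipeline hunk only appends observer fields, so this may be handled elsewhere; worth confirming before the expected file is locked in.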
@@ -226,13 +244,14 @@ ], "type": [ "connection" - ], - "dataset": "endace.flow" + ] }, - "flow": { - "final": false, - "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDDLcuwE" - } + "network_traffic": { + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDDLcuwE" + } + } }, { "agent": { @@ -255,8 +274,8 @@ "country_iso_code": "GB", "country_name": "United Kingdom", "location": { - "lon": -0.093, - "lat": 51.5088 + "lon": -0.0931, + "lat": 51.5142 }, "region_name": "England" }, @@ -381,8 +400,8 @@ "country_iso_code": "GB", "country_name": "United Kingdom", "location": { - "lon": -0.093, - "lat": 51.5088 + "lon": -0.0931, + "lat": 51.5142 }, "region_name": "England" }, @@ -610,8 +629,8 @@ "country_iso_code": "GB", "country_name": "United Kingdom", "location": { - "lon": -0.093, - "lat": 51.5088 + "lon": -0.0931, + "lat": 51.5142 }, "region_name": "England" }, @@ -741,8 +760,8 @@ "country_iso_code": "GB", "country_name": "United Kingdom", "location": { - "lon": -0.093, - "lat": 51.5088 + "lon": -0.0931, + "lat": 51.5142 }, "region_name": "England" }, @@ -862,8 +881,8 @@ "country_iso_code": "GB", "country_name": "United Kingdom", "location": { - "lon": -0.093, - "lat": 51.5088 + "lon": -0.0931, + "lat": 51.5142 }, "region_name": "England" }, From 03697e045c6779c32bec40cb2f3dc5b63cf31f38 Mon Sep 17 00:00:00 2001 From: James Garside Date: Thu, 4 Jul 2024 11:22:01 +0100 Subject: [PATCH 08/23] Update changelog.yml --- packages/endace/changelog.yml | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/packages/endace/changelog.yml b/packages/endace/changelog.yml index fe168b1461e..0d753a1ea15 100644 --- a/packages/endace/changelog.yml +++ b/packages/endace/changelog.yml 
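Review bot: The expected output now drops `event.dataset` (the `"dataset": "endace.flow"` line is removed from `event` and only `type` remains) even though the input fixture sets it, so after ingest the field is absent on every flow. `data_stream.dataset` still identifies the stream, but Kibana views, ECS-based dashboards and detection rules commonly filter on `event.dataset`, so these documents would silently fall out of them. If the removal is a deliberate side effect of the ECS remap, re-set it in the pipeline with `set: { field: event.dataset, value: endace.flow }`; if not, the regenerated expected file is masking a regression.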
@@ -1,16 +1,6 @@ # newer versions go on top -- version: "0.0.4" - changes: - - description: Initial draft of the package - type: enhancement - link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link -- version: "0.0.3" - changes: - - description: Initial draft of the package - type: enhancement - link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link - version: "0.0.1" changes: - description: Initial draft of the package type: enhancement - link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link + link: https://github.com/elastic/integrations/pull/10308 From ec2ddea3d10f79f38a170147d9d15e49b1b83efe Mon Sep 17 00:00:00 2001 From: James Garside Date: Thu, 4 Jul 2024 11:22:26 +0100 Subject: [PATCH 09/23] Update changelog.yml --- packages/endace/changelog.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/endace/changelog.yml b/packages/endace/changelog.yml index 0d753a1ea15..fc8030cfebb 100644 --- a/packages/endace/changelog.yml +++ b/packages/endace/changelog.yml @@ -1,5 +1,5 @@ # newer versions go on top -- version: "0.0.1" +- version: "0.1.0" changes: - description: Initial draft of the package type: enhancement From e9452279e418d2e10ddd2d40797a33bdfd092fb1 Mon Sep 17 00:00:00 2001 From: James Garside Date: Thu, 4 Jul 2024 11:24:16 +0100 Subject: [PATCH 10/23] Update packages/endace/_dev/deploy/docker/docker-compose.yml Co-authored-by: Michael Wolf --- packages/endace/_dev/deploy/docker/docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/endace/_dev/deploy/docker/docker-compose.yml b/packages/endace/_dev/deploy/docker/docker-compose.yml index adbdde59baf..2bd8a11a137 100644 --- a/packages/endace/_dev/deploy/docker/docker-compose.yml +++ b/packages/endace/_dev/deploy/docker/docker-compose.yml 
@@ -7,7 +7,7 @@ services:
       - ${SERVICE_LOGS_DIR}:/pcaps
     command: /bin/sh -c "cp /sample_pcaps/* /pcaps/"
   netflow-log-netflow:
-    image: akroh/stream:v0.0.1
+    image: docker.elastic.co/observability/stream:v0.16.0
     volumes:
       - ./sample_logs:/sample_logs:ro
     command: pcap --start-signal=SIGHUP --delay=5s --addr elastic-agent:2055 -p=udp /sample_logs/ipfix_cisco.pcap

From 540056a5d16d104080c89c56377be11471b52eb3 Mon Sep 17 00:00:00 2001
From: James Garside
Date: Fri, 5 Jul 2024 18:05:25 +0100
Subject: [PATCH 11/23] Fixed proposed changes

---
 .../_dev/test/pipeline/test-flow-events.json  | 20 +++++++++----------
 .../test-flow-events.json-expected.json       | 20 +++++++++----------
 .../flow/agent/stream/flow.yml.hbs            |  3 +++
 .../elasticsearch/ingest_pipeline/endace.yml  |  9 +++++++++
 .../log/agent/stream/netflow.yml.hbs          |  4 +++-
 5 files changed, 35 insertions(+), 21 deletions(-)

diff --git a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json
index d7270a02237..5ec8072018d 100644
--- a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json
+++ b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json
@@ -36,7 +36,7 @@
             "cloud": {
                 "availability_zone": "europe-west2-c",
                 "instance": {
-                    "name": "jamesgarside-security-demo-websever",
+                    "name": "test-security-demo-websever",
                     "id": "5975790316485631173"
                 },
                 "provider": "gcp",
@@ -171,7 +171,7 @@
             "cloud": {
                 "availability_zone": "europe-west2-c",
                 "instance": {
-                    "name": "jamesgarside-security-demo-websever",
+                    "name": "test-security-demo-websever",
                     "id": "5975790316485631173"
                 },
                 "provider": "gcp",
@@ -316,7 +316,7 @@
             "cloud": {
                 "availability_zone": "europe-west2-c",
                 "instance": {
-                    "name": "jamesgarside-security-demo-websever",
+                    "name": "test-security-demo-websever",
                     "id": "5975790316485631173"
                 },
                 "provider": "gcp",
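Review bot: The replacement image is pinned only by the mutable tag `v0.16.0`; tags can be re-pushed, so a test run is not reproducible and a registry compromise would go unnoticed. Moving off the personal `akroh/` namespace onto the Elastic registry is the right direction, but if the system tests are meant to be deterministic the line should pin the digest as well, `image: docker.elastic.co/observability/stream:v0.16.0@sha256:<digest>`. The rest of the service definition is unchanged and starts before this hunk.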
@@ -452,7 +452,7 @@ "cloud": { "availability_zone": "europe-west2-c", "instance": { - "name": "jamesgarside-security-demo-websever", + "name": "test-security-demo-websever", "id": "5975790316485631173" }, "provider": "gcp", @@ -570,7 +570,7 @@ "cloud": { "availability_zone": "europe-west2-c", "instance": { - "name": "jamesgarside-security-demo-websever", + "name": "test-security-demo-websever", "id": "5975790316485631173" }, "provider": "gcp", @@ -706,7 +706,7 @@ "cloud": { "availability_zone": "europe-west2-c", "instance": { - "name": "jamesgarside-security-demo-websever", + "name": "test-security-demo-websever", "id": "5975790316485631173" }, "provider": "gcp", @@ -842,7 +842,7 @@ "cloud": { "availability_zone": "europe-west2-c", "instance": { - "name": "jamesgarside-security-demo-websever", + "name": "test-security-demo-websever", "id": "5975790316485631173" }, "provider": "gcp", @@ -978,7 +978,7 @@ "cloud": { "availability_zone": "europe-west2-c", "instance": { - "name": "jamesgarside-security-demo-websever", + "name": "test-security-demo-websever", "id": "5975790316485631173" }, "provider": "gcp", @@ -1096,7 +1096,7 @@ "cloud": { "availability_zone": "europe-west2-c", "instance": { - "name": "jamesgarside-security-demo-websever", + "name": "test-security-demo-websever", "id": "5975790316485631173" }, "provider": "gcp", @@ -1214,7 +1214,7 @@ "cloud": { "availability_zone": "europe-west2-c", "instance": { - "name": "jamesgarside-security-demo-websever", + "name": "test-security-demo-websever", "id": "5975790316485631173" }, "provider": "gcp", diff --git a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json index 3fbaaae002f..dd8b84dfb5a 100644 --- a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json +++ b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json 
@@ -36,7 +36,7 @@ "cloud": { "availability_zone": "europe-west2-c", "instance": { - "name": "jamesgarside-security-demo-websever", + "name": "test-security-demo-websever", "id": "5975790316485631173" }, "provider": "gcp", @@ -161,7 +161,7 @@ "cloud": { "availability_zone": "europe-west2-c", "instance": { - "name": "jamesgarside-security-demo-websever", + "name": "test-security-demo-websever", "id": "5975790316485631173" }, "provider": "gcp", @@ -307,7 +307,7 @@ "cloud": { "availability_zone": "europe-west2-c", "instance": { - "name": "jamesgarside-security-demo-websever", + "name": "test-security-demo-websever", "id": "5975790316485631173" }, "provider": "gcp", @@ -433,7 +433,7 @@ "cloud": { "availability_zone": "europe-west2-c", "instance": { - "name": "jamesgarside-security-demo-websever", + "name": "test-security-demo-websever", "id": "5975790316485631173" }, "provider": "gcp", @@ -541,7 +541,7 @@ "cloud": { "availability_zone": "europe-west2-c", "instance": { - "name": "jamesgarside-security-demo-websever", + "name": "test-security-demo-websever", "id": "5975790316485631173" }, "provider": "gcp", @@ -667,7 +667,7 @@ "cloud": { "availability_zone": "europe-west2-c", "instance": { - "name": "jamesgarside-security-demo-websever", + "name": "test-security-demo-websever", "id": "5975790316485631173" }, "provider": "gcp", @@ -793,7 +793,7 @@ "cloud": { "availability_zone": "europe-west2-c", "instance": { - "name": "jamesgarside-security-demo-websever", + "name": "test-security-demo-websever", "id": "5975790316485631173" }, "provider": "gcp", @@ -919,7 +919,7 @@ "cloud": { "availability_zone": "europe-west2-c", "instance": { - "name": "jamesgarside-security-demo-websever", + "name": "test-security-demo-websever", "id": "5975790316485631173" }, "provider": "gcp", 
@@ -1027,7 +1027,7 @@ "cloud": { "availability_zone": "europe-west2-c", "instance": { - "name": "jamesgarside-security-demo-websever", + "name": "test-security-demo-websever", "id": "5975790316485631173" }, "provider": "gcp", @@ -1135,7 +1135,7 @@ "cloud": { "availability_zone": "europe-west2-c", "instance": { - "name": "jamesgarside-security-demo-websever", + "name": "test-security-demo-websever", "id": "5975790316485631173" }, "provider": "gcp", diff --git a/packages/endace/data_stream/flow/agent/stream/flow.yml.hbs b/packages/endace/data_stream/flow/agent/stream/flow.yml.hbs index 58d32879557..b9d7f96042c 100644 --- a/packages/endace/data_stream/flow/agent/stream/flow.yml.hbs +++ b/packages/endace/data_stream/flow/agent/stream/flow.yml.hbs @@ -11,6 +11,9 @@ fields: geoip_enrich: {{geoip_enrich}} map_to_ecs: {{map_to_ecs}} endace_url: {{ endace_url }} + endace_datasources: {{ endace_datasources }} + endace_tools: {{ endace_tools }} + endace_lookback" {{ endace_lookback }} {{#if tags}} tags: {{#each tags as |tag|}} diff --git a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml index 5b2d4d1a287..0bdad9bf488 100644 --- a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml +++ b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml @@ -68,3 +68,12 @@ processors: ignore_empty_value: true tag: endace reference url if: ctx.destination?.ip != null && ctx.destination?.ip != '' && ctx.source?.ip != null && ctx.source?.ip != '' + +on_failure: + - append: + field: error.message + value: |- + Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" + - set: + field: event.kind + value: pipeline_error 
diff --git a/packages/endace/data_stream/log/agent/stream/netflow.yml.hbs b/packages/endace/data_stream/log/agent/stream/netflow.yml.hbs index cf0bb64390f..7bdd7a14314 100644 --- a/packages/endace/data_stream/log/agent/stream/netflow.yml.hbs +++ b/packages/endace/data_stream/log/agent/stream/netflow.yml.hbs @@ -36,7 +36,9 @@ processors: target: "_conf" fields: endace_url: {{ endace_url }} - test: "test" + endace_datasources: {{ endace_datasources }} + endace_tools: {{ endace_tools }} + endace_lookback" {{ endace_lookback }} {{#if processors}} {{processors}} {{/if}} From d5afd1ed0f9e3b2f571a5c797d89bfad5e4d8cf6 Mon Sep 17 00:00:00 2001 From: James Garside Date: Mon, 8 Jul 2024 19:20:23 +0100 Subject: [PATCH 12/23] Updated README --- packages/endace/_dev/build/docs/README.md | 40 ++++++------------- .../flow/agent/stream/flow.yml.hbs | 2 +- .../log/agent/stream/netflow.yml.hbs | 2 +- packages/endace/docs/README.md | 40 ++++++------------- packages/endace/manifest.yml | 2 +- 5 files changed, 29 insertions(+), 57 deletions(-) diff --git a/packages/endace/_dev/build/docs/README.md b/packages/endace/_dev/build/docs/README.md index 6bb259983a7..9a6460ee4b9 100644 --- a/packages/endace/_dev/build/docs/README.md +++ b/packages/endace/_dev/build/docs/README.md 
@@ -1,38 +1,24 @@ -# Network Packet Capture Integration +# Endace -This integration sniffs network packets on a host and dissects -known protocols. +Endace is a company known for its network recording, traffic capture, and analysis technology. Endace's solutions are often used for network security, performance monitoring, and troubleshooting. +This integration allows users to ingest Network flow data from either Endace Flow via syslog input or use Elastic Agent to generate and ship Network Flow data to an Elastic deployment. Both of these methods add the `event.reference` field to each event when ingested into Elasticsearch which is a URL used to pivot to Endace. -Monitoring your network traffic is critical to gaining observability and -securing your environment — ensuring high levels of performance and security. -The Network Packet Capture integration captures the network traffic between -your application servers, decodes common application layer protocols and -records the interesting fields for each transaction. -## Supported Protocols +## Integration Variables +#### `endace_url` +The base URL for Endace UI. Example: https://myvprobe.com -Currently, Network Packet Capture supports the following protocols: +#### `endace_datasources` +The datasource within Endace to pivot to. Example: tag:rotation-file -- ICMP (v4 and v6) -- DHCP (v4) -- DNS -- HTTP -- AMQP 0.9.1 -- Cassandra -- Mysql -- PostgreSQL -- Redis -- Thrift-RPC -- MongoDB -- Memcache -- NFS -- TLS -- SIP/SDP (beta) +#### `endace_tools` +The tools to use within the Endace Pivot. Example: trafficOverTime_by_app,conversations_by_ipaddress -### Common protocol options -The following options are available for all protocols: +#### `endace_lookback` +The lookback time in Minutes of how long to look back over ontop of the event start and finish time. +## Endace Flow #### `map_to_ecs` Remap any non-ECS Packetbeat fields in root to their correct ECS fields. 
diff --git a/packages/endace/data_stream/flow/agent/stream/flow.yml.hbs b/packages/endace/data_stream/flow/agent/stream/flow.yml.hbs
index b9d7f96042c..c7c3a8ce262 100644
--- a/packages/endace/data_stream/flow/agent/stream/flow.yml.hbs
+++ b/packages/endace/data_stream/flow/agent/stream/flow.yml.hbs
@@ -13,7 +13,7 @@ fields:
   endace_url: {{ endace_url }}
   endace_datasources: {{ endace_datasources }}
   endace_tools: {{ endace_tools }}
-  endace_lookback" {{ endace_lookback }}
+  endace_lookback": {{ endace_lookback }}
 {{#if tags}}
 tags:
 {{#each tags as |tag|}}
diff --git a/packages/endace/data_stream/log/agent/stream/netflow.yml.hbs b/packages/endace/data_stream/log/agent/stream/netflow.yml.hbs
index 7bdd7a14314..3bc89ceaa79 100644
--- a/packages/endace/data_stream/log/agent/stream/netflow.yml.hbs
+++ b/packages/endace/data_stream/log/agent/stream/netflow.yml.hbs
@@ -38,7 +38,7 @@ processors:
       endace_url: {{ endace_url }}
       endace_datasources: {{ endace_datasources }}
       endace_tools: {{ endace_tools }}
-      endace_lookback" {{ endace_lookback }}
+      endace_lookback": {{ endace_lookback }}
 {{#if processors}}
 {{processors}}
 {{/if}}
diff --git a/packages/endace/docs/README.md b/packages/endace/docs/README.md
index 1fb0ae4968b..99fdadc924c 100644
--- a/packages/endace/docs/README.md
+++ b/packages/endace/docs/README.md
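Review bot: The corrected line still carries a stray double quote: `endace_lookback": {{ endace_lookback }}` renders a YAML key literally named `endace_lookback"`, so the value is stored under `_conf.endace_lookback"` and `_conf.endace_lookback` — the name the pipeline fixtures use (`"endace_lookback": 10`) — stays unset, which would leave the computed pivot window without its lookback. The line should read `endace_lookback: {{ endace_lookback }}`, matching the three keys above it. The enclosing `fields:` map starts before this hunk.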
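Review bot: The same stray quote survives here: `endace_lookback": {{ endace_lookback }}` makes the add_fields processor emit a key named `endace_lookback"`, so the netflow stream never populates `_conf.endace_lookback`; it should be `endace_lookback: {{ endace_lookback }}`. Separately, all four `_conf` values are interpolated as bare YAML scalars, so a user-supplied `endace_url` or `endace_tools` containing `: ` or ` #` would break the rendered agent policy; quoting them (`endace_url: "{{ endace_url }}"`) is safer provided the package's other templates do not already escape these values — worth checking before changing. The `add_fields` processor this belongs to starts before the hunk.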
@@ -1,38 +1,24 @@ -# Network Packet Capture Integration +# Endace -This integration sniffs network packets on a host and dissects -known protocols. +Endace is a company known for its network recording, traffic capture, and analysis technology. Endace's solutions are often used for network security, performance monitoring, and troubleshooting. +This integration allows users to ingest Network flow data from either Endace Flow via syslog input or use Elastic Agent to generate and ship Network Flow data to an Elastic deployment. Both of these methods add the `event.reference` field to each event when ingested into Elasticsearch which is a URL used to pivot to Endace. -Monitoring your network traffic is critical to gaining observability and -securing your environment — ensuring high levels of performance and security. -The Network Packet Capture integration captures the network traffic between -your application servers, decodes common application layer protocols and -records the interesting fields for each transaction. -## Supported Protocols +## Integration Variables +#### `endace_url` +The base URL for Endace UI. Example: https://myvprobe.com -Currently, Network Packet Capture supports the following protocols: +#### `endace_datasources` +The datasource within Endace to pivot to. Example: tag:rotation-file -- ICMP (v4 and v6) -- DHCP (v4) -- DNS -- HTTP -- AMQP 0.9.1 -- Cassandra -- Mysql -- PostgreSQL -- Redis -- Thrift-RPC -- MongoDB -- Memcache -- NFS -- TLS -- SIP/SDP (beta) +#### `endace_tools` +The tools to use within the Endace Pivot. Example: trafficOverTime_by_app,conversations_by_ipaddress -### Common protocol options -The following options are available for all protocols: +#### `endace_lookback` +The lookback time in Minutes of how long to look back over ontop of the event start and finish time. +## Endace Flow #### `map_to_ecs` Remap any non-ECS Packetbeat fields in root to their correct ECS fields. 
diff --git a/packages/endace/manifest.yml b/packages/endace/manifest.yml
index d5cb0ab1372..962f805a7cc 100644
--- a/packages/endace/manifest.yml
+++ b/packages/endace/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: endace
 title: "Endace"
-version: 0.0.4
+version: 0.1.0
 source:
   license: "Elastic-2.0"
 description: "This Endace integration configures Network Packet Capture for flow generation and adds a pivot field to your Endace platform."

From 7d07ffbbee091708143ff1d2cf0c2be21a05839a Mon Sep 17 00:00:00 2001
From: James Garside
Date: Mon, 15 Jul 2024 17:04:42 +0100
Subject: [PATCH 13/23] Update packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml

Co-authored-by: Taylor Swanson <90622908+taylor-swanson@users.noreply.github.com>
---
 .../data_stream/flow/elasticsearch/ingest_pipeline/default.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml
index 164fa67df2e..228026d07bd 100644
--- a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml
@@ -33,7 +33,7 @@ processors:
   - append:
       field: related.hosts
       value: "{{{observer.hostname}}}"
-      if: ctx.observer?.hostname != null && ctx.observer?.hostname != ''
+      if: ctx.observer?.hostname != null && ctx.observer.hostname != ''
       allow_duplicates: false
   - foreach:
       if: ctx.observer?.ip != null && ctx.observer.ip instanceof List

From d4ab3f891fca4d73048f1e0fb1e15f0b4627a154 Mon Sep 17 00:00:00 2001
From: Roberto Cesar <37998637+rcesar999@users.noreply.github.com> Date: Mon, 22 Jul 2024 05:14:43 -0500 Subject: [PATCH 14/23] Able to create P2V when just one IP is present - Fixed start&end time (#10489) * Able to create P2V when just one IP is present - Fixed start&end time * ingest_pipeline/endace-netflow.yml changed to handle single IP events * updating expected.json after command elastic-package test pipeline --generate --- .../_dev/test/pipeline/test-flow-events.json | 1226 +++++++- .../test-flow-events.json-expected.json | 2685 ++++++++++++----- .../elasticsearch/ingest_pipeline/endace.yml | 63 +- .../pipeline/test-netflow-log-events.json | 6 +- ...test-netflow-log-events.json-expected.json | 22 +- .../ingest_pipeline/endace-netflow.yml | 62 +- 6 files changed, 3213 insertions(+), 851 deletions(-) diff --git a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json index 5ec8072018d..a50f34cefb3 100644 --- a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json +++ b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json @@ -226,8 +226,10 @@ "mac": [ "42-01-0A-64-00-1D" ], - "ip": ["10.100.0.29", - "fe80::4001:aff:fe64:1d"] + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ] }, "event": { "duration": 60223908451, 
@@ -1295,6 +1297,1226 @@ "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", "endace_lookback": 10 } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 6789, + "bytes": 1108, + "ip": "127.0.0.1", + "packets": 14 + }, + "type": "flow", + "network": { + "community_id": "1:RCi572y4gqQ+7LFlqkPsn1Xfa+0=", + "bytes": 2425, + "transport": "tcp", + "type": "ipv4", + "packets": 26 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 64831956254, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:39.852Z", + "action": "network_flow", + "end": "2024-07-01T10:49:44.684Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + 
"dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYUa4r4" + }, + "_conf": { + "event": { + "start": 1719827319, + "end": 1719827384 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 680, + "ip": "81.2.69.144", + "packets": 10 + }, + "type": "flow", + "network": { + "community_id": "1:TwdqE0w1aE72YUTaajguLj4qUns=", + "bytes": 5891, + "transport": "tcp", + "type": "ipv4", + "packets": 20 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "machine": { + "type": "t2d-standard-1" + }, + "service": { + "name": "GCE" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + 
"type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "observer": { + "hostname": "webserver", + "mac": [ + "42-01-0A-64-00-1D" + ], + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ] + }, + "event": { + "duration": 60223908451, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:39.852Z", + "action": "network_flow", + "end": "2024-07-01T10:49:40.076Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDDLcuwE" + }, + "_conf": { + "map_to_ecs": true, + "geoip_enrich": true, + "event": { + "start": 1719827319, + "end": 1719827380 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 9672, + "ip": "81.2.69.144", + "packets": 45 + }, + "type": "flow", + "network": { + "community_id": 
"1:vX6oXjJfSEwPiJ0pwvMzUK719S8=", + "bytes": 557311, + "transport": "tcp", + "type": "ipv4", + "packets": 111 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 60736169344, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:40.363Z", + "action": "network_flow", + "end": "2024-07-01T10:49:41.100Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDMLquwE" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827320, + "end": 1719827381 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + 
"version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 1954, + "ip": "81.2.69.144", + "packets": 6 + }, + "type": "flow", + "network": { + "community_id": "1:rkJGR0qjRmD5vrCpbbdAiOnhiQM=", + "bytes": 9729, + "transport": "tcp", + "type": "ipv4", + "packets": 13 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "machine": { + "type": "t2d-standard-1" + }, + "service": { + "name": "GCE" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 60735918914, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:40.364Z", + "action": "network_flow", + "end": "2024-07-01T10:49:41.100Z", + "category": [ + 
"network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDJjauwE" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827320, + "end": 1719827381 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 48904, + "bytes": 1479, + "ip": "127.0.0.1", + "packets": 12 + }, + "type": "flow", + "network": { + "community_id": "1:8z8pjOEt4+6YMtJjX7lUfpXgVgw=", + "bytes": 2655, + "transport": "tcp", + "type": "ipv4", + "packets": 27 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + 
"architecture": "x86_64" + }, + "event": { + "duration": 65343896149, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:40.364Z", + "action": "network_flow", + "end": "2024-07-01T10:49:45.708Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAQi/hRo" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827320, + "end": 1719827385 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 7821, + "ip": "81.2.69.144", + "packets": 30 + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "type": "flow", + "network": { + "community_id": "1:rDoUGTpaonfSKgfFy8xvyps5opI=", + "bytes": 340814, + "transport": "tcp", + "type": "ipv4", + "packets": 79 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": 
"elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 59712159075, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:41.388Z", + "action": "network_flow", + "end": "2024-07-01T10:49:41.100Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDHiwuwE" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827321, + "end": 1719827381 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "destination": { + "geo": { + "region_iso_code": "GB-ENG", + "continent_name": "Europe", + "city_name": "London", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lon": -0.093, + "lat": 51.5088 + }, + "region_name": "England" + }, + "as": { + "number": 396982, + "organization": { 
+ "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "port": 443, + "bytes": 5471, + "ip": "81.2.69.144", + "packets": 20 + }, + "type": "flow", + "network": { + "community_id": "1:JimQNreW+sYThnNGTVx+lyRdLbo=", + "bytes": 29368, + "transport": "tcp", + "type": "ipv4", + "packets": 41 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "containerized": false, + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 66879956683, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:41.388Z", + "action": "network_flow", + "end": "2024-07-01T10:49:48.268Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDGDeuwE" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827321, + "end": 1719827388 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { 
+ "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "type": "packetbeat", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 49588, + "bytes": 182639, + "ip": "10.100.0.29", + "packets": 82 + }, + "type": "flow", + "network": { + "community_id": "1:nQ4W/+0XInOvc8X+dZywhVnJMxg=", + "bytes": 195227, + "transport": "tcp", + "type": "ipv4", + "packets": 127 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "containerized": false, + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 67392032290, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:41.900Z", + "action": "network_flow", + "end": "2024-07-01T10:49:49.292Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDLTBuwE" + }, + 
"_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827321, + "end": 1719827389 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "source": { + "port": 39856, + "bytes": 2310, + "ip": "127.0.0.1", + "packets": 14 + }, + "type": "flow", + "network": { + "community_id": "1:VFRc3lML+k0fLfF36gdrSCu5udg=", + "bytes": 9143, + "transport": "tcp", + "type": "ipv4", + "packets": 21 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "type": "linux", + "family": "debian", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 59712056664, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": 
"2024-07-01T10:48:42.412Z", + "action": "network_flow", + "end": "2024-07-01T10:49:42.124Z", + "type": [ + "connection" + ], + "category": [ + "network" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYcasJs" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827322, + "end": 1719827382 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } + }, + { + "agent": { + "name": "webserver", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "type": "packetbeat", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "version": "8.9.1" + }, + "destination": { + "port": 80, + "bytes": 25278, + "ip": "169.254.169.254", + "packets": 5 + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "version": "8.9.1", + "snapshot": false + }, + "type": "flow", + "network": { + "community_id": "1:ZA5ezPNh0MumdIPxY03oJDcyLd8=", + "bytes": 25730, + "transport": "tcp", + "type": "ipv4", + "packets": 9 + }, + "cloud": { + "availability_zone": "europe-west2-c", + "instance": { + "name": "test-security-demo-websever", + "id": "5975790316485631173" + }, + "provider": "gcp", + "service": { + "name": "GCE" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "region": "europe-west2", + "account": { + "id": "elastic-sa" + } + }, + "@timestamp": "2024-07-01T10:49:50.000Z", + "ecs": { + "version": "8.11.0" + }, + "data_stream": { + "namespace": "webserver", + "type": "logs", + "dataset": "endace.flow" + }, + "host": { + "hostname": "webserver", + "os": { + "kernel": "5.10.0-27-cloud-amd64", + "codename": "bullseye", + "name": "Debian GNU/Linux", + "family": "debian", + "type": "linux", + "version": "11 (bullseye)", + "platform": "debian" + }, + "containerized": false, + "ip": [ + "10.100.0.29", + 
"fe80::4001:aff:fe64:1d" + ], + "name": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "mac": [ + "42-01-0A-64-00-1D" + ], + "architecture": "x86_64" + }, + "event": { + "duration": 61759622403, + "agent_id_status": "verified", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:42.924Z", + "action": "network_flow", + "end": "2024-07-01T10:49:44.684Z", + "category": [ + "network" + ], + "type": [ + "connection" + ], + "dataset": "endace.flow" + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdqf6p/u65UAA" + }, + "_conf": { + "geoip_enrich": true, + "event": { + "start": 1719827322, + "end": 1719827384 + }, + "endace_url": "https://test.test.local", + "endace_datasources": "tag:rotation-file", + "endace_tools": "trafficOverTime_by_app,conversations_by_ipaddress", + "endace_lookback": 10 + } } ] } \ No newline at end of file diff --git a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json index dd8b84dfb5a..40744a87df2 100644 --- a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json +++ b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json 
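Review bot: The `_conf.event.start`/`end` epochs on every added event sit exactly 3600 s behind the ISO `event.start`/`event.end` on the same event — e.g. `"start": 1719827319` next to `"start": "2024-07-01T10:48:39.852Z"`, which is 1719830919 — so if anything in the pipeline or the test harness reads `_conf.event.*`, these fixtures exercise an hour-shifted pivot window that the expected file would silently bless; whether that field is read is not visible in this hunk. The `_conf` blocks also disagree with each other: the second added event sets `map_to_ecs` and `geoip_enrich`, the later ones only `geoip_enrich`, and the first neither, so it is unclear which flag combinations the single-IP cases are meant to cover. I would regenerate the epochs from the ISO timestamps (`"start": 1719830919, "end": 1719830984` for the first added event) or drop `_conf.event` if it is unused, and give each single-IP case the same flag set. The source-only and destination-only shapes themselves (the `127.0.0.1:6789` source-only flow, the `169.254.169.254:80` destination-only flow) look like the right inputs for the change the commit describes.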
@@ -1,47 +1,22 @@ { "expected": [ { + "@timestamp": "2024-07-01T10:49:50.000Z", "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", "type": "packetbeat", "version": "8.9.1" }, - "destination": { - "port": 48866, - "bytes": 1317, - "ip": "127.0.0.1", - "packets": 12 - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "source": { - "port": 6789, - "bytes": 1108, - "ip": "127.0.0.1", - "packets": 14 - }, - "type": "flow", - "network": { - "community_id": "1:RCi572y4gqQ+7LFlqkPsn1Xfa+0=", - "bytes": 2425, - "transport": "tcp", - "type": "ipv4", - "packets": 26 - }, "cloud": { + "account": { + "id": "elastic-sa" + }, "availability_zone": "europe-west2-c", "instance": { - "name": "test-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" + "id": "5975790316485631173", + "name": "test-security-demo-websever" }, "machine": { "type": "t2d-standard-1" 
@@ -49,167 +24,208 @@ "project": { "id": "elastic-sa" }, + "provider": "gcp", "region": "europe-west2", - "account": { - "id": "elastic-sa" + "service": { + "name": "GCE" } }, - "@timestamp": "2024-07-01T10:49:50.000Z", - "ecs": { - "version": "8.11.0" - }, "data_stream": { + "dataset": "endace.flow", "namespace": "webserver", - "type": "logs", - "dataset": "endace.flow" + "type": "logs" }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "family": "debian", - "type": "linux", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" + "destination": { + "bytes": 1317, + "ip": "127.0.0.1", + "packets": 12, + "port": 48866 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" }, "event": { - "duration": 64831956254, - "agent_id_status": "verified", - "ingested": "2024-07-01T10:49:51Z", - "kind": "event", - "start": "2024-07-01T10:48:39.852Z", "action": "network_flow", - "end": "2024-07-01T10:49:44.684Z", - "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830919852&end=1719830384684&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=127.0.0.1%26127.0.0.1", + "agent_id_status": "verified", "category": [ "network" ], + "dataset": "endace.flow", + "duration": 64831956254, + "end": "2024-07-01T10:49:44.684Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": 
"https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830619852&end=1719831284684&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=127.0.0.1%26127.0.0.1", + "start": "2024-07-01T10:48:39.852Z", "type": [ "connection" - ], - "dataset": "endace.flow" + ] }, "flow": { "final": false, "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYUa4r4" - } + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 2425, + "community_id": "1:RCi572y4gqQ+7LFlqkPsn1Xfa+0=", + "packets": 26, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 1108, + "ip": "127.0.0.1", + "packets": 14, + "port": 6789 + }, + "type": "flow" }, { + "@timestamp": "2024-07-01T10:49:50.000Z", "agent": { - "name": "webserver", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", "type": "packetbeat", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "destination": { - "geo": { - "region_iso_code": "GB-ENG", - "continent_name": "Europe", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lon": -0.0931, - "lat": 51.5142 - }, - "region_name": "England" - }, - "as": { - "number": 396982, - "organization": { - "name": "GOOGLE-CLOUD-PLATFORM" - } - }, - "port": 443, - "bytes": 680, - "ip": "81.2.69.144", - "packets": 10 - }, - "source": 
{ - "port": 56370, - "bytes": 5211, - "ip": "10.100.0.29", - "packets": 10 - }, - "network": { - "community_id": "1:TwdqE0w1aE72YUTaajguLj4qUns=", - "bytes": 5891, - "transport": "tcp", - "type": "ipv4", - "packets": 20 - }, "cloud": { + "account": { + "id": "elastic-sa" + }, "availability_zone": "europe-west2-c", "instance": { - "name": "test-security-demo-websever", - "id": "5975790316485631173" + "id": "5975790316485631173", + "name": "test-security-demo-websever" }, - "provider": "gcp", "machine": { "type": "t2d-standard-1" }, - "service": { - "name": "GCE" - }, "project": { "id": "elastic-sa" }, + "provider": "gcp", "region": "europe-west2", - "account": { - "id": "elastic-sa" + "service": { + "name": "GCE" } }, - "@timestamp": "2024-07-01T10:49:50.000Z", + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "bytes": 680, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 10, + "port": 443 + }, "ecs": { "version": "8.11.0" }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "endace.flow" + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "duration": 60223908451, + "end": "2024-07-01T10:49:40.076Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": 
"https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830619852&end=1719831280076&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", + "start": "2024-07-01T10:48:39.852Z", + "type": [ + "connection" + ] }, "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "family": "debian", - "type": "linux", - "version": "11 (bullseye)", - "platform": "debian" - }, + "architecture": "x86_64", "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", "ip": [ "10.100.0.29", "fe80::4001:aff:fe64:1d" ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", "mac": [ "42-01-0A-64-00-1D" ], - "architecture": "x86_64" + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 5891, + "community_id": "1:TwdqE0w1aE72YUTaajguLj4qUns=", + "packets": 20, + "transport": "tcp", + "type": "ipv4" + }, + "network_traffic": { + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDDLcuwE" + } }, "observer": { "hostname": "webserver", @@ -222,7 +238,7 @@ ] }, "related": { - "hosts": [ + "hosts": [ "webserver" ], "ip": [ 
@@ -230,89 +246,30 @@ "fe80::4001:aff:fe64:1d" ] }, - "event": { - "duration": 60223908451, - "agent_id_status": "verified", - "ingested": "2024-07-01T10:49:51Z", - "kind": "event", - "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830919852&end=1719830380076&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", - "start": "2024-07-01T10:48:39.852Z", - "action": "network_flow", - "end": "2024-07-01T10:49:40.076Z", - "category": [ - "network" - ], - "type": [ - "connection" - ] - }, - "network_traffic": { - "flow": { - "final": false, - "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDDLcuwE" - } - } - }, + "source": { + "bytes": 5211, + "ip": "10.100.0.29", + "packets": 10, + "port": 56370 + } + }, { + "@timestamp": "2024-07-01T10:49:50.000Z", "agent": { - "name": "webserver", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", "type": "packetbeat", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "destination": { - "geo": { - "region_iso_code": "GB-ENG", - "continent_name": "Europe", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lon": -0.0931, - "lat": 51.5142 - }, - "region_name": "England" - }, - "as": { - "number": 396982, - "organization": { - "name": "GOOGLE-CLOUD-PLATFORM" - } - }, - "port": 443, - "bytes": 9672, - "ip": "81.2.69.144", - "packets": 45 - }, - "source": { - "port": 60098, - "bytes": 547639, - "ip": "10.100.0.29", - "packets": 66 - }, - "type": "flow", - "network": { - "community_id": "1:vX6oXjJfSEwPiJ0pwvMzUK719S8=", - "bytes": 557311, - "transport": "tcp", - "type": "ipv4", - "packets": 111 - }, "cloud": { + "account": { + "id": "elastic-sa" + }, 
"availability_zone": "europe-west2-c", "instance": { - "name": "test-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" + "id": "5975790316485631173", + "name": "test-security-demo-websever" }, "machine": { "type": "t2d-standard-1" 
@@ -320,233 +277,251 @@ "project": { "id": "elastic-sa" }, + "provider": "gcp", "region": "europe-west2", - "account": { - "id": "elastic-sa" + "service": { + "name": "GCE" } }, - "@timestamp": "2024-07-01T10:49:50.000Z", - "ecs": { - "version": "8.11.0" - }, "data_stream": { + "dataset": "endace.flow", "namespace": "webserver", - "type": "logs", - "dataset": "endace.flow" + "type": "logs" }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "11 (bullseye)", - "platform": "debian" + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" + "bytes": 9672, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 45, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" }, "event": { - "duration": 60736169344, - "agent_id_status": "verified", - "ingested": "2024-07-01T10:49:51Z", - "kind": "event", - "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830920363&end=1719830381100&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", - "start": "2024-07-01T10:48:40.363Z", "action": "network_flow", - "end": "2024-07-01T10:49:41.100Z", + "agent_id_status": "verified", "category": [ "network" ], + "dataset": "endace.flow", + 
"duration": 60736169344, + "end": "2024-07-01T10:49:41.100Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830620363&end=1719831281100&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", + "start": "2024-07-01T10:48:40.363Z", "type": [ "connection" - ], - "dataset": "endace.flow" + ] }, "flow": { "final": false, "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDMLquwE" - } - }, - { - "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "type": "packetbeat", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", - "version": "8.9.1" }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } }, - "destination": { - "geo": { - "region_iso_code": "GB-ENG", - "continent_name": "Europe", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lon": -0.0931, - "lat": 51.5142 - }, - "region_name": "England" - }, - "as": { - "number": 396982, - "organization": { - "name": "GOOGLE-CLOUD-PLATFORM" - } - }, - "port": 443, - "bytes": 1954, - "ip": "81.2.69.144", - "packets": 6 + "network": { + "bytes": 557311, + "community_id": "1:vX6oXjJfSEwPiJ0pwvMzUK719S8=", + "packets": 111, + "transport": "tcp", + "type": "ipv4" }, "source": { - "port": 55960, - "bytes": 7775, + "bytes": 547639, "ip": "10.100.0.29", - "packets": 7 + 
"packets": 66, + "port": 60098 }, - "type": "flow", - "network": { - "community_id": "1:rkJGR0qjRmD5vrCpbbdAiOnhiQM=", - "bytes": 9729, - "transport": "tcp", - "type": "ipv4", - "packets": 13 + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" }, "cloud": { + "account": { + "id": "elastic-sa" + }, "availability_zone": "europe-west2-c", "instance": { - "name": "test-security-demo-websever", - "id": "5975790316485631173" + "id": "5975790316485631173", + "name": "test-security-demo-websever" }, - "provider": "gcp", "machine": { "type": "t2d-standard-1" }, - "service": { - "name": "GCE" - }, "project": { "id": "elastic-sa" }, + "provider": "gcp", "region": "europe-west2", - "account": { - "id": "elastic-sa" + "service": { + "name": "GCE" } }, - "@timestamp": "2024-07-01T10:49:50.000Z", - "ecs": { - "version": "8.11.0" - }, "data_stream": { + "dataset": "endace.flow", "namespace": "webserver", - "type": "logs", - "dataset": "endace.flow" + "type": "logs" }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "family": "debian", - "type": "linux", - "version": "11 (bullseye)", - "platform": "debian" + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" + "bytes": 1954, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + 
}, + "ip": "81.2.69.144", + "packets": 6, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" }, "event": { - "duration": 60735918914, - "agent_id_status": "verified", - "ingested": "2024-07-01T10:49:51Z", - "kind": "event", - "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830920364&end=1719830381100&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", - "start": "2024-07-01T10:48:40.364Z", "action": "network_flow", - "end": "2024-07-01T10:49:41.100Z", + "agent_id_status": "verified", "category": [ "network" ], + "dataset": "endace.flow", + "duration": 60735918914, + "end": "2024-07-01T10:49:41.100Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830620364&end=1719831281100&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", + "start": "2024-07-01T10:48:40.364Z", "type": [ "connection" - ], - "dataset": "endace.flow" + ] }, "flow": { "final": false, "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDJjauwE" - } + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 9729, + "community_id": "1:rkJGR0qjRmD5vrCpbbdAiOnhiQM=", + "packets": 13, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 7775, + "ip": "10.100.0.29", + "packets": 
7, + "port": 55960 + }, + "type": "flow" }, { + "@timestamp": "2024-07-01T10:49:50.000Z", "agent": { - "name": "webserver", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", "type": "packetbeat", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, - "destination": { - "port": 6789, - "bytes": 1176, - "ip": "127.0.0.1", - "packets": 15 - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "source": { - "port": 48904, - "bytes": 1479, - "ip": "127.0.0.1", - "packets": 12 - }, - "type": "flow", - "network": { - "community_id": "1:8z8pjOEt4+6YMtJjX7lUfpXgVgw=", - "bytes": 2655, - "transport": "tcp", - "type": "ipv4", - "packets": 27 - }, "cloud": { + "account": { + "id": "elastic-sa" + }, "availability_zone": "europe-west2-c", "instance": { - "name": "test-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" + "id": "5975790316485631173", + "name": "test-security-demo-websever" }, "machine": { "type": "t2d-standard-1" 
@@ -554,125 +529,233 @@ "project": { "id": "elastic-sa" }, + "provider": "gcp", "region": "europe-west2", - "account": { - "id": "elastic-sa" + "service": { + "name": "GCE" } }, - "@timestamp": "2024-07-01T10:49:50.000Z", - "ecs": { - "version": "8.11.0" - }, "data_stream": { + "dataset": "endace.flow", "namespace": "webserver", - "type": "logs", - "dataset": "endace.flow" + "type": "logs" }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "family": "debian", - "type": "linux", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" + "destination": { + "bytes": 1176, + "ip": "127.0.0.1", + "packets": 15, + "port": 6789 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" }, "event": { - "duration": 65343896149, - "agent_id_status": "verified", - "ingested": "2024-07-01T10:49:51Z", - "kind": "event", - "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830920364&end=1719830385708&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=127.0.0.1%26127.0.0.1", - "start": "2024-07-01T10:48:40.364Z", "action": "network_flow", - "end": "2024-07-01T10:49:45.708Z", + "agent_id_status": "verified", "category": [ "network" ], + "dataset": "endace.flow", + "duration": 65343896149, + "end": "2024-07-01T10:49:45.708Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": 
"https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830620364&end=1719831285708&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=127.0.0.1%26127.0.0.1", + "start": "2024-07-01T10:48:40.364Z", "type": [ "connection" - ], - "dataset": "endace.flow" + ] }, "flow": { "final": false, "id": "EAT/////AP//////CP8AAAF/AAABfwAAAQi/hRo" - } + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 2655, + "community_id": "1:8z8pjOEt4+6YMtJjX7lUfpXgVgw=", + "packets": 27, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 1479, + "ip": "127.0.0.1", + "packets": 12, + "port": 48904 + }, + "type": "flow" }, { + "@timestamp": "2024-07-01T10:49:50.000Z", "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", "type": "packetbeat", "version": "8.9.1" }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + 
"bytes": 7821, "geo": { - "region_iso_code": "GB-ENG", - "continent_name": "Europe", "city_name": "London", + "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", "location": { - "lon": -0.0931, - "lat": 51.5142 + "lat": 51.5142, + "lon": -0.0931 }, + "region_iso_code": "GB-ENG", "region_name": "England" }, - "as": { - "number": 396982, - "organization": { - "name": "GOOGLE-CLOUD-PLATFORM" - } - }, - "port": 443, - "bytes": 7821, "ip": "81.2.69.144", - "packets": 30 + "packets": 30, + "port": 443 + }, + "ecs": { + "version": "8.11.0" }, "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false + "snapshot": false, + "version": "8.9.1" }, - "source": { - "port": 45176, - "bytes": 332993, - "ip": "10.100.0.29", - "packets": 49 + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 59712159075, + "end": "2024-07-01T10:49:41.100Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830621388&end=1719831281100&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", + "start": "2024-07-01T10:48:41.388Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDHiwuwE" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } }, - "type": "flow", "network": { - "community_id": 
"1:rDoUGTpaonfSKgfFy8xvyps5opI=", "bytes": 340814, + "community_id": "1:rDoUGTpaonfSKgfFy8xvyps5opI=", + "packets": 79, "transport": "tcp", - "type": "ipv4", - "packets": 79 + "type": "ipv4" + }, + "source": { + "bytes": 332993, + "ip": "10.100.0.29", + "packets": 49, + "port": 45176 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" }, "cloud": { + "account": { + "id": "elastic-sa" + }, "availability_zone": "europe-west2-c", "instance": { - "name": "test-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" + "id": "5975790316485631173", + "name": "test-security-demo-websever" }, "machine": { "type": "t2d-standard-1" 
@@ -680,125 +763,1045 @@ "project": { "id": "elastic-sa" }, + "provider": "gcp", "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "bytes": 5471, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 20, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 66879956683, + "end": "2024-07-01T10:49:48.268Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830621388&end=1719831288268&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", + "start": "2024-07-01T10:48:41.388Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDGDeuwE" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 29368, + 
"community_id": "1:JimQNreW+sYThnNGTVx+lyRdLbo=", + "packets": 41, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 23897, + "ip": "10.100.0.29", + "packets": 21, + "port": 56928 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "bytes": 12588, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 45, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 67392032290, + "end": "2024-07-01T10:49:49.292Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": 
"https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830621900&end=1719831289292&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", + "start": "2024-07-01T10:48:41.900Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDLTBuwE" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 195227, + "community_id": "1:nQ4W/+0XInOvc8X+dZywhVnJMxg=", + "packets": 127, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 182639, + "ip": "10.100.0.29", + "packets": 82, + "port": 49588 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "bytes": 6833, + "ip": "127.0.0.1", + "packets": 7, + "port": 6791 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": 
"322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 59712056664, + "end": "2024-07-01T10:49:42.124Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830622412&end=1719831282124&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=127.0.0.1%26127.0.0.1", + "start": "2024-07-01T10:48:42.412Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYcasJs" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 9143, + "community_id": "1:VFRc3lML+k0fLfF36gdrSCu5udg=", + "packets": 21, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 2310, + "ip": "127.0.0.1", + "packets": 14, + "port": 39856 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", 
+ "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "bytes": 25278, + "ip": "169.254.169.254", + "packets": 5, + "port": 80 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 61759622403, + "end": "2024-07-01T10:49:44.684Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830622924&end=1719831284684&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%26169.254.169.254", + "start": "2024-07-01T10:48:42.924Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdqf6p/u65UAA" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 25730, + "community_id": "1:ZA5ezPNh0MumdIPxY03oJDcyLd8=", + "packets": 9, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 452, + "ip": "10.100.0.29", + "packets": 4, + "port": 47598 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + 
"type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 64831956254, + "end": "2024-07-01T10:49:44.684Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:39.852Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYUa4r4" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 2425, + "community_id": "1:RCi572y4gqQ+7LFlqkPsn1Xfa+0=", + "packets": 26, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 1108, + "ip": "127.0.0.1", + "packets": 14, + "port": 6789 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": 
"packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "bytes": 680, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 10, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "duration": 60223908451, + "end": "2024-07-01T10:49:40.076Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:39.852Z", + "type": [ + "connection" + ] + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 5891, + "community_id": "1:TwdqE0w1aE72YUTaajguLj4qUns=", + "packets": 20, + "transport": "tcp", + "type": "ipv4" + 
}, + "network_traffic": { + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDDLcuwE" + } + }, + "observer": { + "hostname": "webserver", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ] + }, + "related": { + "hosts": [ + "webserver" + ], + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ] + } + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { "account": { "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" } }, - "@timestamp": "2024-07-01T10:49:50.000Z", + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "bytes": 9672, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 45, + "port": 443 + }, "ecs": { "version": "8.11.0" }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "endace.flow" + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" + }, + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 60736169344, + "end": "2024-07-01T10:49:41.100Z", + "ingested": 
"2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:40.363Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDMLquwE" }, "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "family": "debian", - "type": "linux", - "version": "11 (bullseye)", - "platform": "debian" - }, + "architecture": "x86_64", "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", "ip": [ "10.100.0.29", "fe80::4001:aff:fe64:1d" ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", "mac": [ "42-01-0A-64-00-1D" ], - "architecture": "x86_64" + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 557311, + "community_id": "1:vX6oXjJfSEwPiJ0pwvMzUK719S8=", + "packets": 111, + "transport": "tcp", + "type": "ipv4" + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" + }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "bytes": 1954, + "geo": { + "city_name": 
"London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 6, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" }, "event": { - "duration": 59712159075, - "agent_id_status": "verified", - "ingested": "2024-07-01T10:49:51Z", - "kind": "event", - "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830921388&end=1719830381100&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", - "start": "2024-07-01T10:48:41.388Z", "action": "network_flow", - "end": "2024-07-01T10:49:41.100Z", + "agent_id_status": "verified", "category": [ "network" ], + "dataset": "endace.flow", + "duration": 60735918914, + "end": "2024-07-01T10:49:41.100Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:40.364Z", "type": [ "connection" - ], - "dataset": "endace.flow" + ] }, "flow": { "final": false, - "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDHiwuwE" - } + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDJjauwE" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 9729, + "community_id": "1:rkJGR0qjRmD5vrCpbbdAiOnhiQM=", + "packets": 13, + "transport": "tcp", + "type": "ipv4" + }, + "type": "flow" }, { + "@timestamp": 
"2024-07-01T10:49:50.000Z", "agent": { - "name": "webserver", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", "type": "packetbeat", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false + "snapshot": false, + "version": "8.9.1" }, - "destination": { - "geo": { - "region_iso_code": "GB-ENG", - "continent_name": "Europe", - "city_name": "London", - "country_iso_code": "GB", - "country_name": "United Kingdom", - "location": { - "lon": -0.0931, - "lat": 51.5142 - }, - "region_name": "England" - }, - "as": { - "number": 396982, - "organization": { - "name": "GOOGLE-CLOUD-PLATFORM" - } - }, - "port": 443, - "bytes": 5471, - "ip": "81.2.69.144", - "packets": 20 + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 65343896149, + "end": "2024-07-01T10:49:45.708Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:40.364Z", + "type": [ + "connection" + ] }, - "source": { - "port": 56928, - "bytes": 23897, - "ip": "10.100.0.29", - "packets": 21 + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAF/AAABfwAAAQi/hRo" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": 
"28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } }, - "type": "flow", "network": { - "community_id": "1:JimQNreW+sYThnNGTVx+lyRdLbo=", - "bytes": 29368, + "bytes": 2655, + "community_id": "1:8z8pjOEt4+6YMtJjX7lUfpXgVgw=", + "packets": 27, "transport": "tcp", - "type": "ipv4", - "packets": 41 + "type": "ipv4" + }, + "source": { + "bytes": 1479, + "ip": "127.0.0.1", + "packets": 12, + "port": 48904 + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" }, "cloud": { + "account": { + "id": "elastic-sa" + }, "availability_zone": "europe-west2-c", "instance": { - "name": "test-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" + "id": "5975790316485631173", + "name": "test-security-demo-websever" }, "machine": { "type": "t2d-standard-1" 
@@ -806,125 +1809,237 @@ "project": { "id": "elastic-sa" }, + "provider": "gcp", "region": "europe-west2", - "account": { - "id": "elastic-sa" + "service": { + "name": "GCE" } }, - "@timestamp": "2024-07-01T10:49:50.000Z", - "ecs": { - "version": "8.11.0" - }, "data_stream": { + "dataset": "endace.flow", "namespace": "webserver", - "type": "logs", - "dataset": "endace.flow" + "type": "logs" }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "family": "debian", - "type": "linux", - "version": "11 (bullseye)", - "platform": "debian" + "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } }, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "containerized": false, - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" + "bytes": 7821, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "packets": 30, + "port": 443 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" }, "event": { - "duration": 66879956683, - "agent_id_status": "verified", - "ingested": "2024-07-01T10:49:51Z", - "kind": "event", - "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830921388&end=1719830388268&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", - "start": "2024-07-01T10:48:41.388Z", "action": "network_flow", - "end": "2024-07-01T10:49:48.268Z", + "agent_id_status": "verified", "category": [ "network" ], + "dataset": "endace.flow", 
+ "duration": 59712159075, + "end": "2024-07-01T10:49:41.100Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:41.388Z", "type": [ "connection" - ], - "dataset": "endace.flow" + ] }, "flow": { "final": false, - "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDGDeuwE" - } + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDHiwuwE" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 340814, + "community_id": "1:rDoUGTpaonfSKgfFy8xvyps5opI=", + "packets": 79, + "transport": "tcp", + "type": "ipv4" + }, + "type": "flow" }, { + "@timestamp": "2024-07-01T10:49:50.000Z", "agent": { - "name": "webserver", - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", "type": "packetbeat", "version": "8.9.1" }, + "cloud": { + "account": { + "id": "elastic-sa" + }, + "availability_zone": "europe-west2-c", + "instance": { + "id": "5975790316485631173", + "name": "test-security-demo-websever" + }, + "machine": { + "type": "t2d-standard-1" + }, + "project": { + "id": "elastic-sa" + }, + "provider": "gcp", + "region": "europe-west2", + "service": { + "name": "GCE" + } + }, + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, "destination": { + "as": { + "number": 396982, + "organization": { + "name": "GOOGLE-CLOUD-PLATFORM" + } + }, + "bytes": 5471, "geo": { - "region_iso_code": "GB-ENG", - "continent_name": "Europe", "city_name": "London", + "continent_name": "Europe", 
"country_iso_code": "GB", "country_name": "United Kingdom", "location": { - "lon": -0.0931, - "lat": 51.5142 + "lat": 51.5142, + "lon": -0.0931 }, + "region_iso_code": "GB-ENG", "region_name": "England" }, - "as": { - "number": 396982, - "organization": { - "name": "GOOGLE-CLOUD-PLATFORM" - } - }, - "port": 443, - "bytes": 12588, "ip": "81.2.69.144", - "packets": 45 + "packets": 20, + "port": 443 + }, + "ecs": { + "version": "8.11.0" }, "elastic_agent": { "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false + "snapshot": false, + "version": "8.9.1" }, - "source": { - "port": 49588, - "bytes": 182639, - "ip": "10.100.0.29", - "packets": 82 + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 66879956683, + "end": "2024-07-01T10:49:48.268Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:41.388Z", + "type": [ + "connection" + ] + }, + "flow": { + "final": false, + "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDGDeuwE" + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } }, - "type": "flow", "network": { - "community_id": "1:nQ4W/+0XInOvc8X+dZywhVnJMxg=", - "bytes": 195227, + "bytes": 29368, + "community_id": "1:JimQNreW+sYThnNGTVx+lyRdLbo=", + "packets": 41, "transport": "tcp", - "type": "ipv4", - "packets": 127 + "type": "ipv4" + }, + "type": "flow" + }, + { + "@timestamp": "2024-07-01T10:49:50.000Z", + "agent": { + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", + "id": 
"322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", + "type": "packetbeat", + "version": "8.9.1" }, "cloud": { + "account": { + "id": "elastic-sa" + }, "availability_zone": "europe-west2-c", "instance": { - "name": "test-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" + "id": "5975790316485631173", + "name": "test-security-demo-websever" }, "machine": { "type": "t2d-standard-1" 
@@ -932,107 +2047,100 @@ "project": { "id": "elastic-sa" }, + "provider": "gcp", "region": "europe-west2", - "account": { - "id": "elastic-sa" + "service": { + "name": "GCE" } }, - "@timestamp": "2024-07-01T10:49:50.000Z", + "data_stream": { + "dataset": "endace.flow", + "namespace": "webserver", + "type": "logs" + }, "ecs": { "version": "8.11.0" }, - "data_stream": { - "namespace": "webserver", - "type": "logs", - "dataset": "endace.flow" + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "11 (bullseye)", - "platform": "debian" - }, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "containerized": false, - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" + "event": { + "action": "network_flow", + "agent_id_status": "verified", + "category": [ + "network" ], - "architecture": "x86_64" - }, - "event": { + "dataset": "endace.flow", "duration": 67392032290, - "agent_id_status": "verified", + "end": "2024-07-01T10:49:49.292Z", "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830921900&end=1719830389292&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%2681.2.69.144", "start": "2024-07-01T10:48:41.900Z", - "action": "network_flow", - "end": "2024-07-01T10:49:49.292Z", - "category": [ - "network" - ], "type": [ "connection" - ], - "dataset": "endace.flow" + ] }, "flow": { "final": false, "id": "EAT/////AP//////CP8AAAEKZAAdIlkMDLTBuwE" - } + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + 
"fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 195227, + "community_id": "1:nQ4W/+0XInOvc8X+dZywhVnJMxg=", + "packets": 127, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 182639, + "ip": "10.100.0.29", + "packets": 82, + "port": 49588 + }, + "type": "flow" }, { + "@timestamp": "2024-07-01T10:49:50.000Z", "agent": { - "name": "webserver", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", "type": "packetbeat", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, - "destination": { - "port": 6791, - "bytes": 6833, - "ip": "127.0.0.1", - "packets": 7 - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "source": { - "port": 39856, - "bytes": 2310, - "ip": "127.0.0.1", - "packets": 14 - }, - "type": "flow", - "network": { - "community_id": "1:VFRc3lML+k0fLfF36gdrSCu5udg=", - "bytes": 9143, - "transport": "tcp", - "type": "ipv4", - "packets": 21 - }, "cloud": { + "account": { + "id": "elastic-sa" + }, "availability_zone": "europe-west2-c", "instance": { - "name": "test-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" + "id": "5975790316485631173", + "name": "test-security-demo-websever" }, "machine": { "type": "t2d-standard-1" 
@@ -1040,107 +2148,100 @@ "project": { "id": "elastic-sa" }, + "provider": "gcp", "region": "europe-west2", - "account": { - "id": "elastic-sa" + "service": { + "name": "GCE" } }, - "@timestamp": "2024-07-01T10:49:50.000Z", - "ecs": { - "version": "8.11.0" - }, "data_stream": { + "dataset": "endace.flow", "namespace": "webserver", - "type": "logs", - "dataset": "endace.flow" + "type": "logs" }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "type": "linux", - "family": "debian", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" }, "event": { - "duration": 59712056664, + "action": "network_flow", "agent_id_status": "verified", + "category": [ + "network" + ], + "dataset": "endace.flow", + "duration": 59712056664, + "end": "2024-07-01T10:49:42.124Z", "ingested": "2024-07-01T10:49:51Z", "kind": "event", - "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830922412&end=1719830382124&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=127.0.0.1%26127.0.0.1", "start": "2024-07-01T10:48:42.412Z", - "action": "network_flow", - "end": "2024-07-01T10:49:42.124Z", "type": [ "connection" - ], - "category": [ - "network" - ], - "dataset": "endace.flow" + ] }, "flow": { "final": false, "id": "EAT/////AP//////CP8AAAF/AAABfwAAAYcasJs" - } + }, + "host": { + "architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], 
+ "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 9143, + "community_id": "1:VFRc3lML+k0fLfF36gdrSCu5udg=", + "packets": 21, + "transport": "tcp", + "type": "ipv4" + }, + "source": { + "bytes": 2310, + "ip": "127.0.0.1", + "packets": 14, + "port": 39856 + }, + "type": "flow" }, { + "@timestamp": "2024-07-01T10:49:50.000Z", "agent": { - "name": "webserver", + "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "name": "webserver", "type": "packetbeat", - "ephemeral_id": "20132874-04f9-4a32-8b53-050f938d1f31", "version": "8.9.1" }, - "destination": { - "port": 80, - "bytes": 25278, - "ip": "169.254.169.254", - "packets": 5 - }, - "elastic_agent": { - "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", - "version": "8.9.1", - "snapshot": false - }, - "source": { - "port": 47598, - "bytes": 452, - "ip": "10.100.0.29", - "packets": 4 - }, - "type": "flow", - "network": { - "community_id": "1:ZA5ezPNh0MumdIPxY03oJDcyLd8=", - "bytes": 25730, - "transport": "tcp", - "type": "ipv4", - "packets": 9 - }, "cloud": { + "account": { + "id": "elastic-sa" + }, "availability_zone": "europe-west2-c", "instance": { - "name": "test-security-demo-websever", - "id": "5975790316485631173" - }, - "provider": "gcp", - "service": { - "name": "GCE" + "id": "5975790316485631173", + "name": "test-security-demo-websever" }, "machine": { "type": "t2d-standard-1" 
@@ -1148,64 +2249,82 @@ "project": { "id": "elastic-sa" }, + "provider": "gcp", "region": "europe-west2", - "account": { - "id": "elastic-sa" + "service": { + "name": "GCE" } }, - "@timestamp": "2024-07-01T10:49:50.000Z", - "ecs": { - "version": "8.11.0" - }, "data_stream": { + "dataset": "endace.flow", "namespace": "webserver", - "type": "logs", - "dataset": "endace.flow" + "type": "logs" }, - "host": { - "hostname": "webserver", - "os": { - "kernel": "5.10.0-27-cloud-amd64", - "codename": "bullseye", - "name": "Debian GNU/Linux", - "family": "debian", - "type": "linux", - "version": "11 (bullseye)", - "platform": "debian" - }, - "containerized": false, - "ip": [ - "10.100.0.29", - "fe80::4001:aff:fe64:1d" - ], - "name": "webserver", - "id": "28bd70940d6b4dd105977a2b386fc78d", - "mac": [ - "42-01-0A-64-00-1D" - ], - "architecture": "x86_64" + "destination": { + "bytes": 25278, + "ip": "169.254.169.254", + "packets": 5, + "port": 80 + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "322cf2eb-a791-433b-bcc1-b4f5a7896f11", + "snapshot": false, + "version": "8.9.1" }, "event": { - "duration": 61759622403, - "agent_id_status": "verified", - "ingested": "2024-07-01T10:49:51Z", - "kind": "event", - "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830922924&end=1719830384684&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.100.0.29%26169.254.169.254", - "start": "2024-07-01T10:48:42.924Z", "action": "network_flow", - "end": "2024-07-01T10:49:44.684Z", + "agent_id_status": "verified", "category": [ "network" ], + "dataset": "endace.flow", + "duration": 61759622403, + "end": "2024-07-01T10:49:44.684Z", + "ingested": "2024-07-01T10:49:51Z", + "kind": "event", + "start": "2024-07-01T10:48:42.924Z", "type": [ "connection" - ], - "dataset": "endace.flow" + ] }, "flow": { "final": false, "id": "EAT/////AP//////CP8AAAEKZAAdqf6p/u65UAA" - } + }, + "host": { + 
"architecture": "x86_64", + "containerized": false, + "hostname": "webserver", + "id": "28bd70940d6b4dd105977a2b386fc78d", + "ip": [ + "10.100.0.29", + "fe80::4001:aff:fe64:1d" + ], + "mac": [ + "42-01-0A-64-00-1D" + ], + "name": "webserver", + "os": { + "codename": "bullseye", + "family": "debian", + "kernel": "5.10.0-27-cloud-amd64", + "name": "Debian GNU/Linux", + "platform": "debian", + "type": "linux", + "version": "11 (bullseye)" + } + }, + "network": { + "bytes": 25730, + "community_id": "1:ZA5ezPNh0MumdIPxY03oJDcyLd8=", + "packets": 9, + "transport": "tcp", + "type": "ipv4" + }, + "type": "flow" } ] } \ No newline at end of file diff --git a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml index 0bdad9bf488..6d75d46036a 100644 --- a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml +++ b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml 
@@ -8,14 +8,19 @@ processors: if: ctx.destination?.ip != null && ctx.destination?.ip != '' && ctx.source?.ip != null && ctx.source?.ip != '' tag: endace conversation set - - set: - description: "Set IP Conversation if either destination.ip and source.ip are present" - field: _conf.ipconv - value: "ip={{ source.ip }}{{ destination.ip }}" - if: ctx._conf.ipconv != null && ctx.destination?.ip != null && ctx.destination?.ip != '' || ctx.source?.ip != null && ctx.source?.ip != '' - tag: endace ip set + description: "Set IP Conversation if only destination.ip is present" + field: _conf.ip_conv + value: "ip={{ destination.ip }}" + if: ctx.destination?.ip != null && ctx.destination?.ip != '' && (ctx.source?.ip == null || ctx.source?.ip == '') + tag: endace destination ip set + - set: + description: "Set IP Conversation if only source.ip is present" + field: _conf.ip_conv + value: "ip={{ source.ip }}" + if: (ctx.destination?.ip == null || ctx.destination?.ip == '') && ctx.source?.ip != null && ctx.source?.ip != '' + tag: endace source ip set - date: description: "Convert Start time to Epoch" @@ -26,11 +31,10 @@ processors: if: ctx.event?.start != null && ctx.event?.start != '' - convert: - field: _conf.event.start - type: long - description: "Convert Start time to Long" - if: ctx._conf?.event?.start != null && ctx._conf?.event?.start != '' - + field: _conf.event.start + type: long + description: "Convert Start time to Long" + if: ctx._conf?.event?.start != null && ctx._conf?.event?.start != '' - date: description: "Convert End time to Epoch" 
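Review bot: The first block of added lines in the `@@ -8,14 +8,19 @@` hunk (`description: "Set IP Conversation if only destination.ip is present"` through `tag: endace destination ip set`) appears to have no `- set:` list item in front of it, unlike the second added block and unlike the same change in endace-netflow.yml later in this patch; the hunk counts support this reading (6 removed, 11 added here versus 6 removed, 12 added in the netflow hunk). As written those keys fall into the preceding "endace conversation set" processor as duplicate `description`/`field`/`value`/`if`/`tag` keys, which a YAML loader will either reject or silently resolve to the destination-only values, so the both-IPs case would never produce its conversation value. Inserting `- set:` before that `description:` line, matching the sibling block, fixes it; line breaks are lost in this rendering so the indentation cannot be confirmed here and should be checked against the file. The flow expected-output hunks earlier in this patch drop `event.reference` without re-adding it, which may be a symptom of the same problem. Since both pipelines carry identical copies of these processors the drift is likely to recur, and a pipeline test fixture with only one IP present would catch it.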
@@ -40,40 +44,45 @@ processors: output_format: epoch_millis if: ctx.event?.end != null && ctx.event?.end != '' - - convert: - field: _conf.event.end - type: long - description: "Convert End time to Long" - if: ctx._conf?.event?.end != null && ctx._conf?.event?.end != '' - + field: _conf.event.end + type: long + description: "Convert End time to Long" + if: ctx._conf?.event?.end != null && ctx._conf?.event?.end != '' - script: - source: "ctx._conf.timedelta = ctx._conf.endace_lookback * 60 * 1000" - tag: "Calculate Timedelta" - description: "Calculate Timedelta" - if: ctx._conf?.endace_lookback != null && ctx._conf?.endace_lookback != '' - + source: "ctx._conf.timedelta = ctx._conf.endace_lookback * 60 * 1000" + tag: "Calculate Timedelta" + description: "Calculate Timedelta" + if: ctx._conf?.endace_lookback != null && ctx._conf?.endace_lookback != '' - script: - source: "ctx._conf.event.end = ctx._conf.event.end - ctx._conf.timedelta" - tag: "Calculate Endtime + additional lookback" - description: "Calculate Endtime + additional lookback" - if: ctx._conf?.event?.end != null && ctx._conf?.event?.end != '' && ctx._conf?.timedelta != null && ctx._conf?.timedelta != '' + source: "ctx._conf.event.end = ctx._conf.event.end + ctx._conf.timedelta/2" + tag: "Calculate Endtime as Timestamp + half of Timedelta" + description: "Calculate Endtime" + if: ctx._conf?.event?.end != null && ctx._conf?.event?.end != '' && ctx._conf?.timedelta != null && ctx._conf?.timedelta != '' + - script: + source: "ctx._conf.event.start = ctx._conf.event.start - ctx._conf.timedelta/2" + tag: "Calculate Starttime as Timestamp - half of Timedelta" + description: "Calculate Endtime" + if: ctx._conf?.event?.start != null && ctx._conf?.event?.start != '' && ctx._conf?.timedelta != null && ctx._conf?.timedelta != '' - set: field: event.reference value: "{{ _conf.endace_url}}/vision2/pivotintovision/?title=endace_pivot&datasources={{_conf.endace_datasources }}&start={{ _conf.event.start }}&end={{ 
_conf.event.end }}&tools={{ _conf.endace_tools }}&{{ _conf.ip_conv }}" ignore_empty_value: true tag: endace reference url - if: ctx.destination?.ip != null && ctx.destination?.ip != '' && ctx.source?.ip != null && ctx.source?.ip != '' + if: (ctx.destination?.ip != null && ctx.destination?.ip != '') || (ctx.source?.ip != null && ctx.source?.ip != '') + description: "Create P2V URL" on_failure: - append: field: error.message + description: "Error Message" value: |- Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}" - set: field: event.kind + description: "Event Kind" value: pipeline_error diff --git a/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json b/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json index 99ab16f813a..d8a498368a1 100644 --- a/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json +++ b/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json @@ -101,7 +101,8 @@ }, "destination": { "bytes": 0, - "packets": 0 + "packets": 0, + "ip": "10.36.236.100" }, "_conf": { "endace_url": "https://test.test.local", @@ -203,7 +204,8 @@ }, "source": { "bytes": 1477, - "packets": 6 + "packets": 6, + "ip": "10.127.32.11" }, "network": { "transport": "tcp", diff --git a/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json b/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json index c4d15424718..1bfc4cf0254 100644 --- a/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json +++ b/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json @@ -15,6 +15,7 @@ }, "destination": { "bytes": 0, + "ip": "10.36.236.100", "packets": 0 }, "ecs": { 
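Review bot: The second added script in the `@@ -40,40 +44,45 @@` hunk adjusts `_conf.event.start` but its description still reads "Calculate Endtime", copied from the script above it; it should be `description: "Calculate Starttime as Timestamp - half of Timedelta"` (the netflow copy of this change has the same slip with "Calculate Endtime minus half of Timedelta"). The two scripts also change what `endace_lookback` means — it used to be subtracted whole from the end time and is now split into half a window on either side of the flow — so a one-line comment on the timedelta script, e.g. `# endace_lookback (minutes) is spread evenly around [event.start, event.end]`, would save the next reader from re-deriving it from the expected URLs. Nothing in the `event.reference` template is URL-encoded: `_conf.endace_url`, `_conf.endace_datasources`, `_conf.endace_tools` and the IP strings are interpolated as-is, which is acceptable for operator-set configuration and values already validated as IPs, but stating that assumption in the `Create P2V URL` description would stop a later change from routing an unvalidated field through `ip_conv`.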
@@ -215,6 +216,7 @@ }, "source": { "bytes": 1477, + "ip": "10.127.32.11", "packets": 6 } }, @@ -3177,10 +3179,10 @@ "network" ], "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1587079068960&end=1587079668963&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.127.32.11%2610.36.236.100", "type": [ "connection" - ], - "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1587079368960&end=1587078768963&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.127.32.11%2610.36.236.100" + ] }, "flow": { "id": "6mUV1nPVG80", @@ -3253,10 +3255,10 @@ "network" ], "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1587079067995&end=1587079668404&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=89.160.20.112%2610.36.236.100", "type": [ "connection" - ], - "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1587079367995&end=1587078768404&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=89.160.20.112%2610.36.236.100" + ] }, "flow": { "id": "HVg4SttTufc", @@ -3314,7 +3316,7 @@ }, "bytes": 7158, "geo": { - "city_name": "Link\u00f6ping", + "city_name": "Linköping", "continent_name": "Europe", "country_iso_code": "SE", "country_name": "Sweden", @@ -3323,7 +3325,7 @@ "lon": 15.6167 }, "region_iso_code": "SE-E", - "region_name": "\u00d6sterg\u00f6tland County" + "region_name": "Östergötland County" }, "ip": "89.160.20.112", "locality": "external", @@ -3341,7 +3343,7 @@ } }, "geo": { - "city_name": "Link\u00f6ping", + "city_name": "Linköping", "continent_name": "Europe", "country_iso_code": "SE", "country_name": "Sweden", 
@@ -3350,7 +3352,7 @@ "lon": 15.6167 }, "region_iso_code": "SE-E", - "region_name": "\u00d6sterg\u00f6tland County" + "region_name": "Östergötland County" }, "ip": "89.160.20.112", "locality": "external", @@ -3365,10 +3367,10 @@ "network" ], "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1587079067920&end=1587079668404&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.36.236.100%2689.160.20.112", "type": [ "connection" - ], - "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1587079367920&end=1587078768404&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip_conv=10.36.236.100%2689.160.20.112" + ] }, "flow": { "id": "HVg4SttTufc", diff --git a/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml index 2f0b7aa07b2..14fe2e9fc9b 100644 --- a/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml +++ b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml 
@@ -8,13 +8,19 @@ processors: if: ctx.destination?.ip != null && ctx.destination?.ip != '' && ctx.source?.ip != null && ctx.source?.ip != '' tag: endace conversation set - - set: - description: "Set IP Conversation if either destination.ip and source.ip are present" - field: _conf.ipconv - value: "ip={{ source.ip }}{{ destination.ip }}" - if: ctx._conf.ipconv != null && ctx.destination?.ip != null && ctx.destination?.ip != '' || ctx.source?.ip != null && ctx.source?.ip != '' - tag: endace ip set + - set: + description: "Set IP Conversation if only destination.ip is present" + field: _conf.ip_conv + value: "ip={{ destination.ip }}" + if: ctx.destination?.ip != null && ctx.destination?.ip != '' && (ctx.source?.ip == null || ctx.source?.ip == '') + tag: endace destination ip set + - set: + description: "Set IP Conversation if only source.ip is present" + field: _conf.ip_conv + value: "ip={{ source.ip }}" + if: (ctx.destination?.ip == null || ctx.destination?.ip == '') && ctx.source?.ip != null && ctx.source?.ip != '' + tag: endace source ip set - date: description: "Convert Start time to Epoch" @@ -24,13 +30,11 @@ processors: output_format: epoch_millis if: ctx.netflow?.flow_start_milliseconds != null && ctx.netflow?.flow_start_milliseconds != '' - - convert: - field: _conf.event.start - type: long - description: "Convert Start time to Long" - if: ctx._conf?.event?.start != null && ctx._conf?.event?.start != '' - + field: _conf.event.start + type: long + description: "Convert Start time to Long" + if: ctx._conf?.event?.start != null && ctx._conf?.event?.start != '' - date: description: "Convert End time to Epoch" 
@@ -40,30 +44,34 @@ processors: output_format: epoch_millis if: ctx.netflow?.flow_end_milliseconds != null && ctx.netflow?.flow_end_milliseconds != '' - - convert: - field: _conf.event.end - type: long - description: "Convert End time to Long" - if: ctx._conf?.event?.end != null && ctx._conf?.event?.end != '' + field: _conf.event.end + type: long + description: "Convert End time to Long" + if: ctx._conf?.event?.end != null && ctx._conf?.event?.end != '' - script: - source: "ctx._conf.timedelta = ctx._conf.endace_lookback * 60 * 1000" - tag: "Calculate Timedelta" - description: "Calculate Timedelta" - if: ctx._conf?.endace_lookback != null && ctx._conf?.endace_lookback != '' - + source: "ctx._conf.timedelta = ctx._conf.endace_lookback * 60 * 1000" + tag: "Calculate Timedelta" + description: "Calculate Timedelta" + if: ctx._conf?.endace_lookback != null && ctx._conf?.endace_lookback != '' - script: - source: "ctx._conf.event.end = ctx._conf.event.end - ctx._conf.timedelta" - tag: "Calculate Endtime + additional lookback" - description: "Calculate Endtime + additional lookback" - if: ctx._conf?.event?.end != null && ctx._conf?.event?.end != '' && ctx._conf?.timedelta != null && ctx._conf?.timedelta != '' + source: "ctx._conf.event.end = ctx._conf.event.end + ctx._conf.timedelta/2" + tag: "Calculate Endtime as Timestamp + half of Timedelta" + description: "Calculate Endtime + half of lookback" + if: ctx._conf?.event?.end != null && ctx._conf?.event?.end != '' && ctx._conf?.timedelta != null && ctx._conf?.timedelta != '' + - script: + source: "ctx._conf.event.start = ctx._conf.event.start - ctx._conf.timedelta/2" + tag: "Calculate Starttime as Timestamp - half of Timedelta" + description: "Calculate Endtime minus half of Timedelta" + if: ctx._conf?.event?.start != null && ctx._conf?.event?.start != '' && ctx._conf?.timedelta != null && ctx._conf?.timedelta != '' - set: field: event.reference value: "{{ 
_conf.endace_url}}/vision2/pivotintovision/?title=endace_pivot&datasources={{_conf.endace_datasources }}&start={{ _conf.event.start }}&end={{ _conf.event.end }}&tools={{ _conf.endace_tools }}&{{ _conf.ip_conv }}" ignore_empty_value: true tag: endace reference url - if: ctx.destination?.ip != null && ctx.destination?.ip != '' && ctx.source?.ip != null && ctx.source?.ip != '' + if: (ctx.destination?.ip != null && ctx.destination?.ip != '') || (ctx.source?.ip != null && ctx.source?.ip != '') + description: "Create P2V URL" From 0c953955cfb6b84a96e65e9c197aac3d42c550b7 Mon Sep 17 00:00:00 2001 From: James Garside Date: Mon, 22 Jul 2024 13:54:59 +0000 Subject: [PATCH 15/23] Fixed duplicate tags --- .../flow/elasticsearch/ingest_pipeline/default.yml | 6 +++--- .../flow/elasticsearch/ingest_pipeline/geoip.yml | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml index 228026d07bd..ba5d9cec8d7 100644 --- a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml +++ b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml @@ -20,7 +20,7 @@ processors: pattern: '[-:.]' replacement: '' ignore_missing: true - tag: gsub_host_mac + tag: gsub_host_mac_remove_seperators - gsub: field: host.mac pattern: '(..)(?!$)' @@ -52,7 +52,7 @@ processors: pattern: '[-:.]' replacement: '' ignore_missing: true - tag: gsub_source_mac + tag: gsub_source_mac_remove_seperators - gsub: field: source.mac pattern: '(..)(?!$)' @@ -67,7 +67,7 @@ processors: pattern: '[-:.]' replacement: '' ignore_missing: true - tag: gsub_destination_mac + tag: gsub_destination_mac_remove_seperators - gsub: field: destination.mac pattern: '(..)(?!$)' 
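Review bot: The `set event.reference` processor at the end of this hunk still renders when `_conf.event.start`/`_conf.event.end` were never populated, because the date/convert steps above only run when `netflow.flow_start_milliseconds`/`flow_end_milliseconds` exist while the new `if:` only checks that an IP is present; the output is a link with `start=&end=`, which is exactly what the updated log test fixture in this series shows. Since the README instructs users to render `event.reference` as a clickable URL, a degenerate pivot link is worse than none. I would either extend the condition to `if: ((ctx.destination?.ip != null && ctx.destination?.ip != '') || (ctx.source?.ip != null && ctx.source?.ip != '')) && ctx._conf?.event?.start != null && ctx._conf?.event?.end != null`, or add a fallback `set` that derives both bounds from `@timestamp` before this step. Separately, the address values are interpolated without URL-encoding, which is only safe while the fields are guaranteed to be IP literals (an ECS `ip` mapping rejects anything else at index time, but the pipeline itself does not validate), so a one-line comment recording that assumption above the `set` would help the next maintainer.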
diff --git a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/geoip.yml b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/geoip.yml index eb88d38caf0..62d0462917f 100644 --- a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/geoip.yml +++ b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/geoip.yml @@ -14,7 +14,7 @@ processors: - asn - organization_name ignore_missing: true - tag: source_geo + tag: source_geo_as - rename: field: source.as.asn target_field: source.as.number @@ -37,7 +37,7 @@ processors: - asn - organization_name ignore_missing: true - tag: destination_geo + tag: destination_geo_as - rename: field: destination.as.asn target_field: destination.as.number @@ -60,7 +60,7 @@ processors: - asn - organization_name ignore_missing: true - tag: server_geo + tag: server_geo_as - rename: field: server.as.asn target_field: server.as.number @@ -83,7 +83,7 @@ processors: - asn - organization_name ignore_missing: true - tag: client_geo + tag: client_geo_as - rename: field: client.as.asn target_field: client.as.number From 7e1735f75d381ace776675107e3d1c1ba1ebe7e8 Mon Sep 17 00:00:00 2001 From: James Garside Date: Mon, 22 Jul 2024 13:57:53 +0000 Subject: [PATCH 16/23] Corrected typo in agent config --- packages/endace/data_stream/flow/agent/stream/flow.yml.hbs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/endace/data_stream/flow/agent/stream/flow.yml.hbs b/packages/endace/data_stream/flow/agent/stream/flow.yml.hbs index c7c3a8ce262..b45b6edf849 100644 --- a/packages/endace/data_stream/flow/agent/stream/flow.yml.hbs +++ b/packages/endace/data_stream/flow/agent/stream/flow.yml.hbs @@ -13,7 +13,7 @@ fields: endace_url: {{ endace_url }} endace_datasources: {{ endace_datasources }} endace_tools: {{ endace_tools }} - endace_lookback": {{ endace_lookback }} + endace_lookback: {{ endace_lookback }} {{#if tags}} tags: {{#each tags as |tag|}} 
From 667677bc102d29658c2c86ed542d21aeb491173e Mon Sep 17 00:00:00 2001 From: James Garside Date: Mon, 22 Jul 2024 13:58:30 +0000 Subject: [PATCH 17/23] Updated owners of this package to include upstream owener of the Flow datastream --- .github/CODEOWNERS | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 3c765988f50..9a441adddec 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -152,7 +152,9 @@
 /packages/elastic_agent @elastic/elastic-agent
 /packages/elastic_package_registry @elastic/ecosystem
 /packages/elasticsearch @elastic/stack-monitoring
-/packages/endace @elastic/sec-deployment-and-devices
+/packages/endace @elastic/sec-deployment-and-devices @elastic/sec-linux-platform
+/packages/endace/data_stream/flow @elastic/sec-linux-platform
+/packages/endace/data_stream/ @elastic/sec-deployment-and-devices
 /packages/enterprisesearch @elastic/stack-monitoring
 /packages/entityanalytics_ad @elastic/security-service-integrations
 /packages/entityanalytics_entra_id @elastic/security-service-integrations
From 04cb6d42fc8b4ba877472508018a56ac2d74c53e Mon Sep 17 00:00:00 2001 From: James Garside Date: Mon, 22 Jul 2024 20:00:16 +0000 Subject: [PATCH 18/23] updated docs --- packages/endace/_dev/build/docs/README.md | 30 ++++++++++++++++++++++ packages/endace/docs/README.md | 31 +++++++++++++++++++++++ 2 files changed, 61 insertions(+)
diff --git a/packages/endace/_dev/build/docs/README.md b/packages/endace/_dev/build/docs/README.md
index 9a6460ee4b9..d1a792f65de 100644
--- a/packages/endace/_dev/build/docs/README.md
+++ b/packages/endace/_dev/build/docs/README.md
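Review bot: The three added CODEOWNERS lines put the broad `/packages/endace/data_stream/` pattern last, and because the last matching pattern takes precedence it shadows the `/packages/endace/data_stream/flow` line above it, so @elastic/sec-linux-platform ends up not being a required reviewer for the flow data stream — the opposite of what the commit message intends. Swap the two lines so the specific pattern follows the generic one: `/packages/endace/data_stream/ @elastic/sec-deployment-and-devices` then `/packages/endace/data_stream/flow @elastic/sec-linux-platform`. Since CODEOWNERS is what gates who must approve changes to the ingest pipelines, this ordering is worth a test push against a file under `data_stream/flow` before merging.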
@@ -4,6 +4,36 @@ Endace is a company known for its network recording, traffic capture, and analys This integration allows users to ingest Network flow data from either Endace Flow via syslog input or use Elastic Agent to generate and ship Network Flow data to an Elastic deployment. Both of these methods add the `event.reference` field to each event when ingested into Elasticsearch which is a URL used to pivot to Endace. +## Additional Setup + +### Dataview +Once the integration is deployed, in order for the pivot link to be clickable to format for the `event.reference` field needs to be set, this can be done via Kibana Dev Tools and making the following request: +``` +POST kbn:/api/data_views/data_view/logs-*/fields +{ + "fields": { + "event.reference": { + "format":{ + "id": "url" + } + } + } +} +``` + +### IP Reputation +When in Elastic Security users are able to quickly lookup information about IPs from external services, to add Endace as an IP Reputation lookup service run the following in Kibana Dev Tools. Ensure to replace `` with your Endace appliance URL. + +``` +POST kbn:/api/kibana/settings +{"changes":{"securitySolution:ipReputationLinks": """[ + { "name": "Endace", "url_template": "https:///vision2/v1/pivotintovision/?datasources=tag:all&title=Untitled&reltime=12h&sip={{`{{ip}}`}}&tools=conversations_by_ipaddress" }, + { "name": "virustotal.com", "url_template": "https://www.virustotal.com/gui/search/{{`{{ip}}`}}" }, + { "name": "talosIntelligence.com", "url_template": "https://talosintelligence.com/reputation_center/lookup?search={{`{{ip}}`}}" } +]"""}} +``` + + ## Integration Variables #### `endace_url` The base URL for Endace UI. Example: https://myvprobe.com diff --git a/packages/endace/docs/README.md b/packages/endace/docs/README.md index 99fdadc924c..e0426775db6 100644 --- a/packages/endace/docs/README.md +++ b/packages/endace/docs/README.md 
@@ -4,6 +4,36 @@ Endace is a company known for its network recording, traffic capture, and analys This integration allows users to ingest Network flow data from either Endace Flow via syslog input or use Elastic Agent to generate and ship Network Flow data to an Elastic deployment. Both of these methods add the `event.reference` field to each event when ingested into Elasticsearch which is a URL used to pivot to Endace. +## Additional Setup + +### Dataview +Once the integration is deployed, in order for the pivot link to be clickable to format for the `event.reference` field needs to be set, this can be done via Kibana Dev Tools and making the following request: +``` +POST kbn:/api/data_views/data_view/logs-*/fields +{ + "fields": { + "event.reference": { + "format":{ + "id": "url" + } + } + } +} +``` + +### IP Reputation +When in Elastic Security users are able to quickly lookup information about IPs from external services, to add Endace as an IP Reputation lookup service run the following in Kibana Dev Tools. Ensure to replace `` with your Endace appliance URL. + +``` +POST kbn:/api/kibana/settings +{"changes":{"securitySolution:ipReputationLinks": """[ + { "name": "Endace", "url_template": "https:///vision2/v1/pivotintovision/?datasources=tag:all&title=Untitled&reltime=12h&sip={{ip}}&tools=conversations_by_ipaddress" }, + { "name": "virustotal.com", "url_template": "https://www.virustotal.com/gui/search/{{ip}}" }, + { "name": "talosIntelligence.com", "url_template": "https://talosintelligence.com/reputation_center/lookup?search={{ip}}" } +]"""}} +``` + + ## Integration Variables #### `endace_url` The base URL for Endace UI. Example: https://myvprobe.com 
@@ -202,6 +232,7 @@ The default value is 10s. | event.duration | Duration of the event in nanoseconds. If `event.start` and `event.end` are known this value should be the difference between the end and start time. | long | | event.end | `event.end` contains the date when the event ended or when the activity was last observed. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.reference | Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | | event.start | `event.start` contains the date when the event started or when the activity was first observed. | date | | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | flow.final | Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. | boolean | From d6d46722f62774d735cef8a6884cbb3de365903a Mon Sep 17 00:00:00 2001 
From: James Garside Date: Mon, 22 Jul 2024 20:00:58 +0000 Subject: [PATCH 19/23] Added reference field --- packages/endace/data_stream/flow/fields/ecs.yml | 2 ++ packages/endace/data_stream/log/fields/ecs.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/packages/endace/data_stream/flow/fields/ecs.yml b/packages/endace/data_stream/flow/fields/ecs.yml index 7b52299ab76..dbc20b5c446 100644 --- a/packages/endace/data_stream/flow/fields/ecs.yml +++ b/packages/endace/data_stream/flow/fields/ecs.yml @@ -26,6 +26,8 @@ name: event.end - external: ecs name: event.kind +- external: ecs + name: event.reference - external: ecs name: event.start - external: ecs diff --git a/packages/endace/data_stream/log/fields/ecs.yml b/packages/endace/data_stream/log/fields/ecs.yml index c25e61cef3c..d53120fc686 100644 --- a/packages/endace/data_stream/log/fields/ecs.yml +++ b/packages/endace/data_stream/log/fields/ecs.yml @@ -221,6 +221,8 @@ name: event.outcome - external: ecs name: event.provider +- external: ecs + name: event.reference - external: ecs name: event.risk_score - external: ecs From 154d45f0c1c8e5a28ca97ec2ac7efe64fc682f4e Mon Sep 17 00:00:00 2001 From: James Garside Date: Mon, 22 Jul 2024 21:51:28 +0000 Subject: [PATCH 20/23] Fixed pipeline tags, operator grouping and tests --- .../test-flow-events.json-expected.json | 10 +++++++ .../elasticsearch/ingest_pipeline/default.yml | 24 ++++++++++++++--- .../elasticsearch/ingest_pipeline/endace.yml | 10 +++---- ...test-netflow-log-events.json-expected.json | 2 ++ .../elasticsearch/ingest_pipeline/default.yml | 26 ++++++++++++++++--- .../ingest_pipeline/endace-netflow.yml | 10 +++---- 6 files changed, 66 insertions(+), 16 deletions(-) diff --git a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json index 40744a87df2..d237ef69fa7 100644 
--- a/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json +++ b/packages/endace/data_stream/flow/_dev/test/pipeline/test-flow-events.json-expected.json @@ -1261,6 +1261,7 @@ "end": "2024-07-01T10:49:44.684Z", "ingested": "2024-07-01T10:49:51Z", "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830619852&end=1719831284684&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=127.0.0.1", "start": "2024-07-01T10:48:39.852Z", "type": [ "connection" @@ -1385,6 +1386,7 @@ "end": "2024-07-01T10:49:40.076Z", "ingested": "2024-07-01T10:49:51Z", "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830619852&end=1719831280076&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=81.2.69.144", "start": "2024-07-01T10:48:39.852Z", "type": [ "connection" @@ -1524,6 +1526,7 @@ "end": "2024-07-01T10:49:41.100Z", "ingested": "2024-07-01T10:49:51Z", "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830620363&end=1719831281100&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=81.2.69.144", "start": "2024-07-01T10:48:40.363Z", "type": [ "connection" @@ -1643,6 +1646,7 @@ "end": "2024-07-01T10:49:41.100Z", "ingested": "2024-07-01T10:49:51Z", "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830620364&end=1719831281100&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=81.2.69.144", "start": "2024-07-01T10:48:40.364Z", "type": [ "connection" 
@@ -1738,6 +1742,7 @@ "end": "2024-07-01T10:49:45.708Z", "ingested": "2024-07-01T10:49:51Z", "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830620364&end=1719831285708&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=127.0.0.1", "start": "2024-07-01T10:48:40.364Z", "type": [ "connection" @@ -1863,6 +1868,7 @@ "end": "2024-07-01T10:49:41.100Z", "ingested": "2024-07-01T10:49:51Z", "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830621388&end=1719831281100&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=81.2.69.144", "start": "2024-07-01T10:48:41.388Z", "type": [ "connection" @@ -1982,6 +1988,7 @@ "end": "2024-07-01T10:49:48.268Z", "ingested": "2024-07-01T10:49:51Z", "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830621388&end=1719831288268&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=81.2.69.144", "start": "2024-07-01T10:48:41.388Z", "type": [ "connection" @@ -2077,6 +2084,7 @@ "end": "2024-07-01T10:49:49.292Z", "ingested": "2024-07-01T10:49:51Z", "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830621900&end=1719831289292&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=10.100.0.29", "start": "2024-07-01T10:48:41.900Z", "type": [ "connection" @@ -2178,6 +2186,7 @@ "end": "2024-07-01T10:49:42.124Z", "ingested": "2024-07-01T10:49:51Z", "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830622412&end=1719831282124&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=127.0.0.1", "start": "2024-07-01T10:48:42.412Z", "type": [ "connection" 
@@ -2285,6 +2294,7 @@ "end": "2024-07-01T10:49:44.684Z", "ingested": "2024-07-01T10:49:51Z", "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=1719830622924&end=1719831284684&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=169.254.169.254", "start": "2024-07-01T10:48:42.924Z", "type": [ "connection" diff --git a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml index ba5d9cec8d7..be13b30eea8 100644 --- a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml +++ b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/default.yml @@ -4,6 +4,7 @@ processors: - set: field: ecs.version value: '8.11.0' + tag: set_ecs_version # ECS compatibility pipeline - pipeline: @@ -21,20 +22,26 @@ processors: replacement: '' ignore_missing: true tag: gsub_host_mac_remove_seperators + - gsub: field: host.mac pattern: '(..)(?!$)' replacement: '$1-' ignore_missing: true tag: gsub_host_mac + - uppercase: field: host.mac ignore_missing: true + tag: uppercase_host_mac + - append: field: related.hosts value: "{{{observer.hostname}}}" if: ctx.observer?.hostname != null && ctx.observer.hostname != '' allow_duplicates: false + tag: append_observer_hostname + - foreach: if: ctx.observer?.ip != null && ctx.observer.ip instanceof List tag: foreach_observer_ip 
@@ -44,53 +51,64 @@ processors: field: related.ip value: '{{{_ingest._value}}}' allow_duplicates: false + - remove: if: ctx.host != null && ctx.tags != null && ctx.tags.contains('forwarded') field: host + tag: remove_host_if_forwarded + - gsub: field: source.mac pattern: '[-:.]' replacement: '' ignore_missing: true tag: gsub_source_mac_remove_seperators + - gsub: field: source.mac pattern: '(..)(?!$)' replacement: '$1-' ignore_missing: true tag: gsub_source_mac + - uppercase: field: source.mac ignore_missing: true + tag: uppercase_source_mac + - gsub: field: destination.mac pattern: '[-:.]' replacement: '' ignore_missing: true tag: gsub_destination_mac_remove_seperators + - gsub: field: destination.mac pattern: '(..)(?!$)' replacement: '$1-' ignore_missing: true tag: gsub_destination_mac + - uppercase: field: destination.mac ignore_missing: true + tag: uppercase_destination_mac - pipeline: if: ctx._conf?.geoip_enrich != null && ctx._conf.geoip_enrich name: '{{ IngestPipeline "geoip" }}' - tag: pipeline_processor + tag: pipeline_processor_geoip - pipeline: name: '{{ IngestPipeline "endace" }}' - tag: pipeline_processor - if: ctx.source?.ip != null && ctx.destination?.ip != null && ctx.source?.ip != '0.0.0.0' && ctx.destination?.ip != '0.0.0.0' + if: (ctx.source?.ip != null || ctx.destination?.ip != null) && (ctx.source?.ip != '0.0.0.0' && ctx.destination?.ip != '0.0.0.0') + tag: pipeline_processor_endace - remove: field: _conf ignore_missing: true + tag: remove_conf on_failure: - append: diff --git a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml index 6d75d46036a..cec04f8a4bf 100644 --- a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml +++ b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml 
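Review bot: The guard on the `endace` sub-pipeline near the end of this hunk now fires when either address is present, but it only filters the IPv4 unspecified address `0.0.0.0`; the IPv6 equivalent `::` would still produce a pivot link with `ip=::`. If this data stream can carry IPv6 flows (the log pipeline in this same series sets `network.type: ipv6`, so it seems plausible here too — worth confirming), extend the condition to `if: (ctx.source?.ip != null || ctx.destination?.ip != null) && (ctx.source?.ip != '0.0.0.0' && ctx.destination?.ip != '0.0.0.0' && ctx.source?.ip != '::' && ctx.destination?.ip != '::')`. A short comment above the `pipeline` processor, e.g. `# Skip the pivot link for flows whose only address is the unspecified address`, would also make the intent of the exclusion clear.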
@@ -5,21 +5,21 @@ processors: description: "Set IP Conversation if both destination.ip and source.ip are present" field: _conf.ip_conv value: "ip_conv={{ source.ip }}%26{{ destination.ip }}" - if: ctx.destination?.ip != null && ctx.destination?.ip != '' && ctx.source?.ip != null && ctx.source?.ip != '' + if: (ctx.destination?.ip != null && ctx.destination?.ip != '') && (ctx.source?.ip != null && ctx.source?.ip != '') tag: endace conversation set - set: description: "Set IP Conversation if only destination.ip is present" field: _conf.ip_conv value: "ip={{ destination.ip }}" - if: ctx.destination?.ip != null && ctx.destination?.ip != '' && (ctx.source?.ip == null || ctx.source?.ip == '') + if: (ctx.destination?.ip != null && ctx.destination?.ip != '') && (ctx.source?.ip == null || ctx.source?.ip == '') tag: endace destination ip set - set: description: "Set IP Conversation if only source.ip is present" field: _conf.ip_conv value: "ip={{ source.ip }}" - if: (ctx.destination?.ip == null || ctx.destination?.ip == '') && ctx.source?.ip != null && ctx.source?.ip != '' + if: (ctx.destination?.ip == null || ctx.destination?.ip == '') && (ctx.source?.ip != null && ctx.source?.ip != '') tag: endace source ip set - date: 
@@ -60,13 +60,13 @@ processors: source: "ctx._conf.event.end = ctx._conf.event.end + ctx._conf.timedelta/2" tag: "Calculate Endtime as Timestamp + half of Timedelta" description: "Calculate Endtime" - if: ctx._conf?.event?.end != null && ctx._conf?.event?.end != '' && ctx._conf?.timedelta != null && ctx._conf?.timedelta != '' + if: (ctx._conf?.event?.end != null && ctx._conf?.event?.end != '') && (ctx._conf?.timedelta != null && ctx._conf?.timedelta != '') - script: source: "ctx._conf.event.start = ctx._conf.event.start - ctx._conf.timedelta/2" tag: "Calculate Starttime as Timestamp - half of Timedelta" description: "Calculate Endtime" - if: ctx._conf?.event?.start != null && ctx._conf?.event?.start != '' && ctx._conf?.timedelta != null && ctx._conf?.timedelta != '' + if: (ctx._conf?.event?.start != null && ctx._conf?.event?.start != '') && (ctx._conf?.timedelta != null && ctx._conf?.timedelta != '') - set: field: event.reference diff --git a/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json b/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json index 1bfc4cf0254..3bfddfa3d57 100644 --- a/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json +++ b/packages/endace/data_stream/log/_dev/test/pipeline/test-netflow-log-events.json-expected.json @@ -29,6 +29,7 @@ ], "created": "2021-05-19T09:08:51.938Z", "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=&end=&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=10.36.236.100", "type": [ "connection" ] @@ -138,6 +139,7 @@ ], "created": "2021-05-19T09:08:51.938Z", "kind": "event", + "reference": "https://test.test.local/vision2/pivotintovision/?title=endace_pivot&datasources=tag:rotation-file&start=&end=&tools=trafficOverTime_by_app,conversations_by_ipaddress&ip=10.127.32.11", "type": [ "connection" ] 
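Review bot: The second `script` in this hunk computes `_conf.event.start`, but its `description` still reads "Calculate Endtime", identical to the first script; the description is the only human-readable explanation of the step, so a reader skimming the pipeline would think the start bound is never adjusted. Change it to `description: "Calculate Starttime - half of Timedelta"`. Consider also giving these two scripts snake_case tags like the rest of the pipelines in this package (`tag: calc_end_plus_half_lookback` / `tag: calc_start_minus_half_lookback`) rather than sentence-style tags with spaces, since the tag is what appears in `on_failure` output.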
diff --git a/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml index f01170ba54e..978620ce9dc 100644 --- a/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -5,69 +5,83 @@ processors: - set: field: ecs.version value: '8.11.0' + tag: add_ecs_version - convert: field: network.iana_number type: string ignore_missing: true ignore_failure: true + tag: convert_network_iana_number - rename: field: observer.ip target_field: _tmp_.observer.ip ignore_missing: true + tag: rename_observer_ip - append: field: observer.ip value: '{{_tmp_.observer.ip}}' if: ctx._tmp_?.observer?.ip != null + tag: append_observer_ip - set: field: event.category value: - network - session if: ctx.event?.category != null && ctx.event?.category == "network_session" + tag: set_event_category - set: field: network.type value: ipv4 if: ctx.netflow?.source_ipv4_address != null || ctx.netflow?.destination_ipv4_address != null + tag: set_network_type_ipv4 - set: field: network.type value: ipv6 if: (ctx.netflow?.source_ipv6_address != null || ctx.netflow?.destination_ipv6_address != null) && ctx.network?.type == null + tag: set_network_type_ipv6 - append: field: network.type value: ipv6 if: (ctx.netflow?.source_ipv6_address != null || ctx.netflow?.destination_ipv6_address != null) && ctx.network?.type == "ipv4" + tag: append_network_type_ipv6 - set: field: network.direction value: inbound if: ctx.source?.locality == "external" && ctx.destination?.locality == "internal" + tag: set_network_direction_inbound - set: field: network.direction value: outbound if: ctx.source?.locality == "internal" && ctx.destination?.locality == "external" + tag: set_network_direction_outbound - set: field: network.direction value: internal if: ctx.source?.locality == "internal" && ctx.destination?.locality == "internal" + tag: set_network_direction_internal - set: field: network.direction value: external if: ctx.source?.locality == "external" && ctx.destination?.locality == "external" + tag: set_network_direction_external - set: field: network.direction value: unknown if: ctx.network?.direction == null - + tag: set_network_direction # IP Geolocation Lookup - geoip: if: 
ctx.source?.geo == null field: source.ip target_field: source.geo ignore_missing: true + tag: geoip_source_lookup - geoip: if: ctx.destination?.geo == null field: destination.ip target_field: destination.geo - ignore_missing: true + ignore_missing: true + tag: geoip_destination_lookup # IP Autonomous System (AS) Lookup - geoip: @@ -78,6 +92,7 @@ processors: - asn - organization_name ignore_missing: true + tag: geoip_source_as_lookup - geoip: database_file: GeoLite2-ASN.mmdb field: destination.ip @@ -86,22 +101,27 @@ processors: - asn - organization_name ignore_missing: true + tag: geoip_dest_as_lookup - rename: field: source.as.asn target_field: source.as.number ignore_missing: true + tag: rename_source_as_field_asn - rename: field: source.as.organization_name target_field: source.as.organization.name ignore_missing: true + tag: rename_source_as_field_org - rename: field: destination.as.asn target_field: destination.as.number ignore_missing: true + tag: rename_as_field_asn - rename: field: destination.as.organization_name target_field: destination.as.organization.name ignore_missing: true + tag: rename_as_field_org - remove: field: - _tmp_ @@ -109,7 +129,7 @@ processors: - pipeline: name: '{{ IngestPipeline "endace-netflow" }}' tag: pipeline_processor - if: ctx.source?.ip != null && ctx.destination?.ip != null && ctx.source?.ip != '0.0.0.0' && ctx.destination?.ip != '0.0.0.0' + if: (ctx.source?.ip != null || ctx.destination?.ip != null) && (ctx.source?.ip != '0.0.0.0' && ctx.destination?.ip != '0.0.0.0') - remove: field: "_conf" on_failure: diff --git a/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml index 14fe2e9fc9b..4ae2420ff1a 100644 --- a/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml +++ b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml 
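Review bot: The new tags on the two `rename` processors for the destination ASN fields, `rename_as_field_asn` and `rename_as_field_org`, drop the `destination_` prefix that the matching source tags (`rename_source_as_field_asn`, `rename_source_as_field_org`) carry, so an `on_failure` message naming the tag would not say which side failed. Rename them to `tag: rename_destination_as_field_asn` and `tag: rename_destination_as_field_org`. The `pipeline` processor further down this file also still carries the generic `tag: pipeline_processor` that the flow pipeline in this same commit renamed to `pipeline_processor_endace`, which looks like an oversight given the commit title.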
@@ -5,21 +5,21 @@ processors: description: "Set IP Conversation if both destination.ip and source.ip are present" field: _conf.ip_conv value: "ip_conv={{ source.ip }}%26{{ destination.ip }}" - if: ctx.destination?.ip != null && ctx.destination?.ip != '' && ctx.source?.ip != null && ctx.source?.ip != '' + if: (ctx.destination?.ip != null && ctx.destination?.ip != '') && ( ctx.source?.ip != null && ctx.source?.ip != '' ) tag: endace conversation set - set: description: "Set IP Conversation if only destination.ip is present" field: _conf.ip_conv value: "ip={{ destination.ip }}" - if: ctx.destination?.ip != null && ctx.destination?.ip != '' && (ctx.source?.ip == null || ctx.source?.ip == '') + if: (ctx.destination?.ip != null && ctx.destination?.ip != '') && (ctx.source?.ip == null || ctx.source?.ip == '') tag: endace destination ip set - set: description: "Set IP Conversation if only source.ip is present" field: _conf.ip_conv value: "ip={{ source.ip }}" - if: (ctx.destination?.ip == null || ctx.destination?.ip == '') && ctx.source?.ip != null && ctx.source?.ip != '' + if: (ctx.destination?.ip == null || ctx.destination?.ip == '') && (ctx.source?.ip != null && ctx.source?.ip != '') tag: endace source ip set - date: 
@@ -60,13 +60,13 @@ processors: source: "ctx._conf.event.end = ctx._conf.event.end + ctx._conf.timedelta/2" tag: "Calculate Endtime as Timestamp + half of Timedelta" description: "Calculate Endtime + half of lookback" - if: ctx._conf?.event?.end != null && ctx._conf?.event?.end != '' && ctx._conf?.timedelta != null && ctx._conf?.timedelta != '' + if: (ctx._conf?.event?.end != null && ctx._conf?.event?.end != '') && (ctx._conf?.timedelta != null && ctx._conf?.timedelta != '') - script: source: "ctx._conf.event.start = ctx._conf.event.start - ctx._conf.timedelta/2" tag: "Calculate Starttime as Timestamp - half of Timedelta" description: "Calculate Endtime minus half of Timedelta" - if: ctx._conf?.event?.start != null && ctx._conf?.event?.start != '' && ctx._conf?.timedelta != null && ctx._conf?.timedelta != '' + if: (ctx._conf?.event?.start != null && ctx._conf?.event?.start != '') && (ctx._conf?.timedelta != null && ctx._conf?.timedelta != '') - set: field: event.reference From fafac5045175db7505177c99ffeb9b9290dd9ef5 Mon Sep 17 00:00:00 2001 From: James Garside Date: Mon, 22 Jul 2024 22:07:04 +0000 Subject: [PATCH 21/23] Removed redundant ? operators --- .../elasticsearch/ingest_pipeline/endace.yml | 20 ++++++++--------- .../ingest_pipeline/endace-netflow.yml | 22 +++++++++---------- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml index cec04f8a4bf..d6a1399695e 100644 --- a/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml +++ b/packages/endace/data_stream/flow/elasticsearch/ingest_pipeline/endace.yml 
@@ -12,14 +12,14 @@ processors: description: "Set IP Conversation if only destination.ip is present" field: _conf.ip_conv value: "ip={{ destination.ip }}" - if: (ctx.destination?.ip != null && ctx.destination?.ip != '') && (ctx.source?.ip == null || ctx.source?.ip == '') + if: (ctx.destination?.ip != null && ctx.destination.ip != '') && (ctx.source?.ip == null || ctx.source?.ip == '') tag: endace destination ip set - set: description: "Set IP Conversation if only source.ip is present" field: _conf.ip_conv value: "ip={{ source.ip }}" - if: (ctx.destination?.ip == null || ctx.destination?.ip == '') && (ctx.source?.ip != null && ctx.source?.ip != '') + if: (ctx.destination?.ip == null || ctx.destination?.ip == '') && (ctx.source?.ip != null && ctx.source.ip != '') tag: endace source ip set - date: @@ -28,13 +28,13 @@ processors: formats: ["ISO8601"] target_field: _conf.event.start output_format: epoch_millis - if: ctx.event?.start != null && ctx.event?.start != '' + if: ctx.event?.start != null && ctx.event.start != '' - convert: field: _conf.event.start type: long description: "Convert Start time to Long" - if: ctx._conf?.event?.start != null && ctx._conf?.event?.start != '' + if: ctx._conf?.event?.start != null && ctx._conf.event.start != '' - date: description: "Convert End time to Epoch" 
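Review bot: Dropping the `?` on the second operand (e.g. `ctx.destination.ip != ''` after `ctx.destination?.ip != null`) is only safe because `&&` short-circuits on the preceding null check, and a one-line comment above the first such condition, `# second operand is reached only after the null-safe check passes, so plain access is safe`, would stop a later edit from reordering the operands. This hunk starts at line 12 of flow/endace.yml, so the "Set IP Conversation if both destination.ip and source.ip are present" processor that the netflow file updates in its `@@ -5,21 +5,21 @@` hunk is, if it exists in this file too, presumably left in the old `?` form, which would leave the two files inconsistent after this commit. The same point applies to the `@@ -28,13` and `@@ -42,38` hunks of this file and to all three hunks of endace-netflow.yml below.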
@@ -42,38 +42,38 @@ processors: formats: ["ISO8601"] target_field: _conf.event.end output_format: epoch_millis - if: ctx.event?.end != null && ctx.event?.end != '' + if: ctx.event?.end != null && ctx.event.end != '' - convert: field: _conf.event.end type: long description: "Convert End time to Long" - if: ctx._conf?.event?.end != null && ctx._conf?.event?.end != '' + if: ctx._conf?.event?.end != null && ctx._conf.event.end != '' - script: source: "ctx._conf.timedelta = ctx._conf.endace_lookback * 60 * 1000" tag: "Calculate Timedelta" description: "Calculate Timedelta" - if: ctx._conf?.endace_lookback != null && ctx._conf?.endace_lookback != '' + if: ctx._conf?.endace_lookback != null && ctx._conf.endace_lookback != '' - script: source: "ctx._conf.event.end = ctx._conf.event.end + ctx._conf.timedelta/2" tag: "Calculate Endtime as Timestamp + half of Timedelta" description: "Calculate Endtime" - if: (ctx._conf?.event?.end != null && ctx._conf?.event?.end != '') && (ctx._conf?.timedelta != null && ctx._conf?.timedelta != '') + if: (ctx._conf?.event?.end != null && ctx._conf.event.end != '') && (ctx._conf?.timedelta != null && ctx._conf.timedelta != '') - script: source: "ctx._conf.event.start = ctx._conf.event.start - ctx._conf.timedelta/2" tag: "Calculate Starttime as Timestamp - half of Timedelta" description: "Calculate Endtime" - if: (ctx._conf?.event?.start != null && ctx._conf?.event?.start != '') && (ctx._conf?.timedelta != null && ctx._conf?.timedelta != '') + if: (ctx._conf?.event?.start != null && ctx._conf.event.start != '') && (ctx._conf?.timedelta != null && ctx._conf.timedelta != '') - set: field: event.reference value: "{{ _conf.endace_url}}/vision2/pivotintovision/?title=endace_pivot&datasources={{_conf.endace_datasources }}&start={{ _conf.event.start }}&end={{ _conf.event.end }}&tools={{ _conf.endace_tools }}&{{ _conf.ip_conv }}" ignore_empty_value: true tag: endace reference url - if: (ctx.destination?.ip != null && ctx.destination?.ip != '') || 
(ctx.source?.ip != null && ctx.source?.ip != '') + if: (ctx.destination?.ip != null && ctx.destination.ip != '') || (ctx.source?.ip != null && ctx.source.ip != '') description: "Create P2V URL" on_failure: diff --git a/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml index 4ae2420ff1a..081b576785c 100644 --- a/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml +++ b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/endace-netflow.yml @@ -5,21 +5,21 @@ processors: description: "Set IP Conversation if both destination.ip and source.ip are present" field: _conf.ip_conv value: "ip_conv={{ source.ip }}%26{{ destination.ip }}" - if: (ctx.destination?.ip != null && ctx.destination?.ip != '') && ( ctx.source?.ip != null && ctx.source?.ip != '' ) + if: (ctx.destination?.ip != null && ctx.destination.ip != '') && ( ctx.source?.ip != null && ctx.source.ip != '' ) tag: endace conversation set - set: description: "Set IP Conversation if only destination.ip is present" field: _conf.ip_conv value: "ip={{ destination.ip }}" - if: (ctx.destination?.ip != null && ctx.destination?.ip != '') && (ctx.source?.ip == null || ctx.source?.ip == '') + if: (ctx.destination?.ip != null && ctx.destination.ip != '') && (ctx.source?.ip == null || ctx.source?.ip == '') tag: endace destination ip set - set: description: "Set IP Conversation if only source.ip is present" field: _conf.ip_conv value: "ip={{ source.ip }}" - if: (ctx.destination?.ip == null || ctx.destination?.ip == '') && (ctx.source?.ip != null && ctx.source?.ip != '') + if: (ctx.destination?.ip == null || ctx.destination?.ip == '') && (ctx.source?.ip != null && ctx.source.ip != '') tag: endace source ip set - date: 
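Review bot: In the `@@ -42,38 +42,38 @@` hunk of flow/endace.yml the script tagged "Calculate Starttime as Timestamp - half of Timedelta" still carries `description: "Calculate Endtime"`, a copy of the description on the preceding end-time script; since this commit already touches the `if` line of that processor, the description could be corrected in the same change to `description: "Calculate Starttime"`. The netflow counterpart in the `@@ -42,36 +42,36 @@` hunk has the same slip, `description: "Calculate Endtime minus half of Timedelta"` on the start-time script. These are context lines, so the issue predates the commit, but the surrounding on_failure handler reports tag and description text, which makes the mismatch visible to operators.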
@@ -28,13 +28,13 @@ processors: formats: ["ISO8601"] target_field: _conf.event.start output_format: epoch_millis - if: ctx.netflow?.flow_start_milliseconds != null && ctx.netflow?.flow_start_milliseconds != '' + if: ctx.netflow?.flow_start_milliseconds != null && ctx.netflow.flow_start_milliseconds != '' - convert: field: _conf.event.start type: long description: "Convert Start time to Long" - if: ctx._conf?.event?.start != null && ctx._conf?.event?.start != '' + if: ctx._conf?.event?.start != null && ctx._conf.event.start != '' - date: description: "Convert End time to Epoch" 
@@ -42,36 +42,36 @@ processors: formats: ["ISO8601"] target_field: _conf.event.end output_format: epoch_millis - if: ctx.netflow?.flow_end_milliseconds != null && ctx.netflow?.flow_end_milliseconds != '' + if: ctx.netflow?.flow_end_milliseconds != null && ctx.netflow.flow_end_milliseconds != '' - convert: field: _conf.event.end type: long description: "Convert End time to Long" - if: ctx._conf?.event?.end != null && ctx._conf?.event?.end != '' + if: ctx._conf?.event?.end != null && ctx._conf.event.end != '' - script: source: "ctx._conf.timedelta = ctx._conf.endace_lookback * 60 * 1000" tag: "Calculate Timedelta" description: "Calculate Timedelta" - if: ctx._conf?.endace_lookback != null && ctx._conf?.endace_lookback != '' + if: ctx._conf?.endace_lookback != null && ctx._conf.endace_lookback != '' - script: source: "ctx._conf.event.end = ctx._conf.event.end + ctx._conf.timedelta/2" tag: "Calculate Endtime as Timestamp + half of Timedelta" description: "Calculate Endtime + half of lookback" - if: (ctx._conf?.event?.end != null && ctx._conf?.event?.end != '') && (ctx._conf?.timedelta != null && ctx._conf?.timedelta != '') + if: (ctx._conf?.event?.end != null && ctx._conf.event.end != '') && (ctx._conf?.timedelta != null && ctx._conf.timedelta != '') - script: source: "ctx._conf.event.start = ctx._conf.event.start - ctx._conf.timedelta/2" tag: "Calculate Starttime as Timestamp - half of Timedelta" description: "Calculate Endtime minus half of Timedelta" - if: (ctx._conf?.event?.start != null && ctx._conf?.event?.start != '') && (ctx._conf?.timedelta != null && ctx._conf?.timedelta != '') + if: (ctx._conf?.event?.start != null && ctx._conf.event.start != '') && (ctx._conf?.timedelta != null && ctx._conf.timedelta != '') - set: field: event.reference value: "{{ _conf.endace_url}}/vision2/pivotintovision/?title=endace_pivot&datasources={{_conf.endace_datasources }}&start={{ _conf.event.start }}&end={{ _conf.event.end }}&tools={{ _conf.endace_tools }}&{{ _conf.ip_conv }}" 
ignore_empty_value: true tag: endace reference url - if: (ctx.destination?.ip != null && ctx.destination?.ip != '') || (ctx.source?.ip != null && ctx.source?.ip != '') + if: (ctx.destination?.ip != null && ctx.destination.ip != '') || (ctx.source?.ip != null && ctx.source.ip != '') description: "Create P2V URL" From 505622d2f10f0d11b4838c991525941bd63dbd72 Mon Sep 17 00:00:00 2001 From: James Garside Date: Mon, 22 Jul 2024 23:13:57 +0100 Subject: [PATCH 22/23] Update CODEOWNERS --- .github/CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 9a441adddec..0bc8a980149 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -154,7 +154,7 @@ /packages/elasticsearch @elastic/stack-monitoring /packages/endace @elastic/sec-deployment-and-devices @elastic/sec-linux-platform /packages/endace/data_stream/flow @elastic/sec-linux-platform -/packages/endace/data_stream/ @elastic/sec-deployment-and-devices +/packages/endace/data_stream/log @elastic/sec-deployment-and-devices /packages/enterprisesearch @elastic/stack-monitoring /packages/entityanalytics_ad @elastic/security-service-integrations /packages/entityanalytics_entra_id @elastic/security-service-integrations From f1405b0d6e950b5752a9b0efa8cdb98a1e2156bf Mon Sep 17 00:00:00 2001 From: James Garside Date: Fri, 26 Jul 2024 16:51:10 +0100 Subject: [PATCH 23/23] Add failure Co-authored-by: Taylor Swanson <90622908+taylor-swanson@users.noreply.github.com> --- .../data_stream/log/elasticsearch/ingest_pipeline/default.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 978620ce9dc..a781774a3ee 100644 --- a/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/endace/data_stream/log/elasticsearch/ingest_pipeline/default.yml 
@@ -138,4 +138,4 @@ on_failure: value: pipeline_error - append: field: error.message - value: '{{{ _ingest.on_failure_message }}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
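Review bot: The richer failure message only helps if every pipeline in the package emits it; endace.yml and endace-netflow.yml each end with their own `on_failure:` block (visible at the end of their hunks above, contents outside the diff), and if those still append the bare `'{{{ _ingest.on_failure_message }}}'` then an error raised inside a sub-pipeline will reach error.message without the processor type and tag this hunk adds. Aligning those blocks on the same `value:` string would keep the error format uniform across the package. Since `_ingest.on_failure_processor_tag` is now user-visible, tags that are generic (`pipeline_processor`) or ambiguous between source and destination (`rename_as_field_asn`) are worth tightening in the same series.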