
[Infoblox_nios]: missing dns.query.name for message containing ECS option suffix #19222

Draft
vinit-chauhan wants to merge 1 commit into elastic:main from vinit-chauhan:fix/16626-add-an-ecs-client-subnet-named-pattern-to-53350912

Conversation

@vinit-chauhan (Contributor)

Proposed commit message

The Infoblox NIOS DNS pipeline was silently dropping all parsed DNS question fields (dns.question.name, dns.question.class, dns.question.type, and related ECS fields) for any query log line that included an EDNS Client Subnet (ECS) option suffix such as [ECS 89.160.20.112/24/0]. The root cause was a Grok pattern in pipeline_dns.yml that anchored with $ immediately after the server IP address in parentheses, so any line with the trailing [ECS ...] bracket failed to match that pattern entirely and fell through to a catch-all, losing all structured DNS fields.

The fix makes the ECS suffix optional in the Grok pattern by appending (?:\s*%{ECS_CLIENT_SUBNET})?$ to the query line pattern. A new named pattern definition, ECS_CLIENT_SUBNET, matches the full [ECS <ip>[/<prefix_len>[/<scope_prefix_len>]]] structure, capturing the subnet IP, prefix length, and scope prefix length into new fields under infoblox_nios.log.dns.ecs_client_subnet. A convert processor coerces the captured IP string to the ip type (with an on_failure guard that removes the field and appends to error.message), and an append processor adds the ECS client subnet IP to related.ip.

Three new structured fields are declared in fields.yml under infoblox_nios.log.dns.ecs_client_subnet (ip, prefix_length, scope_prefix_length) and documented in README.md. Three new pipeline test cases cover the fixed behaviour: an IPv6 client with a full ip/prefix/scope ECS tuple, an IPv4 client with a full ECS tuple, and an IPv4 client with an IP-only ECS suffix (no prefix lengths). The package is bumped from 2.1.1 to 2.1.2 with a corresponding changelog.yml entry.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices.

Author's Checklist

  • Verify the updated Grok pattern in pipeline_dns.yml correctly parses both plain query lines (no ECS suffix) and lines with [ECS ip/prefix/scope] or [ECS ip] suffixes, and that dns.question.name is populated in all three cases.
  • Confirm the new ECS_CLIENT_SUBNET pattern definition handles the optional prefix-length and scope-prefix-length segments without over-matching or under-matching.
  • Check that infoblox_nios.log.dns.ecs_client_subnet.ip is appended to related.ip and that the convert processor's on_failure path removes the field cleanly when the value is not a valid IP.
  • Confirm the changelog.yml entry is present and the manifest.yml version is bumped to 2.1.2.

How to test this PR locally

# From the repository root
cd packages/infoblox_nios

# Format and lint
elastic-package format
elastic-package lint

# Build the package
elastic-package build

# Run pipeline tests (covers the three new ECS client subnet test cases)
elastic-package test pipeline --data-streams log

Related issues

Screenshots
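As an added illustration (not code from this PR or from the infoblox_nios integration), the following Python re-implementation of the two Grok patterns shows why the `$`-anchored pattern drops the question fields once an `[ECS ...]` suffix is present, and how the optional `ECS_CLIENT_SUBNET` group, the `convert` step with its `on_failure` guard, and the `append` to `related.ip` behave. The query-line layout around the suffix and the sample lines are constructed and simplified; only the bracketed ECS suffix follows the format quoted in the description.

```python
import ipaddress
import re

# Python re stand-in for the named Grok pattern from the PR: [ECS <ip>[/<prefix>[/<scope>]]]
ECS_CLIENT_SUBNET = (
    r"\[ECS (?P<ecs_ip>[0-9a-fA-F.:]+)"
    r"(?:/(?P<ecs_prefix_length>\d+)(?:/(?P<ecs_scope_prefix_length>\d+))?)?\]"
)
# Constructed, simplified query-line body (not the real pipeline_dns.yml pattern).
QUERY_BODY = (
    r"client (?P<client_ip>[0-9a-fA-F.:]+)#(?P<client_port>\d+): query: "
    r"(?P<name>\S+) (?P<class>\S+) (?P<type>\S+) (?P<flags>\S+) \((?P<server_ip>[0-9a-fA-F.:]+)\)"
)
# Before the fix: anchored right after the server IP, so a trailing "[ECS ...]" breaks the match.
OLD_PATTERN = re.compile(QUERY_BODY + r"$")
# After the fix: the suffix is optional, mirroring (?:\s*%{ECS_CLIENT_SUBNET})?$ in Grok.
NEW_PATTERN = re.compile(QUERY_BODY + r"(?:\s*" + ECS_CLIENT_SUBNET + r")?$")

SAMPLE_LINES = [  # constructed samples; the ECS suffix mirrors the PR's "[ECS 89.160.20.112/24/0]"
    "client 10.1.2.3#51234: query: example.com IN A -E(0)D (10.9.8.7)",
    "client 10.1.2.3#51234: query: example.com IN A -E(0)D (10.9.8.7) [ECS 89.160.20.112/24/0]",
    "client 2001:db8::10#53000: query: example.org IN AAAA -E(0)D (10.9.8.7) [ECS 2001:db8:1::/48/0]",
    "client 10.1.2.3#51234: query: example.net IN TXT -E(0)D (10.9.8.7) [ECS 89.160.20.112]",
]


def parse_query_line(line, pattern=NEW_PATTERN):
    """Return the structured fields for one line, or None when the pattern fails (the catch-all case)."""
    m = pattern.match(line)
    if m is None:
        return None
    g = m.groupdict()
    event = {
        "dns.question.name": g["name"],
        "dns.question.class": g["class"],
        "dns.question.type": g["type"],
        "related.ip": [g["client_ip"], g["server_ip"]],
        "error.message": [],
    }
    if g.get("ecs_ip") is None:          # no ECS suffix: nothing more to add
        return event
    ecs = {}
    try:                                  # convert processor (type: ip) ...
        ecs["ip"] = str(ipaddress.ip_address(g["ecs_ip"]))
        event["related.ip"].append(ecs["ip"])   # ... followed by the append processor
    except ValueError as exc:             # on_failure: drop the field, record the error
        event["error.message"].append(f"ecs_client_subnet.ip: {exc}")
    for key in ("prefix_length", "scope_prefix_length"):
        if g.get("ecs_" + key) is not None:
            ecs[key] = int(g["ecs_" + key])
    event["infoblox_nios.log.dns.ecs_client_subnet"] = ecs
    return event
```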

@vinit-chauhan vinit-chauhan requested a review from a team as a code owner May 26, 2026 19:26
@github-actions

✅ Vale Linting Results

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:infoblox_nios Infoblox NIOS Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience] labels May 26, 2026
@infra-vault-gh-plugin-prod

Pinging @elastic/integration-experience (Team:Integration-Experience)

@vinit-chauhan vinit-chauhan added the enhancement New feature or request label May 26, 2026
@vinit-chauhan vinit-chauhan marked this pull request as draft May 27, 2026 12:55


Development

Successfully merging this pull request may close these issues.

[Infoblox_nios]: missing dns.query.name for message containing -E(0)D
