diff --git a/salt/elasticsearch/files/ingest/zeek.conn b/salt/elasticsearch/files/ingest/zeek.conn
index 4cca15896..14689f782 100644
--- a/salt/elasticsearch/files/ingest/zeek.conn
+++ b/salt/elasticsearch/files/ingest/zeek.conn
@@ -23,19 +23,19 @@
 { "rename": { "field": "message2.resp_cc", "target_field": "server.country_code", "ignore_missing": true } },
 { "rename": { "field": "message2.sensorname", "target_field": "observer.name", "ignore_missing": true } },
 { "script": { "lang": "painless", "source": "ctx.network.bytes = (ctx.client.bytes + ctx.server.bytes)", "ignore_failure": true } },
- { "set": { "if": "ctx.connection.state == 'S0'", "field": "connection.state_description", "value": "Connection attempt seen, no reply" } },
- { "set": { "if": "ctx.connection.state == 'S1'", "field": "connection.state_description", "value": "Connection established, not terminated" } },
- { "set": { "if": "ctx.connection.state == 'S2'", "field": "connection.state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } },
- { "set": { "if": "ctx.connection.state == 'S3'", "field": "connection.state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } },
- { "set": { "if": "ctx.connection.state == 'SF'", "field": "connection.state_description", "value": "Normal SYN/FIN completion" } },
- { "set": { "if": "ctx.connection.state == 'REJ'", "field": "connection.state_description", "value": "Connection attempt rejected" } },
- { "set": { "if": "ctx.connection.state == 'RSTO'", "field": "connection.state_description", "value": "Connection established, originator aborted (sent a RST)" } },
- { "set": { "if": "ctx.connection.state == 'RSTR'", "field": "connection.state_description", "value": "Established, responder aborted" } },
- { "set": { "if": "ctx.connection.state == 'RSTOS0'","field": "connection.state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } },
- { "set": { "if": "ctx.connection.state == 'RSTRH'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from 
the (purported) originator" } },
- { "set": { "if": "ctx.connection.state == 'SH'", "field": "connection.state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
- { "set": { "if": "ctx.connection.state == 'SHR'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
- { "set": { "if": "ctx.connection.state == 'OTH'", "field": "connection.state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
+ { "set": { "if": "ctx.connection?.state == 'S0'", "field": "connection.state_description", "value": "Connection attempt seen, no reply" } },
+ { "set": { "if": "ctx.connection?.state == 'S1'", "field": "connection.state_description", "value": "Connection established, not terminated" } },
+ { "set": { "if": "ctx.connection?.state == 'S2'", "field": "connection.state_description", "value": "Connection established and close attempt by originator seen (but no reply from responder)" } },
+ { "set": { "if": "ctx.connection?.state == 'S3'", "field": "connection.state_description", "value": "Connection established and close attempt by responder seen (but no reply from originator)" } },
+ { "set": { "if": "ctx.connection?.state == 'SF'", "field": "connection.state_description", "value": "Normal SYN/FIN completion" } },
+ { "set": { "if": "ctx.connection?.state == 'REJ'", "field": "connection.state_description", "value": "Connection attempt rejected" } },
+ { "set": { "if": "ctx.connection?.state == 'RSTO'", "field": "connection.state_description", "value": "Connection established, originator aborted (sent a RST)" } },
+ { "set": { "if": "ctx.connection?.state == 'RSTR'", "field": "connection.state_description", "value": "Established, responder aborted" } },
+ { "set": { "if": "ctx.connection?.state == 'RSTOS0'","field": 
"connection.state_description", "value": "Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder" } },
+ { "set": { "if": "ctx.connection?.state == 'RSTRH'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator" } },
+ { "set": { "if": "ctx.connection?.state == 'SH'", "field": "connection.state_description", "value": "Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was 'half' open)" } },
+ { "set": { "if": "ctx.connection?.state == 'SHR'", "field": "connection.state_description", "value": "Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator" } },
+ { "set": { "if": "ctx.connection?.state == 'OTH'", "field": "connection.state_description", "value": "No SYN seen, just midstream traffic (a 'partial connection' that was not later closed)" } },
 { "pipeline": { "name": "zeek.common" } }
 ]
 }
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary b/salt/elasticsearch/files/ingest/zeek.opcua_binary
index 4363804b4..5ce836ca6 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary
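Review bot: The thirteen `set` processors on the new side differ only in the matched `connection.state` value and the description text, so the state-to-description table is spread across thirteen conditions, each a separately compiled Painless `if`; a single `script` processor holding the table as a Painless map would keep it in one place and make adding or correcting a state a one-line change, e.g. `def m = ['S0': 'Connection attempt seen, no reply', /* … remaining states … */]; if (m.containsKey(ctx.connection?.state)) { ctx.connection.state_description = m[ctx.connection.state]; }`. The `SH` and `OTH` descriptions contain single quotes, which would need escaping (`\\'` once embedded in the JSON string) if moved into a Painless literal. The `?.` change itself looks correct: a missing `connection` object now evaluates the condition to false rather than, presumably, failing the processor.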
@@ -14,6 +14,8 @@
 { "rename": { "field": "message2.request_id", "target_field": "opcua.request_id", "ignore_missing": true } },
 { "rename": { "field": "message2.namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
 { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "convert": { "field": "opcua.encoding_mask", "type": "string",
+ "ignore_missing": true } },
 { "rename": { "field": "message2.identifier", "target_field": "opcua.identifier", "ignore_missing": true } },
 { "rename": { "field": "message2.identifier_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
 { "rename": { "field": "message2.req_hdr_node_id_type", "target_field": "opcua.request.header.node.id_type", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
index c4bfeeed1..81f8e9392 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_activate_session
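Review bot: The added `convert` processor is broken across two lines here (`"type": "string",` / `"ignore_missing": true } },`), and again in zeek.opcua_binary_browse and zeek.opcua_binary_get_endpoints_description, while the identical processor is a single line in zeek.opcua_binary_activate_session and zeek.opcua_binary_create_session_endpoints and every neighbouring processor in these files occupies one line; keep one processor per line so the five copies stay byte-identical and grep-able. Nothing in the pipeline records why `opcua.encoding_mask` is normalised to a string (presumably so the field has one type in the index regardless of how the Zeek log emits it); ingest processors accept a `description` option, so `"description": "<reason for stringifying encoding_mask — TODO fill in>"` on the convert would carry that rationale in a format with no comment syntax.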
@@ -6,6 +6,7 @@
 { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
 { "rename": { "field": "message2.ext_obj_type_id_namespace_idx", "target_field": "opcua.namespace_index", "ignore_missing": true } },
 { "rename": { "field": "message2.ext_obj_type_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "convert": { "field": "opcua.encoding_mask", "type": "string", "ignore_missing": true } },
 { "rename": { "field": "message2.ext_obj_type_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
 { "rename": { "field": "message2.ext_obj_type_id_str", "target_field": "opcua.identifier_string", "ignore_missing": true } },
 { "rename": { "field": "message2.ext_obj_encoding", "target_field": "opcua.encoding", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
index 83d388082..f6e2f3630 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_browse
@@ -6,6 +6,8 @@
 { "rename": { "field": "message2.opcua_link_id", "target_field": "opcua.link_id", "ignore_missing": true } },
 { "rename": { "field": "message2.browse_service_type", "target_field": "opcua.service_type", "ignore_missing": true } },
 { "rename": { "field": "message2.browse_view_id_encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "convert": { "field": "opcua.encoding_mask", "type": "string",
+ "ignore_missing": true } },
 { "rename": { "field": "message2.browse_view_id_numeric", "target_field": "opcua.identifier_numeric", "ignore_missing": true } },
 { "rename": { "field": "message2.browse_view_description_timestamp", "target_field": "opcua.view.description_timestamp", "ignore_missing": true } },
 { "rename": { "field": "message2.browse_view_description_view_version", "target_field": "opcua.description.view_version", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
index 79d8ac067..0511211d5 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_create_session_endpoints
@@ -8,6 +8,7 @@
 { "rename": { "field": "message2.application_uri", "target_field": "opcua.application_uri", "ignore_missing": true } },
 { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
 { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "convert": { "field": "opcua.encoding_mask", "type": "string", "ignore_missing": true } },
 { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
 { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
 { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },
diff --git a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
index 072d6bd31..b467196de 100644
--- a/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
+++ b/salt/elasticsearch/files/ingest/zeek.opcua_binary_get_endpoints_description
@@ -8,6 +8,8 @@
 { "rename": { "field": "message2.endpoint_uri", "target_field": "opcua.endpoint_uri", "ignore_missing": true } },
 { "rename": { "field": "message2.product_uri", "target_field": "opcua.product_uri", "ignore_missing": true } },
 { "rename": { "field": "message2.encoding_mask", "target_field": "opcua.encoding_mask", "ignore_missing": true } },
+ { "convert": { "field": "opcua.encoding_mask", "type": "string",
+ "ignore_missing": true } },
 { "rename": { "field": "message2.locale", "target_field": "opcua.locale", "ignore_missing": true } },
 { "rename": { "field": "message2.text", "target_field": "opcua.text", "ignore_missing": true } },
 { "rename": { "field": "message2.application_type", "target_field": "opcua.application_type", "ignore_missing": true } },