-
Notifications
You must be signed in to change notification settings - Fork 387
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Undefined log.file.* fields breaking tests for filestream inputs #7716
Conversation
0720ce6
to
2e0d1b8
Compare
🌐 Coverage report
|
9807041
to
6467d45
Compare
packages/apache_tomcat/data_stream/access/_dev/test/system/test-default-config.yml
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The more I look at this problem I think we need to go back to the ingest team, and talk about changing the field types to be strings for the reason given in #7716 (comment). Otherwise, this will be an uphill battle to keep a consistent mapping type between integrations. As soon as an integration forgets to map these numeric fields then there will be a conflict with the integrations that do map it as keyword
. Today there are 22 separate data streams associated with the filestream input that need mappings for these fields.
Secondly, the fields are uint64
12 in Beats. The default mapping will be long
3, and this is not the correct type because a uint64 does not fit into long (i.e. 2^64 > 2^63).
Third, this would be an opportunity to align the definitions between operating systems and propose these to ECS. Like perhaps
Type | Unix | Windows | |
---|---|---|---|
log.file.device_id | string | Device ID | NTFS volume |
log.file.inode | string | Inode number in decimal | File index number in decimal (high and low order 32-bit values combined to form a uint64) |
@rdner @ycombinator Would you be open to some changes to these fields in the input?
Footnotes
-
https://github.com/elastic/beats/blob/8ff6894cab0591cc3a898d7abd6a9103e535efdd/libbeat/common/file/file_windows.go#L32-L34 ↩
-
https://github.com/elastic/beats/blob/f0215ff5cfdbcb0db8ebc1f07af1b4885081389b/libbeat/common/file/file_other.go#L29-L30 ↩
-
https://www.elastic.co/guide/en/elasticsearch/reference/current/dynamic-field-mapping.html ↩
Created an issue for this in beats elastic/beats#36695 |
@andrewkroh I'd like to point out 2 things:
I'm fine with reverting everything back to strings if @ycombinator is fine with it. I'm surprised adding these fields caused so many issues, apologies. Next time, I will involve integration developers into a review when we add more fields. |
Yep, I'm good with using strings / keywords for these fields given how they're intended to be used. |
c103bc5
to
871d03c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@andrewkroh the descriptions you suggested looks perfect to me. Regarding the example file, should every event field be there? I'm asking because it's missing a few fields, for example, What's the purpose of this file exactly? |
These files drive our documentation and the Elasticsearch index templates. |
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
- name: fingerprint | ||
type: keyword | ||
description: The sha256 fingerprint identity of the file when fingerprinting is enabled. | ||
- name: inode |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Considering that these fields are currently numeric and would be changed to string as per this comment, is it fine to use keyword here as of now?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any JSON numeric value can be mapped as keyword in ES without conversion to a JSON string.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good!
Package apache_tomcat - 0.13.0 containing this change is available at https://epr.elastic.co/search?package=apache_tomcat |
Package coredns - 0.5.0 containing this change is available at https://epr.elastic.co/search?package=coredns |
What does this PR do?
Issue described in #7687
Checklist
changelog.yml
file.Related issues
log.file.*
fields breaking tests forfilestream
inputs #7687