Undefined log.file.* fields breaking tests for filestream inputs #7716
Conversation
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
bhapas
force-pushed
the
filestream-breaking-tests
branch
from
0720ce6
to
2e0d1b8
Compare
🌐 Coverage report
|
bhapas
force-pushed
the
filestream-breaking-tests
branch
from
9807041
to
6467d45
Compare
packages/apache_tomcat/data_stream/access/_dev/test/system/test-default-config.yml
Show resolved
Hide resolved
There was a problem hiding this comment.
The more I look at this problem I think we need to go back to the ingest team, and talk about changing the field types to be strings for the reason given in #7716 (comment). Otherwise, this will be an uphill battle to keep a consistent mapping type between integrations. As soon as an integration forgets to map these numeric fields then there will be a conflict with the integrations that do map it as keyword. Today there are 22 separate data streams associated with the filestream input that need mappings for these fields.
Secondly, the fields are uint6412 in Beats. The default mapping will be long3, and this is not the correct type because a uint64 does not fit into long (i.e. 2^64 > 2^63).
Third, this would be an opportunity to align the definitions between operating systems and propose these to ECS. Like perhaps
| Type | Unix | Windows | |
|---|---|---|---|
| log.file.device_id | string | Device ID | NTFS volume |
| log.file.inode | string | Inode number in decimal | File index number in decimal (high and low order 32-bit values combined to form a uint64) |
@rdner @ycombinator Would you be open to some changes to these fields in the input?
Footnotes
-
https://github.com/elastic/beats/blob/8ff6894cab0591cc3a898d7abd6a9103e535efdd/libbeat/common/file/file_windows.go#L32-L34 ↩
-
https://github.com/elastic/beats/blob/f0215ff5cfdbcb0db8ebc1f07af1b4885081389b/libbeat/common/file/file_other.go#L29-L30 ↩
-
https://www.elastic.co/guide/en/elasticsearch/reference/current/dynamic-field-mapping.html ↩
Created an issue for this in beats elastic/beats#36695 |
|
@andrewkroh I'd like to point out 2 things:
I'm fine with reverting everything back to strings if @ycombinator is fine with it. I'm surprised adding these fields caused so many issues, apologies. Next time, I will involve integration developers into a review when we add more fields. |
|
Yep, I'm good with using strings / keywords for these fields given how they're intended to be used. |
bhapas
force-pushed
the
filestream-breaking-tests
branch
from
c103bc5
to
871d03c
Compare
|
@andrewkroh the descriptions you suggested looks perfect to me. Regarding the example file, should every event field be there? I'm asking because it's missing a few fields, for example, What's the purpose of this file exactly? |
These files drive our documentation and the Elasticsearch index templates. |
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
| - name: fingerprint | ||
| type: keyword | ||
| description: The sha256 fingerprint identity of the file when fingerprinting is enabled. | ||
| - name: inode |
There was a problem hiding this comment.
Considering that these fields are currently numeric and would be changed to string as per this comment, is it fine to use keyword here as of now?
There was a problem hiding this comment.
Any JSON numeric value can be mapped as keyword in ES without conversion to a JSON string.
|
Package apache_tomcat - 0.13.0 containing this change is available at https://epr.elastic.co/search?package=apache_tomcat |
|
Package coredns - 0.5.0 containing this change is available at https://epr.elastic.co/search?package=coredns |
What does this PR do?
Issue described in #7687
Checklist
changelog.ymlfile.Related issues
log.file.*fields breaking tests forfilestreaminputs #7687