Replace read_timestamp with event.created in all remaining Filebeat modules #10139
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Test failures are related: For Kibana, Redis and Kafka |
|
@ycombinator In migrating |
ruflin
approved these changes
Jan 17, 2019
|
Thanks for fixing up the Kibana pipeline, @webmat! Would it be worth adding a special mention about this breaking change in the CHANGELOG? |
added 11 commits
January 17, 2019 20:40
- iis.error - nginx.access - osquery - traefik.access
- read_timestamp can be aliased in 6.x for forward compatibility - it was present twice in the file, now only present once at the beginning, with other common fields
Will modify both entries to identify the only two beats affected, instead. This reverts commit 4ee063a3cd5755d773822fa83a4cf1fda04f1441.
|
@ycombinator Oh yes, good point. I've done that. Hopefully not too verbose. |
DStape
pushed a commit
to DStape/beats
that referenced
this pull request
Aug 20, 2019
…astic#10139) Note that some of the recent module migrations have already started populating `event.created` instead of `read_timestamp`. This PR finishes this work all at once. - Replace `read_timestamp` with `event.created` in remaining Fb modules: - iis.error - kafka - kibana - nginx.access - osquery - redis - traefik.access - No longer excluding `read_timestamp` from integration test results, as it's no longer expected - Finish equivalent migration in Journalbeat by making `read_timestamp` into an alias - Adjust Kibana module's pipeline to use the correct semantics for `event.created`
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Note that some of the recent module migrations have already started populating
event.createdinstead ofread_timestamp. This PR does the remaining modules all at once.Modules/filesets affected:
Outside of these modules, the only occurrences I see of
read_timestampare the field definitions and test_modules.py.So this PR will alias
read_timestamptoevent.createdas well.I've taken the opportunity to put in place the alias for Journalbeat as well. Didn't look like it was being used there anymore.