Convert Filebeat kafka.* to ECS #9297

webmat · 2018-11-29T19:26:34Z

Caveats

Module used to keep original message in message, and cleaned up message
in kafka.log.message. Keeping original message will be addressed elsewhere,
and this PR now replaces message with the cleaned up message.

Renames

kafka.log.level => log.level
kafka.log.message => message

TODO

Alias renamed fields to their ECS counterpart
Document field migrations in ecs-migration.yml
Changelog
Final rebase

Noticed

This module doesn't have a sample log that populates kafka.log.trace.full

ruflin · 2018-12-20T13:14:17Z

filebeat/module/kafka/log/ingest/pipeline.json

@@ -6,18 +6,18 @@
        "field": "message",
        "trace_match": true,
        "patterns": [
-          "(?m)%{TIMESTAMP_ISO8601:kafka.log.timestamp}. %{LOGLEVEL:kafka.log.level} +%{JAVALOGMESSAGE:kafka.log.message} \\(%{JAVACLASS:kafka.log.class}\\)$[ \\n]*(?'kafka.log.trace.full'.*)"
+          "(?m)%{TIMESTAMP_ISO8601:kafka.log.timestamp}. %{LOGLEVEL:log.level} +%{JAVALOGMESSAGE:message} \\(%{JAVACLASS:kafka.log.class}\\)$[ \\n]*(?'kafka.log.trace.full'.*)"


Sounds like one day we should have something related to Java class.

@felixbarny Is there a standardised way Java APM agent is storing this info?

ruflin · 2018-12-20T13:15:35Z

filebeat/module/kafka/log/test/state-change-1.1.0.log-expected.json

@@ -6,9 +6,8 @@
        "input.type": "log", 
        "kafka.log.class": "state.change.logger", 
        "kafka.log.component": "Broker id=30", 
-        "kafka.log.level": "TRACE", 
-        "kafka.log.message": "Cached leader info PartitionState(controllerEpoch=25, leader=-1, leaderEpoch=15, isr=[10], zkVersion=15, replicas=[10], offlineReplicas=[10]) for partition __consumer_offsets-16 in response to UpdateMetadata request sent by controller 20 epoch 25 with correlation id 8", 
+        "log.level": "TRACE", 


Looks like a log level we haven't really used yet. No change needed.

- kafka.log.level => log.level - kafka.log.message => message

The pipeline ends with remove `remove field kafka.log.timestamp`.

ruflin mentioned this pull request Nov 29, 2018

Transition Beats to ECS #8655

Closed

webmat self-assigned this Nov 29, 2018

webmat added in progress Pull request is currently in progress. module Filebeat Filebeat ecs labels Nov 29, 2018

webmat mentioned this pull request Dec 17, 2018

Fix recently translated Filebeat modules where integer coercions were added #9598

Closed

14 tasks

webmat force-pushed the ecs-kafka-fb branch 2 times, most recently from cafba24 to f30da0d Compare December 19, 2018 18:29

webmat requested a review from a team as a code owner December 19, 2018 18:29

webmat added the review label Dec 19, 2018

webmat changed the title ~~WIP Convert Filebeat kafka.* to ECS~~ Convert Filebeat kafka.* to ECS Dec 19, 2018

webmat removed the in progress Pull request is currently in progress. label Dec 19, 2018

webmat force-pushed the ecs-kafka-fb branch from f30da0d to 238d685 Compare December 19, 2018 21:40

ruflin reviewed Dec 20, 2018

View reviewed changes

ruflin approved these changes Dec 20, 2018

View reviewed changes

webmat force-pushed the ecs-kafka-fb branch 2 times, most recently from baf3209 to 0b77277 Compare December 20, 2018 16:12

Mathieu Martin added 4 commits December 20, 2018 14:26

Map 2 fields to ECS:

df67448

- kafka.log.level => log.level - kafka.log.message => message

Document kafka module file migrations in ecs-migration

e8dc178

Alias two Kafka fields. Remove unused field definition.

7a4383b

The pipeline ends with remove `remove field kafka.log.timestamp`.

Changelog

64316a1

webmat force-pushed the ecs-kafka-fb branch from 0b77277 to 64316a1 Compare December 20, 2018 19:28

webmat merged commit c053a32 into elastic:master Dec 20, 2018

webmat deleted the ecs-kafka-fb branch December 20, 2018 19:30

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Convert Filebeat kafka.* to ECS #9297

Convert Filebeat kafka.* to ECS #9297

webmat commented Nov 29, 2018 •

edited

Loading

ruflin Dec 20, 2018

ruflin Dec 20, 2018

Convert Filebeat kafka.* to ECS #9297

Convert Filebeat kafka.* to ECS #9297

Conversation

webmat commented Nov 29, 2018 • edited Loading

ruflin Dec 20, 2018

Choose a reason for hiding this comment

ruflin Dec 20, 2018

Choose a reason for hiding this comment

webmat commented Nov 29, 2018 •

edited

Loading