Convert Filebeat kibana.log to ECS #9301
Conversation
webmat
added
in progress
|
Caveats:
|
webmat
force-pushed
the
ecs-kibana-fb
branch
from
e3cda26
to
b8325bb
Compare
webmat
added
review
and removed
in progress
webmat
changed the title
|
@ruflin Apart from one thing that I wonder about ( |
|
jenkins, test this |
webmat
force-pushed
the
ecs-kibana-fb
branch
from
b8325bb
to
ee72842
Compare
|
@webmat I'm good with keep kibana.logs.tags as I think these are tags specific to kibana. |
|
@ruflin This is correct. Some fields were present twice in the output format, under different names. Now they are present only once, in line with ECS, and all the old names are aliases to the ECS fields. |
|
@ruflin One more caveat I'd like your opinion on: |
|
@webmat Yes, for the array. It does not make a difference. Can explain an other time why it's like. After we done all the modules, will go through an rename service.name to service.type anyways. |
|
@ruflin Rebasing. Good to go, once tests are green? |
webmat
force-pushed
the
ecs-kibana-fb
branch
from
ee72842
to
eb880f3
Compare
|
@ruflin You had approved this before the holidays, I tweaked one small detail. Instead of renaming Can I get one last look, please? Thanks |
|
Ping @elastic/stack-monitoring for awareness. If this works for you as well, I'd like to merge on Tuesday at the latest. |
|
@ycombinator Hey could you have a quick look at this one as well, when you have a moment, please? Thanks! |
| "lang": "painless", | ||
| "source": "ctx.event.duration = Math.round(ctx.kibana.log.meta.res.responseTime * params.scale)", | ||
| "params": { "scale": 1000000 }, | ||
| "if": "ctx.kibana.log.containsKey('meta') && ctx.kibana.log.meta.containsKey('res') && ctx.kibana.log.meta.res.containsKey('responseTime')" |
There was a problem hiding this comment.
Nit: You could probably shorten this to something like: ctx.kibana.log.meta?.res?.responseTime != null.
There was a problem hiding this comment.
Oh man, Painless has that? Thanks for pointing out ❤️
There was a problem hiding this comment.
Yep, it was added at some point: https://www.elastic.co/guide/en/elasticsearch/painless/current/painless-operators-reference.html#null-safe-operator
There was a problem hiding this comment.
@ycombinator Do you know which version this was added? Asking for compatibility reasons.
There was a problem hiding this comment.
5.1.1: elastic/elasticsearch#21239
|
jenkins, test this |
- kibana.log.meta.req.headers.referer => http.request.referrer - kibana.log.meta.req.headers.user-agent => user_agent.original - kibana.log.meta.req.remoteAddress => source.ip - kibana.log.meta.req.url => url.original
- kibana.log.meta.req.referer - kibana.log.meta.statusCode - kibana.log.meta.method
|
Rebased and updated the pipeline to use the null-safe operators. Thanks @ycombinator for pointing those out, this will make my life much easier in places like this experimental PR: #9905 😆 Tests were green across the board. Will merge tomorrow AM if it's still the case. |
Caveats
One thing I think should be addressed by this PR:
kibana.log.tagstotags. However what's the best way to approach it?appendexpects a JSON array of values or field names, not a field name that contains an array (see doc example)kibana.field set.Actual caveats / disclaimers
http.response.elapsed_timewhich is not in ECS. Noted in [WIP] Filebeat module issues found during ECS conversion #9208http.response.content_lengthneeds to migrate after Update the HTTP field set with ECS definitions as of beta 2 #9645 (noted in WIP Filebeat modules adjustments for ECS Beta 2 #9684)filebeat/_meta/fields.common.ymldefineshttp.response.content_lengthwhich should become an alias tohttp.response.body.sizeafter Update the HTTP field set with ECS definitions as of beta 2 #9645 (may impact many modules). This has been added to the issue WIP Filebeat modules adjustments for ECS Beta 2 #9684.Not previously done by this module. I say we should not add this now, as it adds dependencies:
Renames
Duplicate fields
They have been removed, are aliased as well
TODO
-expected.jsonfile now only contains 1 event. I should contain 3.