Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Ingest Pipelines][Append Processor] Adding a "unique" argument #57543

Closed
P1llus opened this issue Jun 2, 2020 · 1 comment · Fixed by #61916
Closed

[Ingest Pipelines][Append Processor] Adding a "unique" argument #57543

P1llus opened this issue Jun 2, 2020 · 1 comment · Fixed by #61916
Labels
:Data Management/Ingest Node Execution or management of Ingest Pipelines including GeoIP >enhancement Team:Data Management Meta label for data/management team

Comments

@P1llus
Copy link
Member

P1llus commented Jun 2, 2020

When appending values to specific fields there is currently a need to check if the related value already exists with if conditions.

It would be great to add support to check if the value already exists in the array and only append it if it does not.

In both Observability and Security usecases, we have the possibility to append related sources to make visualization easier. Fields like "related.user", "related.hash", "related.XYZ" is examples on that.

The issue comes down to certain cases where maybe the related user would be in multiple parts of the event.

POST /_ingest/pipeline/_simulate
{
  "pipeline": {
    "description": "_description",
    "processors": [
      {
        "append": {
          "field": "related.user",
          "value": "{{source.user}}"
        }
      },
      {
        "append": {
          "field": "related.user",
          "value": "{{client.user}}"
        }
      }
    ]
  },
  "docs": [
    {
      "_index": "index",
      "_id": "id",
      "_source": {
        "source": {
          "user": "testuser"
        },
        "client": {
          "user": "testuser"
        }
      }
    }
  ]
}

If we could add a "unique: true" argument to the append processor here, we could do something like:

{
  "append": {
    "field": "related.user",
    "value": "{{client.user}}",
    "unique": true
  }
}
@P1llus P1llus added >enhancement needs:triage Requires assignment of a team area label :Data Management/Ingest Node Execution or management of Ingest Pipelines including GeoIP labels Jun 2, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-core-features (:Core/Features/Ingest)

@elasticmachine elasticmachine added the Team:Data Management Meta label for data/management team label Jun 2, 2020
@romseygeek romseygeek removed the needs:triage Requires assignment of a team area label label Jun 3, 2020
@danhermann danhermann mentioned this issue Sep 3, 2020
Merged
@danhermann danhermann mentioned this issue Oct 5, 2020
Merged
@Mpdreamz Mpdreamz mentioned this issue Nov 16, 2020
Closed
61 tasks
@stevejgordon stevejgordon mentioned this issue Dec 17, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
:Data Management/Ingest Node Execution or management of Ingest Pipelines including GeoIP >enhancement Team:Data Management Meta label for data/management team
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Allow_duplicates option for append processor danhermann/elasticsearch
3 participants
@romseygeek @P1llus @elasticmachine