Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Inconsistent value of event.dataset in ES deprecation logs #83251

Closed
pgomulka opened this issue Jan 28, 2022 · 4 comments · Fixed by #83254 or #117933
Closed

Inconsistent value of event.dataset in ES deprecation logs #83251

pgomulka opened this issue Jan 28, 2022 · 4 comments · Fixed by #83254 or #117933
Labels
>breaking >bug :Core/Infra/Logging Log management and logging utilities Team:Core/Infra Meta label for core/infra team v8.0.0 v9.0.0

Comments

@pgomulka
Copy link
Contributor

pgomulka commented Jan 28, 2022

Elasticsearch Version

8.0

Installed Plugins

No response

Java Version

bundled

OS Version

macos

Problem Description

event.dataset values in ES logs are elasticsearch.server, elasticsearch.index_search_slowlog, elasticsearch.index_indexing_slowlog
but for deprecation logs it is deprecation.elasticsearch

This probably originates from 7.x where the deprecation log had deprecation.elasticsearch type field, but other logs had simply server, index_search_slowlog and index_indexing_slowlog

Steps to Reproduce

generate deprecation logs.
A sample:

{
  "@timestamp": "2022-01-27T11:48:45.809Z",
  "log.level": "CRITICAL",
  "data_stream.dataset": "deprecation.elasticsearch",
  "data_stream.namespace": "default",
  "data_stream.type": "logs",
  "elasticsearch.elastic_product_origin": "",
  "elasticsearch.event.category": "compatible_api",
  "elasticsearch.http.request.x_opaque_id": "v7app",
  "event.code": "create_index_with_types",
  "message": "[types removal] Using include_type_name in create index requests is deprecated. The parameter will be removed in the next major version.",
  "ecs.version": "1.2.0",
  "service.name": "ES_ECS",
  "event.dataset": "deprecation.elasticsearch",
  "process.thread.name": "elasticsearch[runTask-0][transport_worker][T#8]",
  "log.logger": "org.elasticsearch.deprecation.rest.action.admin.indices.RestCreateIndexAction",
  "trace.id": "0af7651916cd43dd8448eb211c80319c",
  "elasticsearch.cluster.uuid": "5alW33KLT16Lp1SevDqDSQ",
  "elasticsearch.node.id": "tVLnAGLgQum5ca6z50aqbw",
  "elasticsearch.node.name": "runTask-0",
  "elasticsearch.cluster.name": "runTask"
}

beats processor that is overriding this already
https://github.com/elastic/beats/pull/30018/files#r794578451

original dicussion on the PR that introduced the change
#68737

we should also discuss datastream.dataset field. datastream.dataset is only set in deprecation logs

@pgomulka pgomulka added >bug needs:triage Requires assignment of a team area label :Core/Infra/Logging Log management and logging utilities labels Jan 28, 2022
@elasticmachine elasticmachine added the Team:Core/Infra Meta label for core/infra team label Jan 28, 2022
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-core-infra (Team:Core/Infra)

@pgomulka pgomulka added v8.0.0 v8.1.0 and removed Team:Core/Infra Meta label for core/infra team needs:triage Requires assignment of a team area label labels Jan 28, 2022
pgomulka added a commit to pgomulka/elasticsearch that referenced this issue Jan 28, 2022
The dataset value for all ES logs are prefixed with elasticsearch + log
type. Like elasticsearch.server. Deprecation log had it reverted
`deprecation.elasticsearch`
This commit renames the dataset for deprecation logs to
`elasticsearch.deprecation.

closes elastic#83251
@mark-vieira mark-vieira added v8.2.0 and removed v8.1.0 labels Feb 2, 2022
pgomulka added a commit that referenced this issue Jun 14, 2022
The dataset value for all ES logs are prefixed with elasticsearch + log
type. Like elasticsearch.server. Deprecation log had it reverted
deprecation.elasticsearch
This commit renames the dataset for deprecation logs to
`elasticsearch.deprecation.

closes #83251
@pgomulka pgomulka reopened this Jun 20, 2022
pgomulka added a commit that referenced this issue Jun 20, 2022
@pgomulka
Copy link
Contributor Author

pgomulka commented Jun 21, 2022

I spoke with @qhoxie and we agreed that the >bug label has to be discussed before we continue with this change as it might be breaking.
I was hoping to change both event.dataset and data_stream.dataset to elasticsearch.deprecation.

We index deprecation to datastream by default and the datastream name is .logs-deprecation-elasticsearch.default which follow the pattern:

{type}-{dataset}-{namespace},
type = .logs
dataset = deprecation.{product} (e.g. `elasticsearch`)
namespace = default

@ruflin you did mention here that

The data_stream.dataset value in the document must always match the {dataset} part of the data stream,

  1. would changing data_stream.dataset be breaking the convention you mentioned?
  2. would changing event.dataset be a problem? We already have an override in filebeat for this field https://github.com/elastic/beats/pull/30018/files#r794578451

cc @pugnascotia

@ruflin
Copy link
Contributor

ruflin commented Jun 21, 2022

  1. I assume you would also change the target data stream which becomes logs-elasticsearch.deprecation-default? So you MUST change the data_stream.dataset field.
  2. You can look at this in 2 ways. For the Beats data collection, I don't think it is a problem as the outcome is identical. Lets assume you use another tool for data collection, now you would suddenly have a different value which is not great. At the same time not sure if this is common use case we need to cater for.

@pgomulka
Copy link
Contributor Author

pgomulka commented Jun 22, 2022

I also confirmed with Kibana team and they do not use dataset = deprecation.{product} pattern
In fact they use event.dataset : kibana.log which is similar to what this issue is trying to do. There is no separate deprecation log in kibana.
https://github.com/elastic/beats/blob/main/filebeat/module/kibana/log/test/log.830.log-expected.json#L4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
>breaking >bug :Core/Infra/Logging Log management and logging utilities Team:Core/Infra Meta label for core/infra team v8.0.0 v9.0.0
Projects
None yet