Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] Changes to text fields in elasticsearch module #10414

Merged
merged 7 commits into from
Jan 31, 2019
Merged

[Filebeat] Changes to text fields in elasticsearch module #10414

merged 7 commits into from
Jan 31, 2019

Conversation

ycombinator
Copy link
Contributor

@ycombinator ycombinator commented Jan 29, 2019
edited
Loading

This PR is an offshoot of conversations and decisions made in #10372 w.r.t text fields, but scoped to the elasticsearch module.

@ycombinator ycombinator requested review from a team as code owners January 29, 2019 19:02
@elasticmachine
Copy link
Collaborator

Pinging @elastic/stack-monitoring

@ycombinator ycombinator mentioned this pull request Jan 29, 2019
Closed
@ycombinator ycombinator changed the title WIP: [Filebeat] Changes to text fields in stack modules [Filebeat] Changes to text fields in elasticsearch module Jan 29, 2019
@ycombinator ycombinator added review and removed in progress Pull request is currently in progress. labels Jan 29, 2019
@ycombinator ycombinator requested review from webmat and ruflin January 29, 2019 19:29
@ycombinator
Copy link
Contributor Author

jenkins, test this

ruflin
ruflin reviewed Jan 30, 2019
View reviewed changes
Copy link
Contributor

@ruflin ruflin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changelog?

filebeat/module/elasticsearch/slowlog/ingest/pipeline.json Show resolved Hide resolved
filebeat/module/elasticsearch/slowlog/test/auditlog_index_indexing_slowlog.log-expected.json Outdated
@@ -9,7 +9,6 @@
"elasticsearch.slowlog.logger": "index.indexing.slowlog.index",
"elasticsearch.slowlog.routing": "",
"elasticsearch.slowlog.source_query": "{\"@timestamp\":\"2018-07-04T21:50:40.799Z\",\"metricset\":{\"module\":\"system\",\"rtt\":9610,\"name\":\"network\"},\"system\":{\"network\":{\"name\":\"bridg\",\"in\":{\"packets\":0,\"errors\":0,\"dropped\":0,\"bytes\":0},\"out\":{\"errors\":0,\"dropped\":0,\"packets\":1,\"bytes\":342}}},\"beat\":{\"name\":\"Rados-MacBook-Pro.local\",\"hostname\":\"Rados-MacBook-Pro.local\",\"version\":\"6.3.0\"},\"host\":{\"name\":\"Rados-MacBook-Pro.local\"}}",
"elasticsearch.slowlog.took": "221micros",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One thing I spot now: Below the message fields seems to contain everything including timestamp. Is that expected?

For the took. The plan is to extract the unit later or just remove it?

Copy link
Contributor Author

@ycombinator ycombinator Jan 30, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't follow your question about the message field?

For the took, I think we should just the unit as we already have the actual numeric value in ms, which seems more useful? BTW, this is something we're doing in the case of the elasticsearch/server fileset as well:

beats/filebeat/module/elasticsearch/server/ingest/pipeline.json

Line 52 in 9d8de3e

"elasticsearch.server.gc.collection_duration.unit",

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The point about message is that once the header has been parsed and moved to other fields, only the rest of the message should be left in message.

Right now, the message fields looks like an event.original, which is meant to contain the pristine initial copy of the event (if the user wants this).

For the took field, I would keep it until we're ready to interpret it, no? Right now event.duration is based on the took_millis (removed by the pipeline), for simplicity, which is often rounded to 0ms. Elasticsearch is too fast. But I think it's worth keeping the custom field with the more precise timing until we can leverage it better (or until the ES log format gives us nanoseconds).

webmat
webmat suggested changes Jan 30, 2019
View reviewed changes
Copy link
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm good with the text field changes.

However I'd keep the took custom field.

@ycombinator
Copy link
Contributor Author

Alrighty, brought back the took field, this time as a keyword. @webmat @ruflin this is ready for another round of review, when you get a chance. Thanks!

webmat
webmat approved these changes Jan 30, 2019
View reviewed changes
Copy link
Contributor

@webmat webmat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code LGTM

You just need to update fields.go accordingly :-)

@ycombinator
Copy link
Contributor Author

jenkins, test this

@ycombinator
Copy link
Contributor Author

jenkins, test this

@ycombinator ycombinator merged commit 33b789c into elastic:master Jan 31, 2019
@ycombinator ycombinator deleted the fb-ecs-text-fields branch January 31, 2019 05:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ruflin ruflin ruflin left review comments

@cachedout cachedout cachedout approved these changes

@webmat webmat webmat approved these changes

Assignees
No one assigned
Labels
ecs Feature:Stack Monitoring Filebeat Filebeat module review v7.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ycombinator @elasticmachine @webmat @cachedout @ruflin