[Filebeat] Replace copy_from with templated value #26631

Merged
merged 4 commits into from
Jul 6, 2021

andrewkroh
Member

@andrewkroh andrewkroh commented Jun 30, 2021

What does this PR do?

To ensure compatibility with Elasticsearch versions <7.13 this removes usage of copy_from in set processors.

Why is it important?

This will make some modules work with earlier Elasticsearch versions.

Checklist

  • My code follows the style guidelines of this project
    - [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

To ensure compatibility with Elasticsearch versions <7.13 this removes usage of `copy_from` in `set` processors.

Relates elastic#26629
@andrewkroh andrewkroh added bug Filebeat Filebeat Team:Security-External Integrations backport-v7.13.0 Automated backport with mergify backport-v7.14.0 Automated backport with mergify labels Jun 30, 2021
@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Jun 30, 2021
@andrewkroh
Member Author

@adriansr I opened this to manually remove copy_from. Would you want to help me with this by pushing a change for the two you mention in #26593 (comment)?

@andrewkroh
Member Author

We should probably put a check in place to catch the introduction of copy_from in the future. I'm just not sure where that should go.
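
A check of the kind suggested in the comment above could look like the following. This is an added example, not code from the Beats repository or from the PR authors: `findCopyFrom`, `checkPipeline` and the sample pipeline are hypothetical names and constructed data. It assumes the pipeline is available as JSON (the modules' `pipeline.yml` files would need YAML decoding first) and covers processor-level `on_failure` and `foreach` nesting only.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample pipeline, not taken from the Beats repository.
const samplePipeline = `{"processors": [
  {"set": {"field": "event.kind", "value": "event"}},
  {"set": {"field": "source.ip", "copy_from": "client.ip"}},
  {"foreach": {"field": "items", "processor":
    {"set": {"field": "_ingest._value.id", "copy_from": "_ingest._value.key"}}}},
  {"rename": {"field": "a", "target_field": "b", "on_failure": [
    {"set": {"field": "error.message", "copy_from": "error.reason"}}]}}
]}`

// findCopyFrom returns the path of every set processor that uses copy_from,
// descending into on_failure handlers and the processor wrapped by foreach.
func findCopyFrom(procs []interface{}, prefix string) []string {
	var hits []string
	for i, p := range procs {
		entry, _ := p.(map[string]interface{})
		for name, raw := range entry { // each entry has one key: the processor type
			cfg, _ := raw.(map[string]interface{})
			path := fmt.Sprintf("%s[%d].%s", prefix, i, name)
			if _, found := cfg["copy_from"]; found && name == "set" {
				hits = append(hits, path)
			}
			if nested, ok := cfg["on_failure"].([]interface{}); ok {
				hits = append(hits, findCopyFrom(nested, path+".on_failure")...)
			}
			if inner, ok := cfg["processor"].(map[string]interface{}); ok {
				hits = append(hits, findCopyFrom([]interface{}{inner}, path+".processor")...)
			}
		}
	}
	return hits
}

// checkPipeline parses a JSON pipeline and lists its copy_from usages.
func checkPipeline(doc string) ([]string, error) {
	var pl struct{ Processors []interface{} }
	if err := json.Unmarshal([]byte(doc), &pl); err != nil {
		return nil, err
	}
	return findCopyFrom(pl.Processors, "processors"), nil
}

func main() { fmt.Println(checkPipeline(samplePipeline)) }
```

Run as a test over every module pipeline, a non-empty result would fail the build and name the offending processor by path.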

@elasticmachine
Collaborator

elasticmachine commented Jun 30, 2021

💚 Build Succeeded

Build stats

  • Build Cause: andrewkroh commented: run tests

  • Start Time: 2021-07-06T03:13:20.310+0000

  • Duration: 92 min 7 sec

  • Commit: b1929b7

Test stats 🧪

Test Results
Failed 0
Passed 14209
Skipped 2312
Total 16521

💚 Flaky test report

Tests succeeded.

adriansr added 2 commits July 1, 2021 13:03
Replaces the usage of a set processor with copy_from (ES 7.13+)
with a painless script that performs the same operation and is
backwards compatible.
This updates the ID-mapping script to set fields instead of constructing
an op-list that is later processed with foreach/set.
@andrewkroh andrewkroh marked this pull request as ready for review July 1, 2021 15:14
@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@andrewkroh
Member Author

Thanks @adriansr. LGTM

Co-authored-by: Adrian Serrano <adrisr83@gmail.com>
@legoguy1000
Contributor

legoguy1000 commented Jul 6, 2021

Instead of actually updating the pipelines themselves, why not add an additional function to automatically change the processor if connecting to an older version of ES? What was just merged in #26676

filebeat/fileset/compatibility.go

	{
		procType: "set",
		checkVersion: func(esVersion *common.Version) bool {
			// copy_from is only supported by the set processor from ES 7.13.
			return esVersion.LessThan(common.MustNewVersion("7.13.0"))
		},
		adaptConfig: replaceSetCopyFrom,
	},
// replaceSetCopyFrom replaces the copy_from option with a templated value
// so ES less than 7.13 will work.
func replaceSetCopyFrom(config map[string]interface{}, log *logp.Logger) compatAction {
	valueField, ok := config["copy_from"].(string)
	if !ok {
		return keepProcessor
	}

	log.Debug("Removing unsupported 'copy_from' from set processor.")
	delete(config, "copy_from")

	// Drop any existing value; it is replaced by the template below.
	delete(config, "value")

	// Triple braces render the source field without escaping.
	newValue := "{{{" + valueField + "}}}"
	log.Debugf("Adding value %s to replace 'copy_from' in set processor.", newValue)
	config["value"] = newValue
	return keepProcessor
}

@andrewkroh
Member Author

@legoguy1000 We considered that approach in #26593, but during review we identified some edge cases that we couldn't handle by automatic rewriting.

@andrewkroh
Member Author

run tests

@legoguy1000
Contributor

> @legoguy1000 We considered that approach in #26593, but during review we identified some edge cases that we couldn't handle by automatic rewriting.

Does the templated value not work with objects?

@andrewkroh
Member Author

It will run, but the behavior is not the same as with copy_from. You end up with a string instead of an object.

@andrewkroh andrewkroh merged commit a7b0110 into elastic:master Jul 6, 2021
mergify bot pushed a commit that referenced this pull request Jul 6, 2021
* Replace copy_from with templated value

To ensure compatibility with Elasticsearch versions <7.13 this removes usage of `copy_from` in `set` processors.

Relates #26629

* panw: replace copy_from usage with script

Replaces the usage of a set processor with copy_from (ES 7.13+)
with a painless script that performs the same operation and is
backwards compatible.

* cyberarkpas: Replace usage of copy_from with script

This updates the ID-mapping script to set fields instead of constructing
an op-list that is later processed with foreach/set.

* Update CHANGELOG.next.asciidoc

Co-authored-by: Adrian Serrano <adrisr83@gmail.com>

Co-authored-by: Adrian Serrano <adrisr83@gmail.com>
(cherry picked from commit a7b0110)

# Conflicts:
#	x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
#	x-pack/filebeat/module/threatintel/abuseurl/ingest/pipeline.yml
#	x-pack/filebeat/module/threatintel/anomali/ingest/pipeline.yml
#	x-pack/filebeat/module/threatintel/anomalithreatstream/ingest/pipeline.yml
#	x-pack/filebeat/module/threatintel/misp/ingest/pipeline.yml
#	x-pack/filebeat/module/threatintel/otx/ingest/pipeline.yml
#	x-pack/filebeat/module/threatintel/recordedfuture/ingest/pipeline.yml
#	x-pack/filebeat/module/zoom/webhook/ingest/meeting.yml
mergify bot pushed a commit that referenced this pull request Jul 6, 2021
andrewkroh added a commit that referenced this pull request Jul 7, 2021

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
v1v added a commit to v1v/beats that referenced this pull request Jul 8, 2021
@andrewkroh
Member Author

@Mergifyio backport 7.x

mergify bot pushed a commit that referenced this pull request Jul 19, 2021
@mergify
Contributor

mergify bot commented Jul 19, 2021

Command backport 7.x: success

Backports have been created

andrewkroh added a commit that referenced this pull request Jul 20, 2021

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>