Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[filebeat/netflow]: set event normalisation to true #38780

Conversation

pkoutsovasilis
Copy link
Contributor

@pkoutsovasilis pkoutsovasilis commented Apr 9, 2024

Proposed commit message

This PR enables event normalisation for netflow input and solves this this issue. Specifically the netflow input in 8.13 had a refactor to transition to plugin.V2 and during this it was deemed as safe to disable event normalisation and thus improve the performance. However the produced events contain ip fields that cause similar errors to this following without normalisation enabled

Apr 02 13:57:11 tv filebeat[597]: {"log.level":"warn","@timestamp":"2024-04-02T13:57:11.590Z","log.logger":"elasticsearch","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/outputs/elasticsearch.(*Client).bulkCollectPublishFails","file.name":"elasticsearch/client.go","file.line":454},"message":"Cannot index event (status=400): dropping event! Enable debug logs to view the event and cause.","service.name":"filebeat","ecs.version":"1.6.0"}

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

N/A

How to test this PR locally

Follow the steps in the issue #38703

Related issues

Use cases

Screenshots

N/A

Logs

N/A

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Apr 9, 2024
Copy link
Contributor

mergify bot commented Apr 9, 2024

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @pkoutsovasilis? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

Copy link
Contributor

mergify bot commented Apr 9, 2024

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b pkoutsovasilis/fix_netflow_event_normalisation upstream/pkoutsovasilis/fix_netflow_event_normalisation
git merge upstream/main
git push upstream pkoutsovasilis/fix_netflow_event_normalisation

@pkoutsovasilis pkoutsovasilis added bug Team:Security-Deployment and Devices Deployment and Devices Team in Security Solution backport-v8.13.0 Automated backport with mergify labels Apr 9, 2024
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Apr 9, 2024
@pkoutsovasilis pkoutsovasilis force-pushed the pkoutsovasilis/fix_netflow_event_normalisation branch from db5cd03 to a3d70d5 Compare April 9, 2024 08:56
@pkoutsovasilis pkoutsovasilis marked this pull request as ready for review April 9, 2024 08:56
@pkoutsovasilis pkoutsovasilis requested a review from a team as a code owner April 9, 2024 08:56
@elasticmachine
Copy link
Collaborator

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

@elasticmachine
Copy link
Collaborator

elasticmachine commented Apr 9, 2024

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Duration: 134 min 3 sec

❕ Flaky test report

No test was executed to be analysed.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@pkoutsovasilis pkoutsovasilis merged commit 2f5ee74 into elastic:main Apr 10, 2024
62 of 63 checks passed
@pkoutsovasilis pkoutsovasilis deleted the pkoutsovasilis/fix_netflow_event_normalisation branch April 10, 2024 06:14
mergify bot pushed a commit that referenced this pull request Apr 10, 2024
* fix(input/netflow): revert event normalisation to true for netflow input

* doc: update CHANGELOG.next.asciidoc

* fix: update fields.asciidoc (unrelated to this work)

* doc: remove irrelevant comment

(cherry picked from commit 2f5ee74)
pkoutsovasilis added a commit that referenced this pull request Apr 10, 2024
…o true (#38802)

* [filebeat/netflow]: set event normalisation to true (#38780)

* fix(input/netflow): revert event normalisation to true for netflow input

* doc: update CHANGELOG.next.asciidoc

* fix: update fields.asciidoc (unrelated to this work)

* doc: remove irrelevant comment

(cherry picked from commit 2f5ee74)

* doc: remove irrelevant changes from CHANGELOG.next.asciidoc

---------

Co-authored-by: Panos Koutsovasilis <panos.koutsovasilis@elastic.co>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport-v8.13.0 Automated backport with mergify bug Team:Security-Deployment and Devices Deployment and Devices Team in Security Solution
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants