Make fields.yml part of the binary #4834
Conversation
ruflin
added
discuss
|
I think we need to move into the direction where we no longer concatenate all the module's Note sure if this is conflicting or is just orthogonal with this PR, but I wanted us to keep that in mind during the discussion. |
|
I like the idea of having the "partial" fields.yml locally. The main thing that I see as a blocker to load partial mappings is that with ES 6.0 inheritance of templates was removed. This means if someone starts with the mysql module and then adds the redis module one large template with a new index would have to be used. One way out of this would be to have one index per module. |
ruflin
force-pushed
the
add-fields-to-package
branch
from
6d253db to
c1608d7
Compare
ruflin
force-pushed
the
add-fields-to-package
branch
2 times, most recently
from
cdb2f60 to
9d391cb
Compare
|
@andrewkroh go-bindata causes an issue here as it does not generate with which goimports is happy. I remember you had your own implementation of loading file data. Can you point me to it again? |
|
It's over in elastic/go-libaudit. |
ruflin
force-pushed
the
add-fields-to-package
branch
from
c99b111 to
2c4978f
Compare
|
@andrewkroh Thanks. I took your implementation and modified it a bit to be used here. |
ruflin
added
libbeat
review
and removed
discuss
|
@ruflin There's a probably related test failure here: https://travis-ci.org/elastic/beats/jobs/285439037#L1872 |
|
I was thinking of removing |
ruflin
force-pushed
the
add-fields-to-package
branch
from
2c4978f to
bdc0d8b
Compare
|
@tsg Have a look again, tests should be fixed. Travis failure is related to elastic/logstash#8456 |
filebeat/include/fields.go
Outdated
| ) | ||
|
|
||
| func init() { | ||
| if err := assets.AddFields("fields.yml", Asset); err != nil { |
There was a problem hiding this comment.
If two Beats were combined into the same process would this still work?
There was a problem hiding this comment.
The AddFields would work as currently the name is not used at all internally. What would cause problems is that the fields from libbeat would be duplicated. For now I kept the fields.yml exactly as it is and a 1-1 copy is added to each file. For some long terms ideas like splitting up for libbeat or modules, see PR description.
There was a problem hiding this comment.
I was thinking that you would want the fields from each Beat to be stored independently such that each template (from asset.GetFields) contains only the fields for that Beat. But maybe that is moot if all beats in one process share a single output (not sure how that would work).
There was a problem hiding this comment.
It's definitively a valid point but I would ignore it for now.
libbeat/cmd/instance/beat.go
Outdated
| @@ -147,6 +148,7 @@ func NewBeat(name, indexPrefix, v string) (*Beat, error) { | |||
| Hostname: hostname, | |||
| UUID: uuid.NewV4(), | |||
| }, | |||
| Fields: assets.GetFields(), | |||
There was a problem hiding this comment.
Maybe the beat name could be a param? (thinking of two beats in the same process)
There was a problem hiding this comment.
Are you thinking it cause some issues with the collectbeat from @vjsamuel ? Did not think about that TBH.
| @@ -237,7 +237,7 @@ func TestOverwrite(t *testing.T) { | |||
| Enabled: true, | |||
| Fields: absPath + "/fields.yml", | |||
| }) | |||
| loader, err := NewLoader(config, client, beatInfo) | |||
| loader, err := NewLoader(config, client, beatInfo, []byte{}) | |||
There was a problem hiding this comment.
Can you pass nil instead of allocating an empty slice?
libbeat/template/template.go
Outdated
| func load(cfg *ucfg.Config) (common.Fields, error) { | ||
| keys := []common.Field{} | ||
|
|
||
| cfg.Unpack(&keys) |
libbeat/template/template.go
Outdated
| } | ||
|
|
||
| func load(cfg *ucfg.Config) (common.Fields, error) { | ||
| keys := []common.Field{} |
There was a problem hiding this comment.
If you use var keys common.Field will Unpack allocate this for you?
There was a problem hiding this comment.
tested and seems to work.
|
Just a few notes from discussion: You could auto-detect if You might want to compress the fields.yml data internally and then extract it on first use. |
ruflin
added
in progress
ruflin
force-pushed
the
add-fields-to-package
branch
from
b75405c to
e8de18d
Compare
ruflin
force-pushed
the
add-fields-to-package
branch
from
e8de18d to
11b63a2
Compare
winlogbeat/include/fields.go
Outdated
| } | ||
| } | ||
|
|
||
| func Asset() ([]byte, error) { |
There was a problem hiding this comment.
exported function Asset should have comment or be unexported
packetbeat/include/fields.go
Outdated
| } | ||
| } | ||
|
|
||
| func Asset() ([]byte, error) { |
There was a problem hiding this comment.
exported function Asset should have comment or be unexported
libbeat/template/template.go
Outdated
| return output, nil | ||
| } | ||
|
|
||
| // Load the given input and generates the input based on it |
There was a problem hiding this comment.
comment on exported method Template.LoadBytes should be of the form "LoadBytes ..."
libbeat/template/load.go
Outdated
| } | ||
|
|
||
| func NewLoader(cfg *common.Config, client ESClient, beatInfo beat.Info) (*Loader, error) { | ||
| func NewLoader(cfg *common.Config, client ESClient, beatInfo beat.Info, fields []byte) (*Loader, error) { |
There was a problem hiding this comment.
exported function NewLoader should have comment or be unexported
libbeat/assets/registry.go
Outdated
| return nil | ||
| } | ||
|
|
||
| func GetFields() []byte { |
There was a problem hiding this comment.
exported function GetFields should have comment or be unexported
libbeat/assets/registry.go
Outdated
|
|
||
| var FieldsRegistry [][]byte | ||
|
|
||
| func AddFields(name string, asset func() ([]byte, error)) error { |
There was a problem hiding this comment.
exported function AddFields should have comment or be unexported
libbeat/assets/registry.go
Outdated
| @@ -0,0 +1,23 @@ | |||
| package assets | |||
|
|
|||
| var FieldsRegistry [][]byte | |||
There was a problem hiding this comment.
exported var FieldsRegistry should have comment or be unexported
heartbeat/include/fields.go
Outdated
| } | ||
| } | ||
|
|
||
| func Asset() ([]byte, error) { |
There was a problem hiding this comment.
exported function Asset should have comment or be unexported
filebeat/include/fields.go
Outdated
| } | ||
| } | ||
|
|
||
| func Asset() ([]byte, error) { |
There was a problem hiding this comment.
exported function Asset should have comment or be unexported
auditbeat/include/fields.go
Outdated
| } | ||
| } | ||
|
|
||
| func Asset() ([]byte, error) { |
There was a problem hiding this comment.
exported function Asset should have comment or be unexported
|
This PR is ready for an other round of reviews. |
ruflin
force-pushed
the
add-fields-to-package
branch
4 times, most recently
from
4f7db2d to
cd27521
Compare
|
jenkins, test this |
ruflin
force-pushed
the
add-fields-to-package
branch
5 times, most recently
from
f18e304 to
7c80fe0
Compare
|
One temporary issue of this change is that it will increase the PR conflicts every time fields are changed. But as soon as each module loads the fields locally, this should disappear again. |
Currently the fields.yml file is shipped as its own file and has to be place in the right directory to be used. As fields have become a central part of beats I suggest to make them part of the binary which will allow us to also split up the fields.yml inside the binary into multiple part (for example one per module) and use it for testing like fields checks. The behavior from the user perspective is as following: * By default internal `fields.yml` data is used * If `fields.yml` path is set in the config file, it is loaded from disk The golang files are generated when running `make update`. The content of fields.yml is stored as a compressed string. Each asset is currently prefixed by the Beat name. The current fields registry is a basic implementation that likely needs to be extended when we add fields per module or processors.
ruflin
force-pushed
the
add-fields-to-package
branch
from
7c80fe0 to
0861acf
Compare
|
|
||
| var tpl = template.Must(template.New("normalizations").Parse(` | ||
| // ${ES_BEATS}/dev-tools/cmd/asset/asset.go | ||
| // MACHINE GENERATED BY THE ABOVE COMMAND; DO NOT EDIT |
There was a problem hiding this comment.
This should be changed to Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT. Or something that matches this pattern golang/go#13560 (comment). Then tools like IntelliJ and golint will recognize it as being generated.
| @@ -4,6 +4,7 @@ import ( | |||
| "os" | |||
|
|
|||
| "{beat_path}/cmd" | |||
| _ "{beat_path}/include" | |||
There was a problem hiding this comment.
I think that unused imports should be separated into their own group and have a comment explaining it's existence. Similar to the golint warning, but golint exempts main packages.
|
@andrewkroh Will do a follow up PR with your requested changes. |
Follow up from review comments in elastic#4834
Follow up from review comments in #4834
Make fields.yml part of the binary Currently the fields.yml file is shipped as its own file and has to be place in the right directory to be used. As fields have become a central part of beats I suggest to make them part of the binary which will allow us to also split up the fields.yml inside the binary into multiple part (for example one per module) and use it for testing like fields checks.
Follow up from review comments in elastic#4834
Make fields.yml part of the binary Currently the fields.yml file is shipped as its own file and has to be place in the right directory to be used. As fields have become a central part of beats I suggest to make them part of the binary which will allow us to also split up the fields.yml inside the binary into multiple part (for example one per module) and use it for testing like fields checks.
Follow up from review comments in elastic#4834
Currently the fields.yml file is shipped as its own file and has to be place in the right directory to be used. As fields have become a central part of beats I suggest to make them part of the binary which will allow us to also split up the fields.yml inside the binary into multiple part (for example one per module) and use it for testing like fields checks.
The behavior from the user perspective is as following:
fields.ymldata is usedfields.ymlpath is set in the config file, it is loaded from diskThe golang files are generated when running
make update. The content of fields.yml is stored as a compressed string.Each asset is currently prefixed by the Beat name. The current fields registry is a basic implementation that likely needs to be extended when we add fields per module or processors.