[Automatic Import] Better recognize (ND)JSON formats and send samplesFormat to the backend #190588
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ilyannn
added
Team:Security-Scalability
ilyannn
changed the title
…a into auto-import/json-or-ndjson
|
Pinging @elastic/security-scalability (Team:Security-Scalability) |
ilyannn
added
the
release_note:skip
P1llus
reviewed
Aug 19, 2024
x-pack/plugins/integration_assistant/server/integration_builder/data_stream.ts
Outdated
Show resolved
Hide resolved
bhapas
reviewed
Aug 19, 2024
x-pack/plugins/integration_assistant/common/api/model/common_attributes.schema.yaml
Outdated
Show resolved
Hide resolved
x-pack/plugins/integration_assistant/common/api/model/common_attributes.ts
Outdated
Show resolved
Hide resolved
...e_integration/create_integration_assistant/steps/data_stream_step/sample_logs_input.test.tsx
Show resolved
Hide resolved
…a into auto-import/json-or-ndjson
bhapas
reviewed
Aug 20, 2024
x-pack/plugins/integration_assistant/common/api/model/common_attributes.ts
Show resolved
Hide resolved
|
@elasticmachine merge upstream |
ilyannn
commented
Aug 20, 2024
...create_integration/create_integration_assistant/steps/data_stream_step/sample_logs_input.tsx
Show resolved
Hide resolved
x-pack/plugins/integration_assistant/server/integration_builder/data_stream.ts
Outdated
Show resolved
Hide resolved
ilyannn
commented
Aug 20, 2024
...n_assistant/public/components/create_integration/create_integration_assistant/mocks/state.ts
Show resolved
Hide resolved
ilyannn
changed the title
ilyannn
added
release_note:enhancement
and removed
release_note:skip
ilyannn
changed the title
bhapas
reviewed
Aug 21, 2024
x-pack/plugins/integration_assistant/common/api/model/common_attributes.ts
Outdated
Show resolved
Hide resolved
...n_assistant/public/components/create_integration/create_integration_assistant/mocks/state.ts
Show resolved
Hide resolved
.../create_integration/create_integration_assistant/steps/deploy_step/use_deploy_integration.ts
Show resolved
Hide resolved
x-pack/plugins/integration_assistant/server/integration_builder/data_stream.ts
Outdated
Show resolved
Hide resolved
haetamoudi
reviewed
Aug 21, 2024
...e_integration/create_integration_assistant/steps/data_stream_step/sample_logs_input.test.tsx
Show resolved
Hide resolved
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]Public APIs missing comments
Async chunks
History
To update your PR or re-run it, just comment with: cc @ilyannn |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Aug 22, 2024
…Format to the backend (elastic#190588) ## Summary This adds a `samplesFormat` group to the API. This group is filled out by the frontend when parsing the provided samples and used to set the log parsing specification for the produced integration. We check this parameter to add toggle to support multiline newline-delimited JSON in the filestream input. ## Release note Automatic Import now supports the 'multiline newline-delimited JSON' log sample format for the Filestream input. ## Detailed Explanation We add the optional `samplesFormat` group to the API, consisting of - `name`, - (optional) `multiline`, - and (optional) `json_path`. Example values of this parameter: - `{ name: 'ndjson', multiline: false }` for a newline-delimited JSON, known as [NDJSON](https://github.com/ndjson/ndjson-spec) (where each entry only takes one line) - `{ name: 'ndjson', multiline: true }` for newline-delimited JSON where each entry can span multiline lines - `{ name: 'json', json_path: [] }` for valid JSON with the structure `[{"key": "message1"}, {"key": "message2"}]` - `{ name: 'json', json_path: ['events'] }` for valid JSON with the structure `{"events": [{"key": "message1"}, {"key": "message2"}]}` The `json_path` parameter is only relevant for `name: 'json'` and refers to the path in the original JSON to the array representing the events to ingest. Currently only one level is recognized: Not all combinations of a log format with input type will work; more supported combinations as well as better user feedback on unsupported combinations will come later (see elastic/security-team#10290). In this PR we add support for the multiline NDJSON format for the `fileinput` input type. This support comes in the form of the user-changeable toggle under "Advanced Settings" that will be set to on in cases where we multiline NDJSON format --------- Co-authored-by: Marius Iversen <marius.iversen@elastic.co> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> (cherry picked from commit 2a8b6d0)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Aug 22, 2024
…samplesFormat to the backend (#190588) (#191040) # Backport This will backport the following commits from `main` to `8.15`: - [[Automatic Import] Better recognize (ND)JSON formats and send samplesFormat to the backend (#190588)](#190588) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Ilya Nikokoshev","email":"ilya.nikokoshev@elastic.co"},"sourceCommit":{"committedDate":"2024-08-22T01:25:12Z","message":"[Automatic Import] Better recognize (ND)JSON formats and send samplesFormat to the backend (#190588)\n\n## Summary\r\n\r\nThis adds a `samplesFormat` group to the API. This group is filled out\r\nby the frontend when parsing the provided samples and used to set the\r\nlog parsing specification for the produced integration.\r\n\r\nWe check this parameter to add toggle to support multiline\r\nnewline-delimited JSON in the filestream input.\r\n\r\n## Release note\r\n\r\nAutomatic Import now supports the 'multiline newline-delimited JSON' log\r\nsample format for the Filestream input.\r\n\r\n## Detailed Explanation\r\n\r\nWe add the optional `samplesFormat` group to the API, consisting of \r\n - `name`, \r\n - (optional) `multiline`, \r\n - and (optional) `json_path`.\r\n\r\nExample values of this parameter:\r\n\r\n- `{ name: 'ndjson', multiline: false }` for a newline-delimited JSON,\r\nknown as [NDJSON](https://github.com/ndjson/ndjson-spec) (where each\r\nentry only takes one line)\r\n- `{ name: 'ndjson', multiline: true }` for newline-delimited JSON where\r\neach entry can span multiline lines\r\n- `{ name: 'json', json_path: [] }` for valid JSON with the structure\r\n`[{\"key\": \"message1\"}, {\"key\": \"message2\"}]`\r\n- `{ name: 'json', json_path: ['events'] }` for valid JSON with the\r\nstructure `{\"events\": [{\"key\": \"message1\"}, {\"key\": \"message2\"}]}`\r\n\r\nThe `json_path` parameter is only relevant for `name: 'json'` and refers\r\nto the path in the original JSON to the array representing the events to\r\ningest. Currently only one level is recognized:\r\n\r\nNot all combinations of a log format with input type will work; more\r\nsupported combinations as well as better user feedback on unsupported\r\ncombinations will come later (see\r\nhttps://github.com/elastic/security-team/issues/10290).\r\n\r\nIn this PR we add support for the multiline NDJSON format for the\r\n`fileinput` input type. This support comes in the form of the\r\nuser-changeable toggle under \"Advanced Settings\" that will be set to on\r\nin cases where we multiline NDJSON format\r\n\r\n---------\r\n\r\nCo-authored-by: Marius Iversen <marius.iversen@elastic.co>\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"2a8b6d0a4490fbf09ccd3d03ab1b3a1fcfa9ec1c","branchLabelMapping":{"^v8.16.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","backport:prev-minor","v8.16.0","Team:Security-Scalability"],"title":"[Automatic Import] Better recognize (ND)JSON formats and send samplesFormat to the backend","number":190588,"url":"https://github.com/elastic/kibana/pull/190588","mergeCommit":{"message":"[Automatic Import] Better recognize (ND)JSON formats and send samplesFormat to the backend (#190588)\n\n## Summary\r\n\r\nThis adds a `samplesFormat` group to the API. This group is filled out\r\nby the frontend when parsing the provided samples and used to set the\r\nlog parsing specification for the produced integration.\r\n\r\nWe check this parameter to add toggle to support multiline\r\nnewline-delimited JSON in the filestream input.\r\n\r\n## Release note\r\n\r\nAutomatic Import now supports the 'multiline newline-delimited JSON' log\r\nsample format for the Filestream input.\r\n\r\n## Detailed Explanation\r\n\r\nWe add the optional `samplesFormat` group to the API, consisting of \r\n - `name`, \r\n - (optional) `multiline`, \r\n - and (optional) `json_path`.\r\n\r\nExample values of this parameter:\r\n\r\n- `{ name: 'ndjson', multiline: false }` for a newline-delimited JSON,\r\nknown as [NDJSON](https://github.com/ndjson/ndjson-spec) (where each\r\nentry only takes one line)\r\n- `{ name: 'ndjson', multiline: true }` for newline-delimited JSON where\r\neach entry can span multiline lines\r\n- `{ name: 'json', json_path: [] }` for valid JSON with the structure\r\n`[{\"key\": \"message1\"}, {\"key\": \"message2\"}]`\r\n- `{ name: 'json', json_path: ['events'] }` for valid JSON with the\r\nstructure `{\"events\": [{\"key\": \"message1\"}, {\"key\": \"message2\"}]}`\r\n\r\nThe `json_path` parameter is only relevant for `name: 'json'` and refers\r\nto the path in the original JSON to the array representing the events to\r\ningest. Currently only one level is recognized:\r\n\r\nNot all combinations of a log format with input type will work; more\r\nsupported combinations as well as better user feedback on unsupported\r\ncombinations will come later (see\r\nhttps://github.com/elastic/security-team/issues/10290).\r\n\r\nIn this PR we add support for the multiline NDJSON format for the\r\n`fileinput` input type. This support comes in the form of the\r\nuser-changeable toggle under \"Advanced Settings\" that will be set to on\r\nin cases where we multiline NDJSON format\r\n\r\n---------\r\n\r\nCo-authored-by: Marius Iversen <marius.iversen@elastic.co>\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"2a8b6d0a4490fbf09ccd3d03ab1b3a1fcfa9ec1c"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/190588","number":190588,"mergeCommit":{"message":"[Automatic Import] Better recognize (ND)JSON formats and send samplesFormat to the backend (#190588)\n\n## Summary\r\n\r\nThis adds a `samplesFormat` group to the API. This group is filled out\r\nby the frontend when parsing the provided samples and used to set the\r\nlog parsing specification for the produced integration.\r\n\r\nWe check this parameter to add toggle to support multiline\r\nnewline-delimited JSON in the filestream input.\r\n\r\n## Release note\r\n\r\nAutomatic Import now supports the 'multiline newline-delimited JSON' log\r\nsample format for the Filestream input.\r\n\r\n## Detailed Explanation\r\n\r\nWe add the optional `samplesFormat` group to the API, consisting of \r\n - `name`, \r\n - (optional) `multiline`, \r\n - and (optional) `json_path`.\r\n\r\nExample values of this parameter:\r\n\r\n- `{ name: 'ndjson', multiline: false }` for a newline-delimited JSON,\r\nknown as [NDJSON](https://github.com/ndjson/ndjson-spec) (where each\r\nentry only takes one line)\r\n- `{ name: 'ndjson', multiline: true }` for newline-delimited JSON where\r\neach entry can span multiline lines\r\n- `{ name: 'json', json_path: [] }` for valid JSON with the structure\r\n`[{\"key\": \"message1\"}, {\"key\": \"message2\"}]`\r\n- `{ name: 'json', json_path: ['events'] }` for valid JSON with the\r\nstructure `{\"events\": [{\"key\": \"message1\"}, {\"key\": \"message2\"}]}`\r\n\r\nThe `json_path` parameter is only relevant for `name: 'json'` and refers\r\nto the path in the original JSON to the array representing the events to\r\ningest. Currently only one level is recognized:\r\n\r\nNot all combinations of a log format with input type will work; more\r\nsupported combinations as well as better user feedback on unsupported\r\ncombinations will come later (see\r\nhttps://github.com/elastic/security-team/issues/10290).\r\n\r\nIn this PR we add support for the multiline NDJSON format for the\r\n`fileinput` input type. This support comes in the form of the\r\nuser-changeable toggle under \"Advanced Settings\" that will be set to on\r\nin cases where we multiline NDJSON format\r\n\r\n---------\r\n\r\nCo-authored-by: Marius Iversen <marius.iversen@elastic.co>\r\nCo-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>","sha":"2a8b6d0a4490fbf09ccd3d03ab1b3a1fcfa9ec1c"}}]}] BACKPORT--> Co-authored-by: Ilya Nikokoshev <ilya.nikokoshev@elastic.co>
2 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This adds a
samplesFormatgroup to the API. This group is filled out by the frontend when parsing the provided samples and used to set the log parsing specification for the produced integration.We check this parameter to add toggle to support multiline newline-delimited JSON in the
filestreaminput.Closes https://github.com/elastic/security-team/issues/10277
Release note
Automatic Import now supports the 'multiline newline-delimited JSON' log sample format for the Filestream input.
Detailed Explanation
We add the optional
samplesFormatgroup to the API, consisting ofname,multiline,json_path.Example values of this parameter:
{ name: 'ndjson', multiline: false }for a newline-delimited JSON, known as NDJSON (where each entry only takes one line){ name: 'ndjson', multiline: true }for newline-delimited JSON where each entry can span multiline lines{ name: 'json', json_path: [] }for valid JSON with the structure[{"key": "message1"}, {"key": "message2"}]{ name: 'json', json_path: ['events'] }for valid JSON with the structure{"events": [{"key": "message1"}, {"key": "message2"}]}The
json_pathparameter is only relevant forname: 'json'and refers to the path in the original JSON to the array representing the events to ingest. Currently only one level is recognized:Not all combinations of a log format with input type will work; more supported combinations as well as better user feedback on unsupported combinations will come later (see https://github.com/elastic/security-team/issues/10290).
In this PR we add support for the multiline NDJSON format for the
fileinputinput type. This support comes in the form of the user-changeable toggle under "Advanced Settings" that will be set to on in cases where we multiline NDJSON formatExample with the Crowdstrike Falcon Events integration (toggle is present, and defaults to on):
Log sample file
Checklist
Note we do not provide i18n support for texts within the integration:
Risk Matrix
None identified.
For maintainers