-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Automatic Import] Handle the fields generated by grok processor before handling rename processor #194205
Labels
bug
Fixes for quality problems that affect the customer experience
Feature:AutomaticImport
Team:Security-Scalability
Team label for Security Integrations Scalability Team
Comments
bhapas
added
bug
Fixes for quality problems that affect the customer experience
Feature:AutomaticImport
Team:Security-Scalability
Team label for Security Integrations Scalability Team
labels
Sep 26, 2024
Pinging @elastic/security-scalability (Team:Security-Scalability) |
1 task
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Oct 3, 2024
…lastic#194727) ## Release Note Fixes a bug to resolve non-ecs compatible fields in Structured / Unstructured syslog processing in Automatic Import. ## Summary elastic#194205 explains the issue. This PR fixes `packageName.dataStreamName` for handling header values from grok processor for KV graph so that ecs mapping gets the header values in the converted json Samples too.. ### Before this PR ![image](https://github.com/user-attachments/assets/d2660f7d-2cca-413c-ab90-1a0f3e1b4a03) ### After this PR <img width="706" alt="image" src="https://github.com/user-attachments/assets/954b5a91-2123-46f9-b822-1709c3247901"> - Closes elastic#194205 ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit b38941b)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Oct 3, 2024
…lastic#194727) ## Release Note Fixes a bug to resolve non-ecs compatible fields in Structured / Unstructured syslog processing in Automatic Import. ## Summary elastic#194205 explains the issue. This PR fixes `packageName.dataStreamName` for handling header values from grok processor for KV graph so that ecs mapping gets the header values in the converted json Samples too.. ### Before this PR ![image](https://github.com/user-attachments/assets/d2660f7d-2cca-413c-ab90-1a0f3e1b4a03) ### After this PR <img width="706" alt="image" src="https://github.com/user-attachments/assets/954b5a91-2123-46f9-b822-1709c3247901"> - Closes elastic#194205 ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios (cherry picked from commit b38941b)
kibanamachine
added a commit
that referenced
this issue
Oct 3, 2024
…ssor (#194727) (#194792) # Backport This will backport the following commits from `main` to `8.15`: - [[Automatic Import] Fix Non-ecs compatible fields in grok processor (#194727)](#194727) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Bharat Pasupula","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-03T09:14:39Z","message":"[Automatic Import] Fix Non-ecs compatible fields in grok processor (#194727)\n\n## Release Note\r\n\r\nFixes a bug to resolve non-ecs compatible fields in Structured /\r\nUnstructured syslog processing in Automatic Import.\r\n\r\n## Summary\r\n\r\nhttps://github.com//issues/194205 explains the issue. \r\n\r\nThis PR fixes `packageName.dataStreamName` for handling header values\r\nfrom grok processor for KV graph so that ecs mapping gets the header\r\nvalues in the converted json Samples too..\r\n\r\n### Before this PR\r\n\r\n![image](https://github.com/user-attachments/assets/d2660f7d-2cca-413c-ab90-1a0f3e1b4a03)\r\n\r\n\r\n### After this PR\r\n\r\n<img width=\"706\" alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/954b5a91-2123-46f9-b822-1709c3247901\">\r\n\r\n\r\n- Closes https://github.com/elastic/kibana/issues/194205\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"b38941be7a253c80d426a49af806575ba15652a5","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","v9.0.0","backport:prev-major","Team:Security-Scalability","Feature:AutomaticImport"],"title":"[Automatic Import] Fix Non-ecs compatible fields in grok processor","number":194727,"url":"https://github.com/elastic/kibana/pull/194727","mergeCommit":{"message":"[Automatic Import] Fix Non-ecs compatible fields in grok processor (#194727)\n\n## Release Note\r\n\r\nFixes a bug to resolve non-ecs compatible fields in Structured /\r\nUnstructured syslog processing in Automatic Import.\r\n\r\n## Summary\r\n\r\nhttps://github.com//issues/194205 explains the issue. \r\n\r\nThis PR fixes `packageName.dataStreamName` for handling header values\r\nfrom grok processor for KV graph so that ecs mapping gets the header\r\nvalues in the converted json Samples too..\r\n\r\n### Before this PR\r\n\r\n![image](https://github.com/user-attachments/assets/d2660f7d-2cca-413c-ab90-1a0f3e1b4a03)\r\n\r\n\r\n### After this PR\r\n\r\n<img width=\"706\" alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/954b5a91-2123-46f9-b822-1709c3247901\">\r\n\r\n\r\n- Closes https://github.com/elastic/kibana/issues/194205\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"b38941be7a253c80d426a49af806575ba15652a5"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/194727","number":194727,"mergeCommit":{"message":"[Automatic Import] Fix Non-ecs compatible fields in grok processor (#194727)\n\n## Release Note\r\n\r\nFixes a bug to resolve non-ecs compatible fields in Structured /\r\nUnstructured syslog processing in Automatic Import.\r\n\r\n## Summary\r\n\r\nhttps://github.com//issues/194205 explains the issue. \r\n\r\nThis PR fixes `packageName.dataStreamName` for handling header values\r\nfrom grok processor for KV graph so that ecs mapping gets the header\r\nvalues in the converted json Samples too..\r\n\r\n### Before this PR\r\n\r\n![image](https://github.com/user-attachments/assets/d2660f7d-2cca-413c-ab90-1a0f3e1b4a03)\r\n\r\n\r\n### After this PR\r\n\r\n<img width=\"706\" alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/954b5a91-2123-46f9-b822-1709c3247901\">\r\n\r\n\r\n- Closes https://github.com/elastic/kibana/issues/194205\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"b38941be7a253c80d426a49af806575ba15652a5"}}]}] BACKPORT--> Co-authored-by: Bharat Pasupula <[email protected]>
kibanamachine
added a commit
that referenced
this issue
Oct 3, 2024
…sor (#194727) (#194793) # Backport This will backport the following commits from `main` to `8.x`: - [[Automatic Import] Fix Non-ecs compatible fields in grok processor (#194727)](#194727) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Bharat Pasupula","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-03T09:14:39Z","message":"[Automatic Import] Fix Non-ecs compatible fields in grok processor (#194727)\n\n## Release Note\r\n\r\nFixes a bug to resolve non-ecs compatible fields in Structured /\r\nUnstructured syslog processing in Automatic Import.\r\n\r\n## Summary\r\n\r\nhttps://github.com//issues/194205 explains the issue. \r\n\r\nThis PR fixes `packageName.dataStreamName` for handling header values\r\nfrom grok processor for KV graph so that ecs mapping gets the header\r\nvalues in the converted json Samples too..\r\n\r\n### Before this PR\r\n\r\n![image](https://github.com/user-attachments/assets/d2660f7d-2cca-413c-ab90-1a0f3e1b4a03)\r\n\r\n\r\n### After this PR\r\n\r\n<img width=\"706\" alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/954b5a91-2123-46f9-b822-1709c3247901\">\r\n\r\n\r\n- Closes https://github.com/elastic/kibana/issues/194205\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"b38941be7a253c80d426a49af806575ba15652a5","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["bug","release_note:fix","v9.0.0","backport:prev-major","Team:Security-Scalability","Feature:AutomaticImport"],"title":"[Automatic Import] Fix Non-ecs compatible fields in grok processor","number":194727,"url":"https://github.com/elastic/kibana/pull/194727","mergeCommit":{"message":"[Automatic Import] Fix Non-ecs compatible fields in grok processor (#194727)\n\n## Release Note\r\n\r\nFixes a bug to resolve non-ecs compatible fields in Structured /\r\nUnstructured syslog processing in Automatic Import.\r\n\r\n## Summary\r\n\r\nhttps://github.com//issues/194205 explains the issue. \r\n\r\nThis PR fixes `packageName.dataStreamName` for handling header values\r\nfrom grok processor for KV graph so that ecs mapping gets the header\r\nvalues in the converted json Samples too..\r\n\r\n### Before this PR\r\n\r\n![image](https://github.com/user-attachments/assets/d2660f7d-2cca-413c-ab90-1a0f3e1b4a03)\r\n\r\n\r\n### After this PR\r\n\r\n<img width=\"706\" alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/954b5a91-2123-46f9-b822-1709c3247901\">\r\n\r\n\r\n- Closes https://github.com/elastic/kibana/issues/194205\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"b38941be7a253c80d426a49af806575ba15652a5"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/194727","number":194727,"mergeCommit":{"message":"[Automatic Import] Fix Non-ecs compatible fields in grok processor (#194727)\n\n## Release Note\r\n\r\nFixes a bug to resolve non-ecs compatible fields in Structured /\r\nUnstructured syslog processing in Automatic Import.\r\n\r\n## Summary\r\n\r\nhttps://github.com//issues/194205 explains the issue. \r\n\r\nThis PR fixes `packageName.dataStreamName` for handling header values\r\nfrom grok processor for KV graph so that ecs mapping gets the header\r\nvalues in the converted json Samples too..\r\n\r\n### Before this PR\r\n\r\n![image](https://github.com/user-attachments/assets/d2660f7d-2cca-413c-ab90-1a0f3e1b4a03)\r\n\r\n\r\n### After this PR\r\n\r\n<img width=\"706\" alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/954b5a91-2123-46f9-b822-1709c3247901\">\r\n\r\n\r\n- Closes https://github.com/elastic/kibana/issues/194205\r\n\r\n### Checklist\r\n\r\nDelete any items that are not applicable to this PR.\r\n\r\n- [x] [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere updated or added to match the most common scenarios","sha":"b38941be7a253c80d426a49af806575ba15652a5"}}]}] BACKPORT--> Co-authored-by: Bharat Pasupula <[email protected]>
tiansivive
pushed a commit
to tiansivive/kibana
that referenced
this issue
Oct 7, 2024
…lastic#194727) ## Release Note Fixes a bug to resolve non-ecs compatible fields in Structured / Unstructured syslog processing in Automatic Import. ## Summary elastic#194205 explains the issue. This PR fixes `packageName.dataStreamName` for handling header values from grok processor for KV graph so that ecs mapping gets the header values in the converted json Samples too.. ### Before this PR ![image](https://github.com/user-attachments/assets/d2660f7d-2cca-413c-ab90-1a0f3e1b4a03) ### After this PR <img width="706" alt="image" src="https://github.com/user-attachments/assets/954b5a91-2123-46f9-b822-1709c3247901"> - Closes elastic#194205 ### Checklist Delete any items that are not applicable to this PR. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
bug
Fixes for quality problems that affect the customer experience
Feature:AutomaticImport
Team:Security-Scalability
Team label for Security Integrations Scalability Team
Background
#192817 and #191749 have introduced support for unstructured and structured syslog samples in Automatic Import.
Current Behaviour
While fixing #194203 , it has been identified that the field names produced by grok processor does not have
packageName.datastreamName
as a prefix to them.Like
And then it will be followed by few rename processors that rename the field to an ecs field and it looks like
Issue
Since grok processor does not produce the fields with
integ.ds
prefix rename processor does not rename them tohost.hostname
orprocess.name
, thereby leaving the final document with non ecs compatible field mappingWorkaround
Currently the pipeline generated by Automatic Import can be edited to map to right ecs fields and that works , along with #194203.
The text was updated successfully, but these errors were encountered: