Migration of metricset.* fields to ECS#8941
Conversation
ruflin
added
in progress
metricbeat/mb/event.go
Outdated
There was a problem hiding this comment.
@webmat To make things a bit more interesting, Host here contains also the Port number. For example elasticsearch:9200.
metricbeat/mb/event.go
Outdated
There was a problem hiding this comment.
This is described as being in nanoseconds in ECS.
There was a problem hiding this comment.
@spinscale What will happen if we send nano seconds data to ES versions prior 7?
There was a problem hiding this comment.
Good point, will convert it.
Also not related to nano second support in ES as it's not a timestamp.
There was a problem hiding this comment.
@andrewkroh As this is a breaking change, I wonder if we want to keep the old field around?
Other option would be to introduce the new field in nano seconds already in 6.6, deprecate the other one and then remove it in 7.0?
There was a problem hiding this comment.
The plan you describe sounds good to me. Have both in 6.6 and remove rtt in 7.0.
ruflin
force-pushed
the
migrate-metricset
branch
3 times, most recently
from
675f8eb to
bba0dc1
Compare
dev-tools/ecs-migration.yml
Outdated
There was a problem hiding this comment.
Hmmm, service doesn't have domain, ip or port.
Is the intent to represent the address exposed by a service? E.g.
service.name: sshd
service.port: 22
service.ip: 10.10.10.10
service.domain: (hostname on the local network)There was a problem hiding this comment.
It is the host/hostname that the user configured to connect to the service to fetch the information.
There was a problem hiding this comment.
In the case of mysql this can also look like:
hosts: ["root:secret@tcp(127.0.0.1:3306)/"]
I'm thinking to call it uri or connection. Other ideas? I'm more reverting now from splitting this one up and just keep it as defined (without credentials).
There was a problem hiding this comment.
I was thinking of introducing a field for these ambiguous addresses as address. It's an extremely generic word, it doesn't clash with any of the words used in the RFC that have a somewhat specific meaning like "host", "hostname", or "authority". address also kinda works for situations where e.g. NGINX or HAProxy shove a unix socket in the "IP" field.
I think "address" could also work for DSNs like the mysql example above.
dev-tools/ecs-migration.yml
Outdated
There was a problem hiding this comment.
Yeah if this one is changing by a factor of 1 000, I think we can't make this an alias. We'll have to manage the deprecation a bit more manually. Example:
6.x
- Mark
metricset.rttas deprecated - Keep populating
metricset.rttfield with microseconds - Start populating
event.durationfield with nanoseconds - Convert all visualizations to use new field
- Make sure to correctly set Kibana Index Pattern units for new field
7.0
- remove
metricset.rtt
There was a problem hiding this comment.
Agree on the field migration path. For the dashboards we can't start to use it in 6.x as otherwise it would break with older data.
ruflin
force-pushed
the
migrate-metricset
branch
from
c283bab to
db93785
Compare
CHANGELOG.asciidoc
Outdated
There was a problem hiding this comment.
s/micro seconds/microseconds/
metricbeat/mb/event.go
Outdated
There was a problem hiding this comment.
The plan you describe sounds good to me. Have both in 6.6 and remove rtt in 7.0.
ruflin
force-pushed
the
migrate-metricset
branch
2 times, most recently
from
c5bbe41 to
382b032
Compare
ruflin
added
review
and removed
in progress
ruflin
changed the title
|
Here is the 6.x PR to introduce |
ruflin
force-pushed
the
migrate-metricset
branch
2 times, most recently
from
410d653 to
9662a1d
Compare
dev-tools/ecs-migration.yml
Outdated
There was a problem hiding this comment.
@ruflin Note for myself: This should be service.address
ruflin
force-pushed
the
migrate-metricset
branch
from
a6edeb5 to
a7ad64f
Compare
|
jenkins, test this |
ruflin
force-pushed
the
migrate-metricset
branch
from
a7ad64f to
53e763b
Compare
|
jenkins, test this |
webmat
left a comment
webmat
left a comment
There was a problem hiding this comment.
I will say someone much more familiar with these tests should probably review this. I don't feel like I know enough to spot any problems or missing changes.
I did still notice things that seem wrong to me:
- Please address the question about
service.address - Amidst all of the changes to the test files, there are 3 removals that seem suspicious. They can't be explained by field names or values changing. Are these expected?
First point I think is a potential blocker. Second point, I'm not sure if I'm misunderstanding the situation, this may be expected and not a blocker.
webmat
left a comment
webmat
left a comment
There was a problem hiding this comment.
In this case, this LGTM.
But as I said, someone more familiar with these tests should likely have a look as well.
ruflin
force-pushed
the
migrate-metricset
branch
2 times, most recently
from
558ba1a to
3459740
Compare
* Add `event.dataset` as `{module}.{metricset}` but keep `metricset.name` around for backward compatiblity.
* Add `event.duration` which comes from `metricset.rtt` but is now in nano instead of micro seconds. `event.duration` will be introduce in 6.x already.
* Rename `metricset.module` to `event.module`
* Rename `metricset.host` to `service.uri`
* Removed `metricset.namespace` as this becomes `event.dataset` and should now always be set.
Further changes
* Updated some of the data.json files as example
* Migration file updated
* Old field definitions removed
* System tests updated
add event field
enable ES again
fix redis test
fix check for host field
improve changelog and add todo
change uri to address
update fields
one more update
ruflin
force-pushed
the
migrate-metricset
branch
from
3459740 to
da2f000
Compare
3 participants
event.datasetas{module}.{metricset}but keepmetricset.namearound for backward compatiblity.event.durationwhich comes frommetricset.rttbut is now in nano instead of micro seconds.event.durationwill be introduce in 6.x already.metricset.moduletoevent.modulemetricset.hosttoservice.addressmetricset.namespaceas this becomesevent.datasetand should now always be set.Further changes