Add geo fields to add_host_metadata processor.#9392
Conversation
andrewvc
added
enhancement
discuss
|
Pinging @elastic/uptime |
This comment has been minimized.
This comment has been minimized.
There was a problem hiding this comment.
nit: +1 on cloning, but from name only I would asMap expect to be a cast operation only. Caught me a little offguard when reading the argument for PutValue.
There was a problem hiding this comment.
Good point, I'll rename to mapClone().
There was a problem hiding this comment.
I'd prefer to have validation for at least the fields that are stored as geo point in Elasticsearch here.
There was a problem hiding this comment.
Ah, so we'd check the format to be a lat lon pair? I think that makes sense. Anything beyond that?
There was a problem hiding this comment.
yes, at least lat-lon pair.
The others are kind free form text and validating these might require a location database, right? We even store the others as keyword, so not that important. Validating them might be too much effort here (would be nice if we can do some simple validation - regex like -, but no hard requirement for me).
Most important is that indexing won't fail due to misconfiguration of the processor + maps in kibana dashboards will work correctly, cause lat lon pairs are correct and make sense.
There was a problem hiding this comment.
Validation added :)
There was a problem hiding this comment.
Should we / can we do any validation for the location field to make sure we don't have ingestion errors?
There was a problem hiding this comment.
Nit but I'm somehow used to have configs on top
There was a problem hiding this comment.
Does this really belong into the host? We are interested where the agent is running so it would be agent.geo?
There was a problem hiding this comment.
It's an interesting question. I agree that agent is slightly better, but I wonder if that is outweighed by the simplicity of not having yet another geo field. A location is tied to a host as much as it is tied to an agent.
There's an argument that's not true for the geo.name field we use, which is free-form, but perhaps we don't need to be so dogmatic there.
There was a problem hiding this comment.
One point that would speak for the host is that in the case of apm-server, apm-server is not the agent but the observer. There it would then be observer.geo.*. Having it under host would then not change it. I'm good with going with host.* for now and if someone is not happy with that, he can use the rename processor.
There was a problem hiding this comment.
+1 for not having agent.geo.*
As @ruflin says, in ECS, the agent is defined as running on a host or an observer.
Both host.geo.* and observer.geo.* are defined by ECS, so we are covered in either case.
|
After a discussion with @ruflin we decided to move this to the |
|
OK, redid the whole thing under the The only thing not yet done is the changes to fields.yml. Since this is now in ECS, is there a process for updated the ECS fields, or should I just manually add the ECS name field? |
andrewvc
force-pushed
the
new-geo-fields
branch
from
b36db5e to
c0587c7
Compare
andrewvc
changed the title
add_host_metadata processor.
ruflin
left a comment
ruflin
left a comment
There was a problem hiding this comment.
LGTM but we should add a CHANGELOG entry.
There was a problem hiding this comment.
I'm undecided if I like this one or not. It's good that we check the user input but it looks like really complex regexp where I must confess I could not easily review to make sure it's correct.
There was a problem hiding this comment.
I can break the regexp up into component strings to make ti more readable.
There was a problem hiding this comment.
FYI, the regexp isn't 100% accurate (it doesn't check the numeric bounds), but it's a lot better than nothing
There was a problem hiding this comment.
In b4feb7e I've made the regex more clear
|
@andrewvc Feel free to edit the ecs or the libbeat common file for the field, both works. |
andrewvc
force-pushed
the
new-geo-fields
branch
3 times, most recently
from
36f8a04 to
16524a6
Compare
|
Looks like rebasing of master gives us the geo fields thanks to @andrewkroh :) in #9121 |
ruflin
left a comment
ruflin
left a comment
There was a problem hiding this comment.
LGTM except a missing CHANGELOG entry.
Ignore the failing mac build as I stopped them.
There was a problem hiding this comment.
Nice. Thanks for all the details here.
webmat
left a comment
webmat
left a comment
There was a problem hiding this comment.
Looking great, love it.
Perhaps one more test for empty values being purged correctly, but other than this, LGTM
There was a problem hiding this comment.
Nice tests.
Perhaps one more to test "Delete any empty values"? Make sure your empty values include things like empty spaces too {"city_name": " "}
There was a problem hiding this comment.
@webmat I've added handling + tests for blank strings. Mind taking a look?
There was a problem hiding this comment.
Yeah good stuff.
Seems like I noticed the "din expect" typo too late for this PR ;-)
This lets users add geo data if they have it to the host
andrewvc
force-pushed
the
new-geo-fields
branch
from
16524a6 to
2e35691
Compare
ruflin
left a comment
ruflin
left a comment
There was a problem hiding this comment.
LGTM. Please ignore the failed test in Travis. Thought I fixed it but seems it still happens. Not related to this PR.
This lets users add geo data if they have it to the host (cherry picked from commit c6c4a30)
This lets users add geo data if they have it to the host (cherry picked from commit c6c4a30)
…ost_metadata) Same bug as the add_host_metadata fix: event.Fields.DeepUpdate(p.geoData) places direct references to the cached inner maps into the event. A downstream processor modifying observer.geo.* fields corrupts the cache for all subsequent events. add_observer_metadata was modeled after add_host_metadata and copied the same missing-Clone() pattern. The data path on line 94 already clones correctly: p.data.Get().Clone(). The geoData path did not. Introduced by PR elastic#5968 (Nicolas Ruflin, March 2018) and PR elastic#9392 (Andrew Cholakian, December 2018). Neither PR review discussed Clone() safety for geoData. https://claude.ai/code/session_01KRZtaDM6WsdBR2dhMpZTnD
Move the geoData.Clone() fix out of this PR. Instead: - Add BUG comment in add_host_metadata.go documenting the issue - Add reproduction filebeat configs (conditional + unconditional) - Add skipped tests (TestGeoDataNotCorruptedBetweenEvents, TestGeoDataCorruptionEndToEnd) that demonstrate the bug and describe the one-line fix - Revert add_observer_metadata.go change (same bug, same fix needed) The geoData cache corruption is a pre-existing upstream bug (since 2018, elastic/beats PRs elastic#5968 and elastic#9392). It should be filed as a separate issue with the repro configs and fixed in its own PR, since it's a different concern from the addFields performance optimization. https://claude.ai/code/session_01KRZtaDM6WsdBR2dhMpZTnD
8 participants
** EDIT ** I've left the original issue below the break, but after discussion we added geo fields to the
add_host_metadataprocessor instead of a new one. Original is belowThis carries over from the discussion from #8620 .
This adds a new processor that lets users easily add geo fields associated with the host that created the event. You would use it like so:
It's debate-able whether ECS should actually let you put these under perhaps
agent.geo. That's something we should discuss here.One other question here, should we just fold this functionality under
add_host_metadata? I believe that probably makes more sense. We agreed in #8620 to make this a separate processor, but with the data nested under host, that makes less sense IMHO.