[8.19] 🌊 Streams: Normalized format for wired streams (#205113) #221778

Merged

flash1293 merged 3 commits into elastic:8.19 from flash1293:backport/8.19/pr-205113 on Jun 2, 2025

Conversation

@flash1293 (Contributor)

Backport

This will backport the following commits from main to 8.19:

Questions?

Please refer to the Backport tool documentation

This PR extends streams to allow mixed otel/ecs querying.

Walkthrough (slightly outdated):

https://github.com/user-attachments/assets/9d6280ff-57b2-43d8-9c81-dfbfabb64585

![Screenshot 2025-03-07 at 17 15 27](https://github.com/user-attachments/assets/792fbbc2-6cbe-42fe-96b3-eea2b6959fe5)

# To test

* Start up PR, enable streams via `POST kbn:/api/streams/_enable`
* Redirect all incoming logs to streams:
```
PUT _ingest/pipeline/logs@custom
{
  "processors": [
    {
      "reroute": {
        "destination": "logs"
      }
    }
  ]
}
```
* Send some logs
* They will be translated to namespaced ECS and can be queried the same way

Some demo actions:
```
# Make sure trial license is active (because of synthetic source)

# Enable streams
POST kbn:/api/streams/_enable

# Fork some data to be able to edit mapping and stuff
POST kbn:/api/streams/logs/_fork
{
  "stream": { "name": "logs.child" },
  "if": {
    "field": "attributes.custom_field",
    "operator": "exists"
  }
}
# Routing could have been done on "custom_field" as well

# Send some ECS-formatted data
POST logs/_doc
{
  "message": "Hello world",
  "log.level": "warn",
  "host": {
    "name": "my-mbp",
    "ip": "1.2.3.4"
  },
  "custom_field": "value2"
}

# Send some OTel-formatted data
POST logs/_doc
{
  "body": {
    "text": "Hello OTEL world"
  },
  "severity_text": "warn",
  "resource": {
    "attributes": {
      "host.name": "my-mbp",
      "host.ip": "1.2.3.4"
    }
  },
  "attributes": {
    "custom_field": "value"
  }
}

# See how it's stored as namespaced ECS (beware automatic aliasing)
GET logs.child/_search

# See the fields and their aliases
GET kbn:/api/streams/logs.child

# Nested data treatment (objects flattened, arrays kept)
POST logs/_doc
{
  "message": "Hello world",
  "log.level": "warn",
  "host": {
    "name": "my-mbp",
    "ip": "1.2.3.4"
  },
  "custom_field": "value2",
  "nested_custom_field": {
    "deeply": {
      "deeply": {
        "nested": "value"
      }
    }
  },
  "array_values": [
    { "deeply": { "nested": 123 }},
    { "deeply": { "nested": 456 }}
  ]
}

GET logs.child/_search

# Map a field (show alias in app)
PUT kbn:/api/streams/logs.child/_ingest
{
  "ingest": {
    "lifecycle": {
      "inherit": {}
    },
    "processing": [],
    "routing": [],
    "wired": {
      "fields": {
        "attributes.custom_value": {
          "type": "keyword"
        }
      }
    }
  }
}
# Trying to map "custom_value" will result in an error - only attributes.* and resource_attributes.* can be mapped

# End experiment
POST kbn:/api/streams/_disable
```

## Do on separate PRs

* More dedicated integration tests
* Replace the painless implementation of normalization with an Elasticsearch processor (not shipped yet)
* Remove the dot expander processors once Elasticsearch allows accessing flattened field names

---------

Co-authored-by: Chris Cowan <chris@elastic.co>
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit 440aeab)

# Conflicts:
#	x-pack/test/api_integration/deployment_agnostic/apis/observability/streams/enrichment.ts
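The demo above sends one ECS-shaped and one OTel-shaped document and shows both landing in the same namespaced layout. The following added example (not the PR's own painless implementation) reproduces that translation in Python so the shared query namespace is visible: the target field names (`body.text`, `severity_text`, `resource.attributes.*`, `attributes.*`) and the rule that ECS `host.*` becomes a resource attribute are assumptions inferred from the two demo documents, while the flattening follows the PR's note that objects are flattened and arrays kept.

```python
# Added example (not the PR's painless code): normalize the ECS and OTel demo
# documents into one flat, namespaced layout so both can be queried alike.
# Assumed target layout, inferred from the two demo documents:
#   message -> body.text, log.level -> severity_text,
#   host.* -> resource.attributes.host.*, any other ECS field -> attributes.*
# Objects are flattened to dotted keys; arrays are kept as-is (per the PR note).
from typing import Any

ECS_TO_OTEL = {"message": "body.text", "log.level": "severity_text"}  # assumption
RESOURCE_PREFIXES = ("host",)  # assumption: ECS objects that are resource-level
OTEL_ROOTS = ("body", "severity_text", "resource", "attributes")  # already namespaced

# Constructed inputs: the demo documents from the PR description.
ECS_DOC = {"message": "Hello world", "log.level": "warn",
           "host": {"name": "my-mbp", "ip": "1.2.3.4"}, "custom_field": "value2"}
OTEL_DOC = {"body": {"text": "Hello OTEL world"}, "severity_text": "warn",
            "resource": {"attributes": {"host.name": "my-mbp", "host.ip": "1.2.3.4"}},
            "attributes": {"custom_field": "value"}}
NESTED_DOC = {"message": "Hello world",
              "nested_custom_field": {"deeply": {"deeply": {"nested": "value"}}},
              "array_values": [{"deeply": {"nested": 123}}, {"deeply": {"nested": 456}}]}


def flatten(obj: dict[str, Any], prefix: str = "") -> dict[str, Any]:
    """Flatten nested objects into dotted keys; arrays are left untouched."""
    out: dict[str, Any] = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def normalize(doc: dict[str, Any]) -> dict[str, Any]:
    """Map a flattened ECS or OTel document onto the assumed namespaced layout."""
    out: dict[str, Any] = {}
    for key, value in flatten(doc).items():
        root = key.split(".", 1)[0]
        if key in ECS_TO_OTEL:
            out[ECS_TO_OTEL[key]] = value
        elif root in OTEL_ROOTS:
            out[key] = value  # OTel-shaped input is already in the namespace
        elif root in RESOURCE_PREFIXES:
            out[f"resource.attributes.{key}"] = value
        else:
            out[f"attributes.{key}"] = value  # unknown ECS field -> attributes.*
    return out
```

Running `normalize` over `ECS_DOC` and `OTEL_DOC` yields the same set of keys, which is what lets the single `logs.child/_search` in the demo match both shapes.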
@flash1293 flash1293 requested a review from kibanamachine as a code owner May 28, 2025 13:01
@flash1293 flash1293 added the backport This PR is a backport of another PR label May 28, 2025
@flash1293 flash1293 enabled auto-merge (squash) May 28, 2025 13:01
@flash1293 flash1293 merged commit 9f45a6e into elastic:8.19 Jun 2, 2025
8 checks passed
@elasticmachine (Contributor)

💚 Build Succeeded

Metrics [docs]

### Module Count

Fewer modules lead to a faster build time.

| id | before | after | diff |
|---|---|---|---|
| streamsApp | 516 | 517 | +1 |

### Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run `node scripts/build_api_docs --plugin [yourplugin] --stats comments` for more detailed information.

| id | before | after | diff |
|---|---|---|---|
| @kbn/streams-schema | 212 | 220 | +8 |

### Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app.

| id | before | after | diff |
|---|---|---|---|
| streamsApp | 561.9KB | 562.3KB | +490.0B |

### Public APIs missing exports

Total count of every type that is part of your API that should be exported but is not. This will cause broken links in the API documentation system. Target amount is 0. Run `node scripts/build_api_docs --plugin [yourplugin] --stats exports` for more detailed information.

| id | before | after | diff |
|---|---|---|---|
| @kbn/streams-schema | 17 | 16 | -1 |

### Unknown metric groups

API count

| id | before | after | diff |
|---|---|---|---|
| @kbn/streams-schema | 221 | 229 | +8 |
