Skip to content

Commit 2ced454

Browse files
author
kaiyan-sheng
authored
Check expand_event_list_from_field when json in map[string]interface{} format (#20370)
1 parent 3e66a8a commit 2ced454

2 files changed

Lines changed: 24 additions & 2 deletions

File tree

CHANGELOG.next.asciidoc

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -226,7 +226,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
226226
- Ignore missing in Zeek module when dropping unecessary fields. {pull}19984[19984]
227227
- Fix auditd module syscall table for ppc64 and ppc64le. {pull}20052[20052]
228228
- Fix Filebeat OOMs on very long lines {issue}19500[19500], {pull}19552[19552]
229-
- Fix s3 input parsing json file without expand_event_list_from_field. {issue}19902[19902] {pull}19962[19962]
229+
- Fix s3 input parsing json file without expand_event_list_from_field. {issue}19902[19902] {pull}19962[19962] {pull}20370[20370]
230230
- Fix millisecond timestamp normalization issues in CrowdStrike module {issue}20035[20035], {pull}20138[20138]
231231
- Fix support for message code 106100 in Cisco ASA and FTD. {issue}19350[19350] {pull}20245[20245]
232232
- Fix `fortinet` setting `event.timezone` to the system one when no `tz` field present {pull}20273[20273]

x-pack/filebeat/input/s3/input.go

Lines changed: 23 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -526,10 +526,11 @@ func (p *s3Input) decodeJSON(decoder *json.Decoder, objectHash string, s3Info s3
526526
return nil
527527
}
528528

529-
offset, err = p.jsonFieldsType(jsonFields, offset, objectHash, s3Info, s3Ctx)
529+
offsetNew, err := p.jsonFieldsType(jsonFields, offset, objectHash, s3Info, s3Ctx)
530530
if err != nil {
531531
return err
532532
}
533+
offset = offsetNew
533534
}
534535
}
535536

@@ -554,6 +555,27 @@ func (p *s3Input) jsonFieldsType(jsonFields interface{}, offset int, objectHash
554555
return offset, nil
555556
}
556557
case map[string]interface{}:
558+
if p.config.ExpandEventListFromField != "" {
559+
textValues, ok := f[p.config.ExpandEventListFromField]
560+
if !ok {
561+
err := errors.Errorf("key '%s' not found", p.config.ExpandEventListFromField)
562+
p.logger.Error(err)
563+
return offset, err
564+
}
565+
566+
valuesConverted := textValues.([]interface{})
567+
for _, textValue := range valuesConverted {
568+
offsetNew, err := p.convertJSONToEvent(textValue, offset, objectHash, s3Info, s3Ctx)
569+
if err != nil {
570+
err = errors.Wrapf(err, "convertJSONToEvent failed for '%s' from S3 bucket '%s'", s3Info.key, s3Info.name)
571+
p.logger.Error(err)
572+
return offset, err
573+
}
574+
offset = offsetNew
575+
}
576+
return offset, nil
577+
}
578+
557579
offset, err := p.convertJSONToEvent(f, offset, objectHash, s3Info, s3Ctx)
558580
if err != nil {
559581
err = errors.Wrapf(err, "convertJSONToEvent failed for '%s' from S3 bucket '%s'", s3Info.key, s3Info.name)

0 commit comments

Comments
 (0)