Large integers from CEL arrive in ES as Doubles

[chrisberkhout]

Elasticsearch is okay with integers like 235549249 and larger, and can convert them to strings.

Expand for an Elasticsearch example

PUT _ingest/pipeline/test_convert
{
  "description": "Pipeline to test conversion of large integers",
  "processors": [
    {
      "convert": {
        "field": "small",
        "target_field": "small_string",
        "type": "string"
      }
    },
    {
      "convert": {
        "field": "large",
        "target_field": "large_string",
        "type": "string"
      }
    }
  ]
}

POST _ingest/pipeline/test_convert/_simulate
{
  "docs": [
    {
      "_source": {
        "small": 12345,
        "large": 2355492490000000000
      }
    }
  ]
}

{
  "docs": [
    {
      "doc": {
        "_index": "_index",
        "_version": "-3",
        "_id": "_id",
        "_source": {
          "small": 12345,
          "large": 2355492490000000000,
          "small_string": "12345",
          "large_string": "2355492490000000000"
        },
        "_ingest": {
          "timestamp": "2025-04-03T08:58:03.968461461Z"
        }
      }
    }
  ]
}

However, when receiving such a number from Beats (at least from the CEL input), it is of type Double.

The convert processor will produce the string "2.35549249E8". Trying to convert to an integer before converting to a string fails with an error message saying it can't convert the string "2.35549249E8" (so, the convert processor doesn't natively convert from Double to integer).

Expand for a script processor that does a type check and conversion in Painless

  - script:
      description: Convert large integer to a string without an exponent
      lang: painless
      source: |
        def value = (Object) ctx.json.id;
        if (value instanceof Integer) {
            ctx.json["id_type_name"] = "Integer";
        } else if (value instanceof Double) {
            ctx.json["id_type_name"] = "Double";
        } else if (value instanceof String) {
            ctx.json["id_type_name"] = "String";
        } else {
            ctx.json["id_type_name"] = "Unknown";
        }
        ctx.json.id = Long.toString((long) ctx.json.id);

Result:

json.id_type_name = "Double"
json.id = 235549249

This requires special handling, such as in the ti_anomali integration. In that case, notice that the original server response is an integer in JSON (e.g. "id":235548914 in the system test response), and the CEL also reserializes into JSON as an integer.

This raises some questions:

• What JSON is being sent to Elasticsearch in such cases?
• Why is this happening for relatively small integers?
• Is there an issue in cel-go or the CEL input or Beats that could be fixed to improve this?

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[efd6]

I believe this is a result of this code (tested). The way to avoid this would be to provide our own ConvertToNative implementation. This could fall back to the default one for all types except int.

[efd6]

Looking further at the backing code in this, we are constrained by protobuf structpb.Value types which only allow expression of numbers as doubles. We could do one of two things in the code that we do have control over:

1. do as I suggested in Large integers from CEL arrive in ES as Doubles #43659 (comment), but rather than the implied conversion to an integer type (not available) always fall back to string representation for numbers.
2. completely reimplement a type system to replace the structpb.Value

I don't think 2. is a sensible thing to do and I am concerned about the possible surprise that 1. would cause.

The surprise needs discussion; currently, any number that's returned by a CEL evaluation is returned either as a float64 (within the range that the float can be exactly represented as an integer) or a string (outside that range). The range is -2⁵³ to 2⁵³, which is unlikely to be hit by most normal number uses in a integration. Making all numbers being returned by evaluations be strings would bring that tenuous nature of reality in to stark light. People who are expecting very large numbers will presumably already be aware of the historical consequences of JavaScript's unfortunate choice of number systems when dealing with JSON.

In the issue it's noted that a conversion to integer first does not work. This is true for the convert processors, but it is not the case for script processors, and I believe that the convert processor should be able to convert from double to long (potentially failing — maybe).

Expand for an Elasticsearch convert failure

POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "processors": [
      {
        "convert": {
          "field": "value",
          "target_field": "final",
          "type": "long"
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "value": 9007199254740991
      }
    },
    {
      "_source": {
        "value": 9007199254740991.0
      }
    },
    {
      "_source": {
        "value": "9007199254740991"
      }
    }
  ]
}

{
  "docs": [
    {
      "doc": {
        "_index": "_index",
        "_version": "-3",
        "_id": "_id",
        "_source": {
          "final": 9007199254740992,
          "value": 9007199254740992
        },
        "_ingest": {
          "timestamp": "2025-05-15T06:59:51.39992104Z"
        }
      }
    },
    {
      "error": {
        "root_cause": [
          {
            "type": "illegal_argument_exception",
            "reason": "unable to convert [9.007199254740991E15] to long"
          }
        ],
        "type": "illegal_argument_exception",
        "reason": "unable to convert [9.007199254740991E15] to long",
        "caused_by": {
          "type": "number_format_exception",
          "reason": "For input string: \"9.007199254740991E15\""
        }
      }
    },
    {
      "doc": {
        "_index": "_index",
        "_version": "-3",
        "_id": "_id",
        "_source": {
          "final": 9007199254740991,
          "value": "9007199254740991"
        },
        "_ingest": {
          "timestamp": "2025-05-15T06:59:51.399935971Z"
        }
      }
    }
  ]
}

So, I think that the best thing to do here, after reflecting on what we've done to the state of programming as a species with JS, is to use a script processor when numbers are involved in situations like this. Probably also suggesting that the convert processor be fixed™ to allow interconversion of numeric types.

Expand for an Elasticsearch script conversion

POST _ingest/pipeline/_simulate
{
  "pipeline": {
    "processors": [
      {
        "script": {
          "if": "ctx.value != null",
          "source": """
            if (ctx.value instanceof String) {
              ctx.final = Long.parseLong(ctx.value);
            } else {
              ctx.final = (long)ctx.value;
            }
          """
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "value": 9007199254740991
      }
    },
    {
      "_source": {
        "value": 9007199254740992
      }
    },
    {
      "_source": {
        "value": 9007199254740993
      }
    },
    {
      "_source": {
        "value": 9007199254740991.0
      }
    },
    {
      "_source": {
        "value": 9007199254740992.0
      }
    },
    {
      "_source": {
        "value": 9007199254740993.0
      }
    },
    {
      "_source": {
        "value": "9007199254740991"
      }
    },
    {
      "_source": {
        "value": "9007199254740992"
      }
    },
    {
      "_source": {
        "value": "9007199254740993"
      }
    }
  ]
}

{
  "docs": [
    {
      "doc": {
        "_index": "_index",
        "_version": "-3",
        "_id": "_id",
        "_source": {
          "final": 9007199254740991,
          "value": 9007199254740991
        },
        "_ingest": {
          "timestamp": "2025-05-15T06:21:17.266412559Z"
        }
      }
    },
    {
      "doc": {
        "_index": "_index",
        "_version": "-3",
        "_id": "_id",
        "_source": {
          "final": 9007199254740992,
          "value": 9007199254740992
        },
        "_ingest": {
          "timestamp": "2025-05-15T06:21:17.266434027Z"
        }
      }
    },
    {
      "doc": {
        "_index": "_index",
        "_version": "-3",
        "_id": "_id",
        "_source": {
          "final": 9007199254740992,
          "value": 9007199254740992
        },
        "_ingest": {
          "timestamp": "2025-05-15T06:21:17.266439562Z"
        }
      }
    },
    {
      "doc": {
        "_index": "_index",
        "_version": "-3",
        "_id": "_id",
        "_source": {
          "final": 9007199254740991,
          "value": 9007199254740991
        },
        "_ingest": {
          "timestamp": "2025-05-15T06:21:17.266443997Z"
        }
      }
    },
    {
      "doc": {
        "_index": "_index",
        "_version": "-3",
        "_id": "_id",
        "_source": {
          "final": 9007199254740992,
          "value": 9007199254740992
        },
        "_ingest": {
          "timestamp": "2025-05-15T06:21:17.266448099Z"
        }
      }
    },
    {
      "doc": {
        "_index": "_index",
        "_version": "-3",
        "_id": "_id",
        "_source": {
          "final": 9007199254740992,
          "value": 9007199254740992
        },
        "_ingest": {
          "timestamp": "2025-05-15T06:21:17.26645214Z"
        }
      }
    },
    {
      "doc": {
        "_index": "_index",
        "_version": "-3",
        "_id": "_id",
        "_source": {
          "final": 9007199254740991,
          "value": "9007199254740991"
        },
        "_ingest": {
          "timestamp": "2025-05-15T06:21:17.266456339Z"
        }
      }
    },
    {
      "doc": {
        "_index": "_index",
        "_version": "-3",
        "_id": "_id",
        "_source": {
          "final": 9007199254740992,
          "value": "9007199254740992"
        },
        "_ingest": {
          "timestamp": "2025-05-15T06:21:17.266460327Z"
        }
      }
    },
    {
      "doc": {
        "_index": "_index",
        "_version": "-3",
        "_id": "_id",
        "_source": {
          "final": 9007199254740992,
          "value": "9007199254740993"
        },
        "_ingest": {
          "timestamp": "2025-05-15T06:21:17.266464349Z"
        }
      }
    }
  ]
}

[chrisberkhout]

I agree that the convert processor should be enhanced to be able to convert Double to Long.

However, it looks like normal protobuf serialization will turn a float64 number value into a JSON number without a decimal point or an exponent (example below), following the normal JSON rules (or some variant of them).

So I'm not sure why that doesn't happen for us. I think using that standard serialization would be the least surprising thing.

Expand for an example converting a protobuf to JSON and getting no decimal point

package main

import (
	"fmt"

	"google.golang.org/protobuf/encoding/protojson"
	"google.golang.org/protobuf/types/known/structpb"
)

func main() {
	val := structpb.NewNumberValue(235549249.0)
	jsonBytes, _ := protojson.Marshal(val)
	fmt.Printf("JSON output: %s\n", string(jsonBytes))
}

JSON output: 235549249

[efd6]

The JSON that's sent to ES is serialised out of our (SSI) control. There is a possibility of a fix there.

A more accurate reflection of what is happening in the input is

package main

import (
	"encoding/json"
	"fmt"
	"log"

	"google.golang.org/protobuf/types/known/structpb"
)

func main() {
	val, err := structpb.NewValue(map[string]any{"f": 235549249.0})
	if err != nil {
		log.Fatal(err)
	}
	b, err := json.Marshal(val.AsInterface())
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("JSON output: %s\n", b)
}

but this also gives the non-e-notation syntax. This further supports the notion that the weird formatting is coming from somewhere else, likely in libbeat I guess. It would be nice to be able to see the bytes that are sent in the publish calls.

[efd6]

ES issue: elastic/elasticsearch#128160

[efd6]

The serialisation comes into effect either in the memory queue implementation here with this

package main

import (
	"fmt"
	"strconv"
)

func main() {
	fmt.Printf("%s\n", strconv.AppendFloat(nil, 235548914, 'g', -1, 64))
	fmt.Printf("%s\n", strconv.AppendFloat(nil, 10, 'g', -1, 64))
}

2.35548914e+08
10

or in the disk queue implementation here which will similarly enforce floatiness on a float type.

This then gets ossified into the value by the convert processor here which similarly, to the JSON encoder above, uses a rendering that prematurely enforces scientific notation.

Because of this, I think that the script approach above is the least worst (with an unfortunately low bar) to dealing with this.

[efd6]

I've added a note to the Fleet Package Code Review Comments to provided guidance for integration authors for this.