[Filebeat] backwards compatibility for set processor#20908
Merged
leehinman merged 3 commits intoelastic:masterfrom Sep 3, 2020
Merged
[Filebeat] backwards compatibility for set processor#20908leehinman merged 3 commits intoelastic:masterfrom
leehinman merged 3 commits intoelastic:masterfrom
Conversation
Contributor
|
Pinging @elastic/siem (Team:SIEM) |
b72b450 to
290c0ea
Compare
Contributor
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
|
- "ignore_empty_value" option for the set processor only works on elasticsearch >= 7.9.0. This change removes that option and replaces it with an if statement if pipeline is loaded on an earlier version of elasticsearch.
290c0ea to
84cc638
Compare
andrewkroh
reviewed
Sep 1, 2020
Member
andrewkroh
left a comment
There was a problem hiding this comment.
Just a few minor suggestions.
filebeat/fileset/pipelines.go
Outdated
| if !ok { | ||
| continue | ||
| } | ||
| newIf := strings.ReplaceAll(val, "{", "") |
Member
There was a problem hiding this comment.
How about TrimLeft and TrimRight for these two?
filebeat/fileset/pipelines.go
Outdated
| newIf = strings.TrimSpace(newIf) | ||
| newIf = strings.ReplaceAll(newIf, ".", "?.") | ||
| newIf = "ctx?." + newIf + " != null" | ||
| logp.Debug("modules", "in pipeline %s replacing unsupported 'ignore_empty_value' with if %s in set processor", pipelineID, newIf) |
Member
There was a problem hiding this comment.
Suggested change
| logp.Debug("modules", "in pipeline %s replacing unsupported 'ignore_empty_value' with if %s in set processor", pipelineID, newIf) | |
| logp.Debug("modules", "In pipeline %s replacing unsupported 'ignore_empty_value' with if %q in set processor", pipelineID, newIf) |
| "set": map[string]interface{}{ | ||
| "field": "rule.name", | ||
| "value": "{{panw.panos.ruleset}}", | ||
| "ignore_empty_value": true, |
Member
There was a problem hiding this comment.
How about a test case for when the pipeline already has an if and it has ignore_empty_value. Perhaps it should just drop the ignore_empty_value in that case?
CHANGELOG.next.asciidoc
Outdated
| - Fix long registry migration times. {pull}20717[20717] {issue}20705[20705] | ||
| - Fix event types and categories in auditd module to comply with ECS {pull}20652[20652] | ||
| - Update documentation in the azure module filebeat. {pull}20815[20815] | ||
| - provide backwards compatibility for set processor and elasticsearch less than 7.9.0 {pull}20908[20908] |
Member
There was a problem hiding this comment.
Suggested change
| - provide backwards compatibility for set processor and elasticsearch less than 7.9.0 {pull}20908[20908] | |
| - Provide backwards compatibility for the `set` processor when Elasticsearch is less than 7.9.0. {pull}20908[20908] |
andrewkroh
approved these changes
Sep 2, 2020
Member
andrewkroh
left a comment
There was a problem hiding this comment.
LGTM. Can you try testing the modules locally against 7.8 if you haven't already.
I think if you export TESTING_ENVIRONMENT=latest and roll back to 7.8 in https://github.com/elastic/beats/blob/master/testing/environments/latest.yml#L6-L29 while running the module tests it will use 7.8.
Contributor
Author
All tests passed with TESTING_ENVIRONMENT=latest & setting version to 7.8.0 in latest.yml Also tried loading the zeek module against 7.8.1 & 7.9.0 clusters: 7.8.1 clustersetup outputResulting set processor7.9.0 clustersetup outputResulting set processor |
leehinman
added a commit
to leehinman/beats
that referenced
this pull request
Sep 3, 2020
- "ignore_empty_value" option for the set processor only works on Elasticsearch >= 7.9.0. This change removes that option and replaces it with an if statement if pipeline is loaded on an earlier version of elasticsearch. (cherry picked from commit 0032c0c)
6 tasks
6 tasks
andrewkroh
pushed a commit
to andrewkroh/beats
that referenced
this pull request
Sep 14, 2020
- "ignore_empty_value" option for the set processor only works on Elasticsearch >= 7.9.0. This change removes that option and replaces it with an if statement if pipeline is loaded on an earlier version of elasticsearch. (cherry picked from commit 0032c0c)
leehinman
added a commit
that referenced
this pull request
Sep 15, 2020
- "ignore_empty_value" option for the set processor only works on Elasticsearch >= 7.9.0. This change removes that option and replaces it with an if statement if pipeline is loaded on an earlier version of elasticsearch. (cherry picked from commit 0032c0c)
leehinman
added a commit
that referenced
this pull request
Sep 15, 2020
- "ignore_empty_value" option for the set processor only works on Elasticsearch >= 7.9.0. This change removes that option and replaces it with an if statement if pipeline is loaded on an earlier version of elasticsearch. (cherry picked from commit 0032c0c) Co-authored-by: Lee Hinman <57081003+leehinman@users.noreply.github.com>
melchiormoulin
pushed a commit
to melchiormoulin/beats
that referenced
this pull request
Oct 14, 2020
- "ignore_empty_value" option for the set processor only works on Elasticsearch >= 7.9.0. This change removes that option and replaces it with an if statement if pipeline is loaded on an earlier version of elasticsearch.
leweafan
pushed a commit
to leweafan/beats
that referenced
this pull request
Apr 28, 2023
…lastic#21084) - "ignore_empty_value" option for the set processor only works on Elasticsearch >= 7.9.0. This change removes that option and replaces it with an if statement if pipeline is loaded on an earlier version of elasticsearch. (cherry picked from commit b6162c4) Co-authored-by: Lee Hinman <57081003+leehinman@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
When loading a pipeline this change checks the elasticsearch version
and if the version is less than 7.9.0 it will replace the
"ignore_empty_value" option with an equivalent if statement on the set
processor.
Why is it important?
This allows filebeat > 7.9.0 to be used with older versions of
elasticsearch. Without it the pipelines fail to load because the
option isn't supported.
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.How to test this PR locally
run
filebeat modules enable zeek && filebeat -e setupLogs
Error
With fix: