Testing: Add config option to accept numeric keywords

[adriansr]

Keyword fields are not necessarily ingested as JSON strings. It's common to ingest numbers (integer or floating point) as keyword type.

This updates the fields validator to accept numeric values. They are converted to string so that any defined patterns can be checked.

This adds a new configuration option, numeric_keyword_fields, to pipeline test cases and system tests so that selected fields can have numeric type and be ingested into a text-like field.

Example configuration:

{
    "dynamic_fields": {
        "event.ingested": ".*"
    },
    "numeric_keyword_fields": [
        "network.iana_number",
        "event.code",
        "syslog.facility"
    ]
}

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: Pull request #193 updated

• Start Time: 2020-12-11T09:02:20.334+0000

• Duration: 9 min 29 sec

Test stats 🧪

Test	Results
Failed	0
Passed	9
Skipped	0
Total	9

[ycombinator]

Ah, nice enhancement for even stricter validation! Thanks and LGTM.

[andrewkroh]

I prefer seeing JSON strings in the _source for fields mapped as keyword types, but since it's completely safe to map numbers to keywords (the inverse not being true) I'm ok loosening the restrictions to make developing packages a little simpler.

[adriansr]

In the end I think it makes more sense for this to be a configuration option to be set on a per-test-case basis, so I've modified the pipeline test runner to accept this new option.

[adriansr]

Let me explain the rationale behind these changes.

Across the Beats code base, there are some instances of fields that are defined as keyword type and they would be ingested as a numeric field the document's JSON. According to ES docs: Not all numeric data should be mapped as a numeric field data type. Elasticsearch optimizes numeric fields, such as integer or long, for range queries. However, keyword fields are better for term and other term-level queries.

Examples of such fields are:

• network.iana_number
• vlan.id
• dns.id
• observer.*.interface.id
• x509.version_number
• event.code: In the case of some external event sources
• {file,user}.{uid,gid}: for some Beats datasets, under a UNIX-like OS
• syslog.{facility,severity}: For Filebeat's syslog input (these need conversion to ECS, which uses long).
• elasticsearch.slowlog.{total_hits,total_shards}: These two really look like they should be a long.

There's probably many others, but it's difficult to spot them. I worry especially about cases where we are receiving an arbitrary set of keys (ex. via JSON) from an external source and storing those verbatim in the event with keyword type.

I see three possibilities for handling this:

• Do not accept numeric keywords. This will force us to modify the source of events (module/Beat) so that those numbers are converted to string before being published. This is not too complicated when the processing is performed in an ingest pipeline, but it will be more time consuming for fields generated outside a pipeline.
• Always accept numeric keywords. The original idea of this PR, after your feedback I realised it could be counter-intuitive.
• Make it an opt-in feature. The new version of this PR. By default validation will be strict but we it can be disabled on a per-field per-test-case basis.

[mtojek]

Thank you for the detailed explanation and possible options. I would for the first or third option:

Do not accept numeric keywords.
Make it an opt-in feature.

Actually I like the third one when the validation is configurable (strictness level). Keep in mind that this option requires updating the package-spec: https://github.com/elastic/package-spec/

[adriansr]

@mtojek can you have another look?

[mtojek]

just a short one about the clean code

[mtojek]

LGTM
nit: it would be nice to describe this feature in the howto docs (not blocking this PR)