Specify multiple ingest pipelines for a data stream

[ruflin]

With the new indexing strategy, data sent from the Elastic Agent to Elasticsearch does not specify the ingest pipeline on the request, but each data stream already contains the ingest pipeline as setting. Currently we use index.default_pipeline but are thinking about also using index.final_pipeline for some final processing of the events. In some cases multiple pipeline are attached together with the pipeline processor. There are two use cases here:

• "Routing" ingest pipeline that selects the correct pipeline for processing (json vs text for example)
• Multiple pipelines connected together

The use cases around connecting multiple pipelines together I want to dive deeper here. In Ingest Manager we have at least three potential use cases for attaching multiple pipelines together:

• Reuse same pipeline in multiple places
• Let user inject their own enrichment pipeline
• Multiple teams want to add their own final ingest pipeline bits

Instead of ingest manager trying to modify the ingest pipelines to add multiple ingest pipelines together it would be nice if Elasticsearch would support an array of ingest pipelines and execute them in the order defined. Something like:

index.default_pipelines
- "pipeline1"
- "pipeline2"

The above would allow us to add a pipeline3 without having to modify the pipeline itself but only the settings. The same logic would apply to the final_pipelines so multiple teams could add their own final pipeline without conflicting with each other.

The above might also help with #57968. The discussion here is what happens if the target data stream changes. With the above, I would expect that the pipelines are just added to the list and all of them are executed.

[elasticmachine]

Pinging @elastic/es-core-features (:Core/Features/Ingest)

[mbudge]

Good idea but also for normal indexes too.

The pipelines are too restrictive at the moment.

Beats is hogging the default pipeline forcing us to stick with logstash...

[cutler-scott-newrelic]

We would love to see this as well, as different teams may own different parts of the data ingest pipeline depending on the context.

[felixbarny]

The above would allow us to add a pipeline3 without having to modify the pipeline itself but only the settings.

Why is that desirable? IMHO, this increases complexity as there are two ways to change the pipelines then: the index settings and the ingest pipeline itself. In the stack management section of Kibana, there’s already good support for inspecting and editing pipelines. Having only one default pipeline per index seems less complex and easier to reason about.

Also, when adding a default pipeline to a list of default pipelines, you’ll have to remember that not only the index settings of all active indices have to be changed but also the index templates.

To me, it seems we have all the building block that we need to specify multiple ingest pipelines: the pipeline processor, processor tags to identify a processor within a pipeline, and optimistic concurrency control.

All problems in computer science can be solved by another level of indirection
- Butler Lampson

Currently, Fleet integrations add their main processing pipeline directly to the index.default_pipeline setting. Instead of that, it could create a pipeline with a name that’s stable across versions of the integration and which users are free to customize. By default, it has one pipeline processor that delegates to the main processing pipeline of the integration.

When the integration gets updated because of a new version, Fleet modifies the existing pipeline by changing the pipeline processor that has a specific tag which identifies it as the pipeline processor that’s managed by Fleet. When doing so, Fleet should use concurrency control mechanisms to make sure the pipeline hasn’t been modified in the meantime.

When making changes to the default pipeline of an index, neither users nor Fleet have to worry about updating the index.default_pipeline setting of existing indices and the index template. That’s because the indices still invoke the same pipeline. Just the content of the pipeline changes.

Click to expand example

# User installs foo integration and fleet creates a default ingest pipeline for the index template logs-foo-*
DELETE _ingest/pipeline/logs-foo
PUT _ingest/pipeline/logs-foo
{
  "version": 1, 
  "processors": [
    {
      "pipeline": {
        "tag": "logs-foo", 
        "name": "logs-foo-1.0.0"
      }
    }
  ]
}

# User adds custom pipeline
PUT _ingest/pipeline/logs-foo?if_version=1
{
  "processors": [
    {
      "pipeline": {
        "tag": "logs-foo", 
        "name": "logs-foo-1.0.0"
      }
    },
    {
      "pipeline": {
        "name": "custom"
      }
    }
  ]
}

# Fleet updates version integration
PUT _ingest/pipeline/logs-foo?if_version=2
{
  "processors": [
    {
      "pipeline": {
        "tag": "logs-foo", 
        "name": "logs-foo-1.1.0"
      }
    },
    {
      "pipeline": {
        "name": "custom"
      }
    }
  ]
}

To simplify the get-edit-put pattern when modifying pipelines, we could think of a convenience API in Elasticsearch: It would let you put/upsert or delete a processor with a given tag in an existing pipeline. The API would also take care of re-trying in case of concurrent modifications. A small caveat is that processor tags aren’t strictly unique.

cc @joshdover

[ruflin]

One part that is important from a Fleet perspective is that we have clear separation on what parts users can edit and what parts not. Ideally we would have read only pipelines in Elasticsearch that a user could not even modify.

I think both the settings and the processors approach proposed by @felixbarny are not ideal as there is a part that is touched by Fleet and the users which can lead to accidents and unexpected changes.

To simplify the get-edit-put pattern when modifying pipelines, we could think of a convenience API in Elasticsearch: It would let you put/upsert or delete a processor with a given tag in an existing pipeline. The API would also take care of re-trying in case of concurrent modifications. A small caveat is that processor tags aren’t strictly unique.

Such an API seems to be key to me no matter if we select the processors or the settings approach.

My personal preference is still on supporting multiple pipelines. It would allow package developers to split up very long pipelines into multiple chunks instead of having one very long pipeline. Also it allows to refer other pipelines. This is all possible with the pipelines processors too but it means custom logic is required in Fleet during installation time to put together the right "root" pipeline.

One thing we need to be careful about is upgrades. The data stream naming scheme and Fleet have a strict order in which upgrades must happen. There is a version number on the pipeline because new pipeline and mappings must be applied at the same time. So at first the pipeline is added, then the template is updated and then the new mapping and setting applied to the index. This is all not atomic so there is a chance, that a rollover could happen in the middle which means if there is no version on the pipeline, new mappings are not there yet and ingestion stops.