[ML] Get categories endpoint to use ECS Grok patterns by edsavage · Pull Request #89386 · elastic/elasticsearch

edsavage · 2022-08-16T12:39:05Z

Change the Grok pattern creator for _ml/anomaly_detectors/<job_id>/results/categories to always use ECS Grok patterns

Change the Grok pattern creator for _ml/anomaly_detectors/<job_id>/results/categories to always use ECS Grok patterns relates elastic#77065

elasticsearchmachine · 2022-08-16T12:39:29Z

Pinging @elastic/ml-core (Team:ML)

edsavage · 2022-08-16T12:50:46Z

Tested with e.g. apache_access formatted logs:

With legacy Grok patterns:

  "categories" : [
    {
      "job_id" : "categories_apache_access_log",
      "category_id" : 1,
      "terms" : "GET Mozilla/5.0 Macintosh Intel Mac OS X KHTML like Gecko",
      "regex" : """.*?GET.+?Mozilla/5\.0.+?Macintosh.+?Intel.+?Mac.+?OS.+?X.+?KHTML.+?like.+?Gecko.*""",
      "max_matching_length" : 552,
      "examples" : [
        "83.149.9.216 - - [17/May/2015:10:05:00 +0000] \"GET /presentations/logstash-monitorama-2013/images/redis.png HTTP/1.1\" 200 25230 \"http://semicomplete.com/presentations/logstash-monitorama-2013/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
        "83.149.9.216 - - [17/May/2015:10:05:03 +0000] \"GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1\" 200 203023 \"http://semicomplete.com/presentations/logstash-monitorama-2013/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
        "83.149.9.216 - - [17/May/2015:10:05:07 +0000] \"GET /presentations/logstash-monitorama-2013/plugin/notes/notes.js HTTP/1.1\" 200 2892 \"http://semicomplete.com/presentations/logstash-monitorama-2013/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
        "83.149.9.216 - - [17/May/2015:10:05:11 +0000] \"GET /presentations/logstash-monitorama-2013/images/kibana-dashboard2.png HTTP/1.1\" 200 394967 \"http://semicomplete.com/presentations/logstash-monitorama-2013/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\""
      ],
      "grok_pattern" : """.*?%{IP:ipaddress}.+?%{HTTPDATE:timestamp}.+?GET.+?%{PATH:path}.+?%{NUMBER:field}.*?%{QUOTEDSTRING:field2}.*?%{URI:uri}.*?%{PATH:path2}.*?%{QUOTEDSTRING:field3}.*?Mozilla/5\.0.+?Macintosh.+?Intel.+?Mac.+?OS.+?X.+?%{NUMBER:field4}.+?KHTML.+?like.+?Gecko.+?%{NUMBER:field5}.*""",
      "preferred_to_categories" : [
        8,
        36
      ],
      "num_matches" : 894,
      "result_type" : "category_definition",
      "mlcategory" : "1"
    },

with ECS Grok patterns

    {
      "job_id" : "categories_apache_access_log",
      "category_id" : 1,
      "terms" : "GET Mozilla/5.0 Macintosh Intel Mac OS X KHTML like Gecko",
      "regex" : """.*?GET.+?Mozilla/5\.0.+?Macintosh.+?Intel.+?Mac.+?OS.+?X.+?KHTML.+?like.+?Gecko.*""",
      "max_matching_length" : 552,
      "examples" : [
        "83.149.9.216 - - [17/May/2015:10:05:00 +0000] \"GET /presentations/logstash-monitorama-2013/images/redis.png HTTP/1.1\" 200 25230 \"http://semicomplete.com/presentations/logstash-monitorama-2013/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
        "83.149.9.216 - - [17/May/2015:10:05:03 +0000] \"GET /presentations/logstash-monitorama-2013/images/kibana-search.png HTTP/1.1\" 200 203023 \"http://semicomplete.com/presentations/logstash-monitorama-2013/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
        "83.149.9.216 - - [17/May/2015:10:05:07 +0000] \"GET /presentations/logstash-monitorama-2013/plugin/notes/notes.js HTTP/1.1\" 200 2892 \"http://semicomplete.com/presentations/logstash-monitorama-2013/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\"",
        "83.149.9.216 - - [17/May/2015:10:05:11 +0000] \"GET /presentations/logstash-monitorama-2013/images/kibana-dashboard2.png HTTP/1.1\" 200 394967 \"http://semicomplete.com/presentations/logstash-monitorama-2013/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36\""
      ],
      "grok_pattern" : """.*?%{IP:ipaddress}.+?%{HTTPDATE:timestamp}.+?GET.+?%{PATH:path}.+?%{NUMBER:field}.*?%{QUOTEDSTRING:field2}.*?%{URI:url.original}.*?%{PATH:path2}.*?%{QUOTEDSTRING:field3}.*?Mozilla/5\.0.+?Macintosh.+?Intel.+?Mac.+?OS.+?X.+?%{NUMBER:field4}.+?KHTML.+?like.+?Gecko.+?%{NUMBER:field5}.*""",
      "preferred_to_categories" : [
        8,
        36
      ],
      "num_matches" : 894,
      "result_type" : "category_definition",
      "mlcategory" : "1"
    },

(Note the URI capture field has changed from uri to url.original)

And with elasticsearch logs:

Legacy Grok patterns:

    {
      "job_id" : "categorize_es_loglevel",
      "category_id" : 32,
      "terms" : "INFO o.e.c.m.MetadataIndexTemplateService Eds-MacBook-Pro.local adding index template for index patterns",
      "regex" : ".*?template.+?for.+?index.+?patterns.*",
      "max_matching_length" : 228,
      "examples" : [
        "[2022-08-15T10:41:55,338][INFO ][o.e.c.m.MetadataIndexTemplateService] [Eds-MacBook-Pro.local] adding index template [.watch-history-16] for index patterns [.watcher-history-16*]",
        "[2022-08-15T10:41:55,341][INFO ][o.e.c.m.MetadataIndexTemplateService] [Eds-MacBook-Pro.local] adding index template [.slm-history] for index patterns [.slm-history-5*]",
        "[2022-08-15T10:41:55,343][INFO ][o.e.c.m.MetadataIndexTemplateService] [Eds-MacBook-Pro.local] adding index template [ilm-history] for index patterns [ilm-history-5*]",
        "[2022-08-15T10:41:55,368][INFO ][o.e.c.m.MetadataIndexTemplateService] [Eds-MacBook-Pro.local] adding index template [.monitoring-beats-mb] for index patterns [.monitoring-beats-8-*]"
      ],
      "grok_pattern" : ".*?%{TIMESTAMP_ISO8601:timestamp}.+?%{LOGLEVEL:loglevel}.+?template.+?for.+?index.+?patterns.*",
      "num_matches" : 23,
      "result_type" : "category_definition",
      "mlcategory" : "32"
    },

ECS Grok patterns:

    {
      "job_id" : "categorize_es_loglevel",
      "category_id" : 32,
      "terms" : "INFO o.e.c.m.MetadataIndexTemplateService Eds-MacBook-Pro.local adding index template for index patterns",
      "regex" : ".*?template.+?for.+?index.+?patterns.*",
      "max_matching_length" : 228,
      "examples" : [
        "[2022-08-15T10:41:55,338][INFO ][o.e.c.m.MetadataIndexTemplateService] [Eds-MacBook-Pro.local] adding index template [.watch-history-16] for index patterns [.watcher-history-16*]",
        "[2022-08-15T10:41:55,341][INFO ][o.e.c.m.MetadataIndexTemplateService] [Eds-MacBook-Pro.local] adding index template [.slm-history] for index patterns [.slm-history-5*]",
        "[2022-08-15T10:41:55,343][INFO ][o.e.c.m.MetadataIndexTemplateService] [Eds-MacBook-Pro.local] adding index template [ilm-history] for index patterns [ilm-history-5*]",
        "[2022-08-15T10:41:55,368][INFO ][o.e.c.m.MetadataIndexTemplateService] [Eds-MacBook-Pro.local] adding index template [.monitoring-beats-mb] for index patterns [.monitoring-beats-8-*]"
      ],
      "grok_pattern" : ".*?%{TIMESTAMP_ISO8601:timestamp}.+?%{LOGLEVEL:log.level}.+?template.+?for.+?index.+?patterns.*",
      "num_matches" : 23,
      "result_type" : "category_definition",
      "mlcategory" : "32"
    },

(Note the LOGLEVEL capture field has been renamed from loglevel to log.level)

droberts195 · 2022-08-16T13:36:07Z

.../ml/src/test/java/org/elasticsearch/xpack/ml/job/categorization/GrokPatternCreatorTests.java

+        // For ECS compliant Grok patterns TOMCAT_DATESTAMP is defined as:
+        // TOMCAT_DATESTAMP (?:%{CATALINA8_DATESTAMP})|(?:%{CATALINA7_DATESTAMP})|(?:%{TOMCATLEGACY_DATESTAMP})
+        // and since the timestamps in the example messages are in CATALINA7_DATESTAMP format, TOMCAT_DATESTAMP, being at the
+        // front of our ORDERED_CANDIDATE_GROK_PATTERNS list, matches.


I think a better way to fix this is to change ORDERED_CANDIDATE_GROK_PATTERNS to have TOMCATLEGACY_DATESTAMP first instead of TOMCAT_DATESTAMP.

Patterns that try multiple options are slower to match, and it seems like this old Tomcat format is really ancient as the person who updated the Grok patterns to ECS format couldn't find an example.

This discovery also has implications for the TimestampFormatFinder class. That should also be changed to swap out TOMCAT_DATESTAMP for TOMCATLEGACY_DATESTAMP when ECS compatibility is set to v1 - please open a separate PR for that.

droberts195

LGTM

[ML] categpries endpoint to use ECS Grok patterns

76907a8

Change the Grok pattern creator for _ml/anomaly_detectors/<job_id>/results/categories to always use ECS Grok patterns relates elastic#77065

edsavage added >enhancement :ml Machine learning Team:ML Meta label for the ML team v8.5.0 labels Aug 16, 2022

droberts195 changed the title ~~[ML] categories endpoint to use ECS Grok patterns~~ [ML] Get categories endpoint to use ECS Grok patterns Aug 16, 2022

droberts195 reviewed Aug 16, 2022

View reviewed changes

Attend to review comments

e356fff

droberts195 approved these changes Aug 16, 2022

View reviewed changes

edsavage merged commit fd9473a into elastic:main Aug 16, 2022

droberts195 mentioned this pull request Aug 16, 2022

[ML] Switch to ECS Grok patterns in text structure finder and categorization #77065

Closed

4 tasks

edsavage mentioned this pull request Aug 17, 2022

[ML] Performance improvements related to ECS Grok pattern usage #89424

Merged

edsavage deleted the ecs_grok_patterns_categories branch November 6, 2023 09:52

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[ML] Get categories endpoint to use ECS Grok patterns#89386

[ML] Get categories endpoint to use ECS Grok patterns#89386
edsavage merged 2 commits intoelastic:mainfrom
edsavage:ecs_grok_patterns_categories

edsavage commented Aug 16, 2022

Uh oh!

elasticsearchmachine commented Aug 16, 2022

Uh oh!

edsavage commented Aug 16, 2022

Uh oh!

droberts195 Aug 16, 2022

Uh oh!

droberts195 left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

edsavage commented Aug 16, 2022

Uh oh!

elasticsearchmachine commented Aug 16, 2022

Uh oh!

edsavage commented Aug 16, 2022

Uh oh!

droberts195 Aug 16, 2022

Choose a reason for hiding this comment

Uh oh!

droberts195 left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants