[aws, blacklens, github, microsoft_sentinel] Conflicting event.kind values in constant_keyword fields

[andrewkroh]

The following data streams define event.kind as a constant_keyword field but attempt to set it to conflicting values within their ingest pipelines. This configuration will cause indexing errors because constant_keyword fields must have a single, immutable value for all documents in the index.

Summary of Issues

• Fixed Value Conflict: The field definition explicitly sets a constant value (e.g., alert), but the ingest pipeline sets it to a different value (e.g., pipeline_error) during error handling or other conditional logic.
• Multiple Value Conflict: The field definition is constant_keyword but does not specify a value (meaning the first indexed document sets the constant for the index). However, the pipeline sets the field to multiple different values (e.g., state normally, but pipeline_error on failure), ensuring that one of those cases will fail to index.

Affected Data Streams

Package	Data Stream	Field Definition	Conflicting Pipeline Processor
aws	securityhub_findings_full_posture	fields/ecs.yml:4 (value: unset)	default.yml:18 (sets state) default.yml:2668 (sets pipeline_error)
blacklens	alerts	fields/ecs.yml:2 (value: alert)	default.yml:99 (sets pipeline_error)
github	code_scanning	fields/ecs.yml:2 (value: alert)	default.yml:287 (sets pipeline_error)
github	dependabot	fields/ecs.yml:2 (value: alert)	default.yml:318 (sets pipeline_error)
github	issues	fields/ecs.yml:2 (value: event)	default.yml:250 (sets pipeline_error)
github	secret_scanning	fields/ecs.yml:2 (value: alert)	default.yml:300 (sets pipeline_error)
microsoft_sentinel	alert	fields/ecs.yml:2 (value: alert)	default.yml:457 (sets pipeline_error)
microsoft_sentinel	event	fields/ecs.yml:2 (value: alert)	default.yml:451 (sets pipeline_error)
microsoft_sentinel	incident	fields/ecs.yml:2 (value: alert)	default.yml:455 (sets pipeline_error)

NOTE: websphere_application_server also uses contstant_keyword for event.kind, but does not set it to multiple values (only metric).

Detection

Details

Execute this sqlite query against the pre-build database from go-package-spec.

SELECT p.name                                                         AS package_name,
       ds.dir_name                                                    AS data_stream_name,
       f.name                                                         AS field_name,
       f.value                                                        AS defined_constant,
       GROUP_CONCAT(DISTINCT
                    json_extract(pro.attributes, '$.value'))          AS pipeline_values
FROM data_streams ds
         JOIN packages p ON ds.packages_id = p.id
         JOIN data_stream_fields dsf ON ds.id = dsf.data_stream_id
         JOIN fields f ON dsf.field_id = f.id
         JOIN ingest_pipelines ip ON ds.id = ip.data_streams_id
         JOIN ingest_processors pro ON ip.id = pro.ingest_pipelines_id
WHERE f.type = 'constant_keyword'
  AND pro.type IN ('set', 'append')
  AND json_extract(pro.attributes, '$.field') = f.name
GROUP BY ds.id, f.id
HAVING
-- Conflict 1: Pipeline sets a value different from the defined constant
    (defined_constant IS NOT NULL AND pipeline_values != defined_constant)
-- Conflict 2: Pipeline sets multiple distinct values for a constant field (even if defined_constant is null)
    OR (COUNT(DISTINCT json_extract(pro.attributes, '$.value')) > 1);

package_name	data_stream_name	field_name	defined_constant	pipeline_values
blacklens	alerts	event.kind	alert	pipeline_error
azure	platformlogs	event.dataset	azure.platformlogs	azure.springcloudlogs
aws	securityhub_findings_full_posture	event.kind	null	state,pipeline_error
github	issues	event.kind	event	pipeline_error
github	secret_scanning	event.kind	alert	pipeline_error
github	code_scanning	event.kind	alert	pipeline_error
github	dependabot	event.kind	alert	pipeline_error
microsoft_sentinel	alert	event.kind	alert	pipeline_error
microsoft_sentinel	event	event.kind	alert	pipeline_error
microsoft_sentinel	incident	event.kind	alert	pipeline_error

NOTE: azure.platformlogs has this problem with the event.dataset field, but it is resetting event.dataset before rerouting so it is a benign issue.

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[github-actions]

Claude finished @andrewkroh's task in 4m 30s —— View job

---

Recommendation

Remove the set event.kind = pipeline_error from all error handlers in the affected pipelines. The constant_keyword field type is incompatible with dynamic value assignment - once a constant value is set (either explicitly in the mapping or by the first indexed document), any document with a different value will fail to index.

Findings

Root Cause

The affected data streams define event.kind with type: constant_keyword in their field definitions but their ingest pipelines attempt to set event.kind = pipeline_error during error handling. This is a fundamental conflict:

1. constant_keyword fields are optimized for cases where all documents in an index share the same value. The constant value is stored once in the index metadata, not per-document.

2. When value is set in mapping (e.g., value: alert): Any document attempting to set a different value will cause an indexing error.

3. When value is unset in mapping (like aws/securityhub_findings_full_posture): The first indexed document establishes the constant for the entire index. If the first document is state and a subsequent error document tries to set pipeline_error, it will fail to index.

Pattern Analysis

Package	Field Definition	Pipeline Behavior
blacklens/alerts	value: alert	Sets pipeline_error in global on_failure
github/ (4 data streams)	value: alert or event	Sets pipeline_error in global on_failure
microsoft_sentinel/ (3 data streams)	value: alert	Sets pipeline_error both conditionally AND in global on_failure
aws/securityhub_findings_full_posture	Value unset	Sets state normally, pipeline_error in on_failure

Correct Pattern in Repository

Many integrations in this repository correctly handle errors without modifying event.kind:

• crowdstrike/falcon: Uses external: ecs for event.kind (regular keyword type)
• github/security_advisories: Does NOT define event.kind as constant_keyword, allowing pipeline_error to be set

The on_failure handler should only append to error.message and tags (to preserve original event), not modify event.kind when it's defined as a constant_keyword.

Detailed Action Plan

For each affected data stream, apply one of two fixes based on the use case:

Option A: Remove event.kind modification from error handlers (Recommended)

This is the simpler fix that preserves the constant_keyword optimization:

1. blacklens/alerts - packages/blacklens/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml:99-101

   • Remove the set processor that sets event.kind: pipeline_error

2. github/code_scanning - packages/github/data_stream/code_scanning/elasticsearch/ingest_pipeline/default.yml:287-289

   • Remove the set processor that sets event.kind: pipeline_error

3. github/dependabot - packages/github/data_stream/dependabot/elasticsearch/ingest_pipeline/default.yml:318-320

   • Remove the set processor that sets event.kind: pipeline_error

4. github/issues - packages/github/data_stream/issues/elasticsearch/ingest_pipeline/default.yml:250-252

   • Remove the set processor that sets event.kind: pipeline_error

5. github/secret_scanning - packages/github/data_stream/secret_scanning/elasticsearch/ingest_pipeline/default.yml:300-302

   • Remove the set processor that sets event.kind: pipeline_error

6. microsoft_sentinel/alert - packages/microsoft_sentinel/data_stream/alert/elasticsearch/ingest_pipeline/default.yml:457-461

   • Remove both: the conditional set processor (lines 457-461) AND the one in on_failure section

7. microsoft_sentinel/event - packages/microsoft_sentinel/data_stream/event/elasticsearch/ingest_pipeline/default.yml:451-455

   • Remove the conditional set processor

8. microsoft_sentinel/incident - packages/microsoft_sentinel/data_stream/incident/elasticsearch/ingest_pipeline/default.yml:455-459

   • Remove the conditional set processor

9. aws/securityhub_findings_full_posture - packages/aws/data_stream/securityhub_findings_full_posture/elasticsearch/ingest_pipeline/default.yml:2668-2670

   • Remove the set processor that sets event.kind: pipeline_error

Option B: Change field type to regular keyword

If distinguishing pipeline_error events is important for operational purposes:

1. Change type: constant_keyword to external: ecs in each fields/ecs.yml
2. Ensure the pipeline explicitly sets event.kind to the correct value (e.g., alert, event, state) at the beginning
3. Keep the error handler that sets event.kind: pipeline_error

Tradeoff: Option B loses the storage/query optimization of constant_keyword but provides operational visibility into pipeline errors.

Testing

After making changes:

1. Run elastic-package check in each affected package directory
2. Run elastic-package test to validate ingest pipeline behavior
3. Verify that documents index successfully both normally and during error conditions

Related Issues and Pull Requests

Repository	Issue or PR	Relevance
elastic/integrations	Issue #6582 - ensure packages set error.kind to "pipeline_error"	Historical context - this issue drove the addition of event.kind = pipeline_error patterns, but didn't account for constant_keyword conflicts
elastic/integrations	PR #6613 - c*: ensure event.kind is correctly set for pipeline errors	Example of how this pattern was propagated across integrations
elastic/integrations	PR #6616 - [hi]*: ensure event.kind is correctly set for pipeline errors	Part of the same effort that introduced this conflict

Related Files

Repository	File	Relevance	Sections
elastic/integrations	blacklens/alerts/fields/ecs.yml	Defines event.kind as constant_keyword with value alert	L2-4
elastic/integrations	blacklens/alerts/default.yml	Sets event.kind: pipeline_error in on_failure	L99-101
elastic/integrations	github/code_scanning/fields/ecs.yml	Defines event.kind as constant_keyword with value alert	L2-4
elastic/integrations	aws/securityhub_findings_full_posture/fields/ecs.yml	Defines event.kind as constant_keyword without explicit value	L4-5
elastic/integrations	crowdstrike/falcon/fields/ecs.yml	Example of correct pattern using external: ecs	L8-9

Related Webpages

Name	URL	Relevance
Elasticsearch Keyword Field Types	https://www.elastic.co/guide/en/elasticsearch/reference/current/keyword.html	Documents constant_keyword field type behavior and constraints
Elasticsearch Error Handling	https://www.elastic.co/docs/manage-data/ingest/transform-enrich/error-handling	Best practices for pipeline error handling

---

Why is Claude responding? | Type @claude to interact further

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[andrewkroh]

In #17562, efd6 raised the issue of constant_keyword event.kind in the github transforms. This is definitely are problem too. We should be filtering (excluding) event.kind:pipeline_error from the latest_* indices via a source query. IMO we don't want the latest value to be an error. We might as well change the type there too for consistency.