Adding the following event (obtained from the winlogbeat top half pipeline) to test inputs results in a failure:
{
  "@timestamp": "2020-05-15T08:33:26.393089Z",
  "event": {
    "action": "Pipeline Execution Details",
    "code": "800",
    "kind": "event",
    "provider": "PowerShell"
  },
  "host": {
    "name": "vagrant"
  },
  "log": {
    "level": "information"
  },
  "message": "Pipeline execution details for command line: . \n\nContext Information: \n\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=143\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine= \n\nDetails: \nCommandInvocation(Out-Default): \"Out-Default\"\nParameterBinding(Out-Default): name=\"InputObject\"; value=\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"",
  "winlog": {
    "api": "wineventlog",
    "channel": "Windows PowerShell",
    "computer_name": "vagrant",
    "event_data": {
      "param2": "\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=143\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=",
      "param3": "ParameterBinding(Out-Default): name=\"InputObject\"; value=\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\""
    },
    "event_id": "800",
    "keywords": [
      "Classic"
    ],
    "opcode": "Info",
    "provider_name": "PowerShell",
    "record_id": 1847,
    "task": "Pipeline Execution Details"
  }
}
FAILURE DETAILS:
windows/powershell test-events.json:
[0] unexpected pipeline error: [scripting] Regular expression considered too many characters, pattern: [^(.+)\\((.+)\\)\\:\\s*(.+)?$], limit factor: [6], char limit: [1470], count: [1471], wrapped: [ParameterBinding(Out-Default): name=\"InputObject\"; value=\"Can...], this limit can be changed by changed by the [script.painless.regex.limit-factor] setting
╭─────────┬─────────────┬───────────┬──────────────────┬─────────────────────────────────────────────────────────────────────────────┬──────────────╮
│ PACKAGE │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │ TIME ELAPSED │
├─────────┼─────────────┼───────────┼──────────────────┼─────────────────────────────────────────────────────────────────────────────┼──────────────┤
│ windows │ powershell │ pipeline │ test-events.json │ FAIL: test case failed: one or more problems with fields found in documents │ 17.476801ms │
╰─────────┴─────────────┴───────────┴──────────────────┴─────────────────────────────────────────────────────────────────────────────┴──────────────╯
Related to elastic/beats#31833.
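
Added example, not code from this issue or from the integration's pipeline (which is Painless; Python is used here for illustration): it derives the character budget in the failure message from the limit factor and the length of `winlog.event_data.param3`, then splits a `Type(Name): value` detail line with two forward scans so no regex backtracking is involved. The names `char_budget` and `split_detail`, and the reading of the pattern's three groups as type, name and value, are assumptions.

```python
import re

# Pattern from the failure message, with the log's doubled backslashes undone.
PIPELINE_PATTERN = re.compile(r"^(.+)\((.+)\)\:\s*(.+)?$")
LIMIT_FACTOR = 6  # "limit factor: [6]" in the failure message

# winlog.event_data.param3 from the event above, JSON-unescaped.
PARAM3 = (
    r'''ParameterBinding(Out-Default): name="InputObject"; value="Cannot find the '''
    r'''Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\Gopath'''
    r'''\src\github.com\elastic\beats\x-pack\winlogbeat\en-US\', or in any parent '''
    r'''culture directories."'''
)


def char_budget(text, factor=LIMIT_FACTOR):
    """Characters a Painless regex may examine: limit factor * input length."""
    return factor * len(text)


def split_detail(line):
    """Split one 'Type(Name): value' line without a regex.

    Uses the first '(' and the first '):' after it, so the work is linear in
    the line length. (The greedy regex prefers the last such delimiters; the
    two agree when each delimiter occurs once, as in the event above.)
    Returns (type, name, value) or None; value is None when empty, matching
    the optional third group of the pattern.
    """
    open_idx = line.find("(")
    if open_idx < 1:                      # no '(' or empty type
        return None
    close_idx = line.find("):", open_idx + 1)
    if close_idx <= open_idx + 1:         # no '):' or empty name
        return None
    value = line[close_idx + 2:].lstrip()
    return line[:open_idx], line[open_idx + 1:close_idx], value or None


if __name__ == "__main__":
    print("input length:", len(PARAM3), "budget:", char_budget(PARAM3))
    print(split_detail(PARAM3))
```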