Enhance Azure platformlogs ingest pipeline for function app logs#14926

Merged
kaiyan-sheng merged 7 commits intoelastic:mainfrom
kaiyan-sheng:platformlogs
Aug 14, 2025

Conversation


@kaiyan-sheng kaiyan-sheng commented Aug 13, 2025

Proposed commit message

When a user tries to ingest function app logs using our Azure integration, the @timestamp field is missing. After testing with the sample log, I found several issues with the new log format:

  • Invalid JSON in the properties field: the log contains a properties field that is a string with single quotes.
  • Date format parsing failure: the pipeline previously failed to set the @timestamp field for logs using the M/d/yyyy H:mm:ss date format. The date processor has been updated to include this format.
  • Undefined fields: several new fields are introduced in this log type, such as EventIpAddress and EventStampName.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test it locally

elastic-package stack up -d --services=elasticsearch
cd packages/azure
elastic-package test pipeline --data-streams platformlogs

and we will get:

kaiyansheng ~/go/src/github.com/elastic/integrations/packages/azure [platformlogs] $ elastic-package test pipeline --data-streams platformlogs
2025/08/14 11:02:38  WARN CommitHash is undefined, in both /Users/kaiyansheng/.elastic-package/version and the compiled binary, config may be out of date.
Run pipeline tests for the package
--- Test results for package: azure - START ---
╭─────────┬──────────────┬───────────┬───────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM  │ TEST TYPE │ TEST NAME                                                         │ RESULT │ TIME ELAPSED │
├─────────┼──────────────┼───────────┼───────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ azure   │ platformlogs │ pipeline  │ (ingest pipeline warnings test-platformlogs-edgecases.log)        │ PASS   │ 861.473875ms │
│ azure   │ platformlogs │ pipeline  │ (ingest pipeline warnings test-platformlogs-functionapp.log)      │ PASS   │ 860.339917ms │
│ azure   │ platformlogs │ pipeline  │ (ingest pipeline warnings test-platformlogs-identity-raw.log)     │ PASS   │ 795.450666ms │
│ azure   │ platformlogs │ pipeline  │ (ingest pipeline warnings test-platformlogs-identity.log)         │ PASS   │    798.341ms │
│ azure   │ platformlogs │ pipeline  │ (ingest pipeline warnings test-platformlogs-invalid-json-raw.log) │ PASS   │ 821.740541ms │
│ azure   │ platformlogs │ pipeline  │ (ingest pipeline warnings test-platformlogs-invalid-raw.log)      │ PASS   │ 817.182375ms │
│ azure   │ platformlogs │ pipeline  │ (ingest pipeline warnings test-platformlogs-kube.log)             │ PASS   │ 757.030958ms │
│ azure   │ platformlogs │ pipeline  │ (ingest pipeline warnings test-platformlogs-raw.log)              │ PASS   │ 762.386958ms │
│ azure   │ platformlogs │ pipeline  │ (ingest pipeline warnings test-platformlogs-remote-raw.log)       │ PASS   │ 786.850416ms │
│ azure   │ platformlogs │ pipeline  │ test-platformlogs-edgecases.log                                   │ PASS   │  45.357834ms │
│ azure   │ platformlogs │ pipeline  │ test-platformlogs-functionapp.log                                 │ PASS   │     42.781ms │
│ azure   │ platformlogs │ pipeline  │ test-platformlogs-identity-raw.log                                │ PASS   │   39.91325ms │
│ azure   │ platformlogs │ pipeline  │ test-platformlogs-identity.log                                    │ PASS   │     40.639ms │
│ azure   │ platformlogs │ pipeline  │ test-platformlogs-invalid-json-raw.log                            │ PASS   │  41.938292ms │
│ azure   │ platformlogs │ pipeline  │ test-platformlogs-invalid-raw.log                                 │ PASS   │  45.033541ms │
│ azure   │ platformlogs │ pipeline  │ test-platformlogs-kube.log                                        │ PASS   │  40.893083ms │
│ azure   │ platformlogs │ pipeline  │ test-platformlogs-raw.log                                         │ PASS   │  41.189667ms │
│ azure   │ platformlogs │ pipeline  │ test-platformlogs-remote-raw.log                                  │ PASS   │  39.390375ms │
╰─────────┴──────────────┴───────────┴───────────────────────────────────────────────────────────────────┴────────┴──────────────╯

@kaiyan-sheng kaiyan-sheng requested a review from a team as a code owner August 13, 2025 23:32
@kaiyan-sheng kaiyan-sheng self-assigned this Aug 13, 2025
@kaiyan-sheng kaiyan-sheng requested review from a team as code owners August 13, 2025 23:36
@kaiyan-sheng kaiyan-sheng added the Team:obs-ds-hosted-services Observability Hosted Services team [elastic/obs-ds-hosted-services] label Aug 13, 2025

elastic-vault-github-plugin-prod bot commented Aug 14, 2025

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@@ -0,0 +1 @@
{ "properties": "{'appName':'test','roleInstance':'abc','message':'Test 2025-07-17T03:26:03.3543455Z.','category':'Function.timerTriggerFileInput.User','hostVersion':'4.1041.200.1','functionInvocationId':'809a97a9','functionName':'timerTriggerFileInput','hostInstanceId':'4bfe6a4e','level':'Information','levelId':2,'processId':27}", "time": "08/06/2025 14:26:04", "resourceId": "/SUBSCRIPTIONS/123456789/RESOURCEGROUPS/A/PROVIDERS/MICROSOFT.WEB/SITES/test", "level": "Informational", "category": "FunctionAppLogs", "operationName": "Microsoft.Web/sites/functions/log", "location": "brazilsouth", "EventStampType": "Stamp", "EventPrimaryStampName": "waws-prod-cq1-041", "EventStampName": "waws-prod-cq1-041", "Host": "ln0sdlwk000CYU", "EventIpAddress": "10.80.0.14"}
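Review bot: the `time` value `08/06/2025 14:26:04` in this sample is ambiguous between month-first and day-first, so the expected-output file for this test should assert the resulting `@timestamp` (2025-08-06 under the `M/d/yyyy H:mm:ss` format this PR adds) to lock in that choice; also, none of the values inside the `properties` string contains an apostrophe, so the single-quote-to-double-quote swap is never exercised against the one input shape where it would produce invalid JSON. Consider adding a second sample line with such a value so the pipeline's behaviour in that case is documented by the test.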
Contributor

@gizas gizas Aug 14, 2025


Just noticed the single quotes in this original log.
So those are not like https://github.com/elastic/integrations/blob/main/packages/awsfirehose/data_stream/logs/_dev/test/pipeline/test-apigateway-log.json#L8 with '"', so as to have, for example, "appName".

Sorry for this comment, just saying, in case it is worth updating because something is hidden.

Contributor


Yeah, Functions logs are one of the Azure log categories that contain invalid JSON.

Author


Yeah, this is one of the problems in this function log sample. I guess unfortunately we have to deal with it.

Contributor

@gizas gizas left a comment


LGTM!

Comment on lines +57 to +85
- set:
field: temp_properties
value: '{{azure.platformlogs.properties}}'
if: "ctx.azure?.platformlogs?.properties instanceof String"
target_field: azure.platformlogs.properties.raw
ignore_failure: true
description: 'Temporarily store the properties string.'
- remove:
field: azure.platformlogs.properties
if: "ctx.temp_properties != null"
ignore_missing: true
description: 'Remove the properties string field.'
- script:
lang: painless
source: >-
if (ctx?.temp_properties != null) {
ctx.temp_properties = ctx.temp_properties.replace("'", "\"");
}
ignore_failure: true
description: 'Convert single quotes to double quotes in the properties string to make it valid JSON.'
- json:
field: temp_properties
target_field: azure.platformlogs.properties
if: "ctx.temp_properties != null"
ignore_failure: true
description: 'Parse the stringified JSON properties field into a nested object.'
- remove:
field: temp_properties
ignore_missing: true
description: 'Rename the field to `properties.raw` to avoid parse errors with the `properties` containing a string.'
description: 'Remove the temporary field after successful parsing.'
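Review bot: the final `remove` of `temp_properties` is unconditional, while the `json` step before it has `ignore_failure: true` and the original `azure.platformlogs.properties` string was already removed two steps earlier, so a string that is still not valid JSON after the quote swap is dropped silently with no trace left in the event, contrary to the description "after successful parsing". Either guard this removal with the same condition as the `json` step, or keep the raw string somewhere (the first `set` names `azure.platformlogs.properties.raw` as `target_field`, but the `set` processor has no `target_field` option, so check that this is not a leftover from the earlier `rename`). The last processor also carries two `description` keys; the one about `properties.raw` belongs to the rename it replaced and should go.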
Contributor


Here we're assuming that if properties is a string, it contains an embedded JSON document.

By replacing single-quotes with double-quotes, there's a non-zero risk of corrupting the string. I searched through test documents in Beats, integrations, and my archive of user cases: I only found strings with embedded JSON documents.

The benefits probably outweigh the minor risk.
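The quote swap discussed in the comment above, together with the two format fixes from the PR description (the stringified `properties` field and the `M/d/yyyy H:mm:ss` time format), as an added Python example that is not the integration's own pipeline code: the sample values are constructed to resemble the test log in this PR, and the apostrophe case is an assumption, since the page does not show how Azure renders one inside a value.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample shaped like the function app log in this PR (not the repo's test file).
SAMPLE_PROPERTIES = "{'appName':'test','level':'Information','levelId':2,'processId':27}"
# Assumed case: an apostrophe inside a value, which the page does not show.
APOSTROPHE_PROPERTIES = "{'message':'can't open file','level':'Error'}"


def naive_fix(properties: str) -> str:
    """The pipeline's Painless step: replace every single quote with a double quote."""
    return properties.replace("'", '"')


def parse_properties(properties):
    """Return (parsed_object, raw_string).

    Mirrors the set/script/json/remove steps of the pipeline, but keeps the
    original string whenever the result is still not valid JSON instead of
    dropping it along with the temporary field.
    """
    if not isinstance(properties, str):
        return properties, None  # already an object, nothing to do
    for candidate in (properties, naive_fix(properties)):
        try:
            parsed = json.loads(candidate)
        except ValueError:  # JSONDecodeError is a ValueError
            continue
        if isinstance(parsed, dict):
            return parsed, None
    return None, properties  # the swap corrupted it: keep the evidence, parse nothing


def parse_time(value: str) -> datetime:
    """Accept the M/d/yyyy H:mm:ss form added in this PR as well as ISO 8601."""
    try:
        return datetime.strptime(value, "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    except ValueError:
        pass
    # Azure ISO timestamps carry 7 fractional digits; Python keeps microseconds.
    iso = re.sub(r"(\.\d{6})\d+", r"\1", value).replace("Z", "+00:00")
    return datetime.fromisoformat(iso)


if __name__ == "__main__":
    print(parse_properties(SAMPLE_PROPERTIES))
    print(parse_properties(APOSTROPHE_PROPERTIES))
    print(parse_time("08/06/2025 14:26:04").isoformat())
```

The second call shows the failure mode raised above: after the swap the string is no longer parseable, and the only safe outcome is to keep the raw value rather than lose it.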

Author


Yeah I agree! Maybe we will revisit if edge cases happen 🤔

@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:azure Azure Logs Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] labels Aug 14, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Contributor

@ShourieG ShourieG left a comment


CODEOWNER Review

description: >
Result description

- name: EventIpAddress
Contributor


Do we need the EventIpAddress and Host declarations in fields.yml, as these fields are already renamed here?

Author


Good catch! Let me check! Thanks!!

Contributor

@muthu-mps muthu-mps left a comment


Left comment on fields.yml, change looks good to me otherwise!

@elasticmachine

💚 Build Succeeded

cc @kaiyan-sheng

@elastic-sonarqube

Quality Gate failed

Failed conditions
53.5% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

@kaiyan-sheng kaiyan-sheng merged commit 97c5d11 into elastic:main Aug 14, 2025
8 of 9 checks passed
@kaiyan-sheng kaiyan-sheng deleted the platformlogs branch August 14, 2025 17:59
@elastic-vault-github-plugin-prod

Package azure - 1.28.2 containing this change is available at https://epr.elastic.co/package/azure/1.28.2/

robester0403 pushed a commit to robester0403/integrations that referenced this pull request Aug 14, 2025
@andrewkroh andrewkroh added the bugfix Pull request that fixes a bug issue label Sep 3, 2025
tehbooom pushed a commit to tehbooom/integrations that referenced this pull request Nov 19, 2025