rapid7_insightvm: use terminate function to stop pagination in HTTPJSON templates

[navnit-elastic]

Proposed commit message

rapid7_insightvm: use terminate function to stop pagination in HTTPJSON templates

Previously, it relied on a template error to stop pagination, which resulted in
the fleet's health status changing to degraded.

The "terminate" processor is available starting from stack version 8.19.3 and 9.1.3.
Reference: https://github.com/elastic/beats/pull/45810.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• Relates [LogsDB] [Subscription basic] [rapid7_insightvm] Failing test daily: system test: (elastic-agent logs - default) in rapid7_insightvm.asset #14330
• Relates [Subscription basic] [rapid7_insightvm] Failing test daily: system test: (elastic-agent logs - default) in rapid7_insightvm.asset #14301

Screenshots

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 4bab472

cc @navnit-elastic

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[efd6]

I think this needs assert.hit_count in the system tests (looking at this, I'm not sure that the tests would actually pass in the old state; AFAICS there should be 3 events in the assets test and 7 for the vulnerability test; but they give only 2 each).

With this change, in the assets data stream, I see

2025/08/29 18:01:48 DEBUG found 0 hits in logs-rapid7_insightvm.asset-38517 data stream
2025/08/29 18:01:49 DEBUG found 1300 hits in logs-rapid7_insightvm.asset-38517 data stream
2025/08/29 18:01:53 DEBUG found 6913 hits in logs-rapid7_insightvm.asset-38517 data stream

(in the vulnerability stream, it stays at 2)

[navnit-elastic]

Hi @efd6, by looking at the agent logs, It appears that the template execution is not getting terminated when it should be. The message template execution terminated appears multiple time in logs. Did I make the correct use of the terminate function?

[efd6]

@navnit-elastic The terminate helper prevents any error from being emitted, so the pagination will not stop. It terminates the evaluation of the template, nothing else. The option that is needed here is ignore_empty_value, but this is only on the cursor assignment templates. I do not think we have a way of suppressing the same thing when the destination is not the cursor.

[navnit-elastic]

Thanks @efd6 for the clarification, The confusion is arises from the template error and fleet health status being degraded (which is the root cause of flaky tests failures) representing different aspects.
We need a way to stop pagination without updating the fleet health status to degraded, which I believe be addressed after PR elastic/beats#46332 is merged. This PR should be closed.

[efd6]

Yeah. When the fix in beats is merged, the fix here becomes a matter of just bumping the kibana.version.

[kcreddy]

@navnit-elastic, the backport PRs are also merged.
You can reopen this PR to use do_not_log_failure option as per the PR.

[navnit-elastic]

@kcreddy, the changes will be available starting from the next release. I'll raise a separate PR to bump the Kibana version after 8.19.4 and 9.1.4 are released.