Add Logs data stream for collecting Azure Functions

[devamanv]

What does this PR do?

The PR contains changes to add a new datastream functionapplogs that contains all the field mappings, ingest pipelines, documentations needed to ingest the Azure Functions logs into Elasticsearch.

Note: Dashboards assets to be added in a separate PR.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

• Clone the integrations repo
• Install elastic-package locally
• Spin up an elastic stack using elastic-package
• Run elastic-package test from the integrations/packages/azure_functions directory

Related issues

• Implements logs datastream for [Meta] Azure Functions Integration #6086

Screenshots

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-07-18T16:33:45.282+0000

• Duration: 16 min 55 sec

Test stats 🧪

Test	Results
Failed	0
Passed	5
Skipped	0
Total	5

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[zmoog]

This PR looks good; I have a few minor changes to request.

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (1/1)	💚
Files	100.0% (2/2)	💚
Classes	100.0% (2/2)	💚
Methods	92.857% (13/14)	👍 4.978
Lines	96.753% (149/154)	👎 -0.719
Conditionals	100.0% (0/0)	💚

[gpop63]

I wonder if azure.function.function_invocation_id is redundant and something like azure.function.invocation_id make more sense, this applies to azure.function.function_name too. What do you think?

[devamanv]

Yes, that's a fair point. I will change that in the next commit.

[muthu-mps]

@devamanv - Please find my comments below after installing the enabling the data collection for azure functions.

• When starting the integration for the first time there is a few minutes delay observed in the data collection. Is this the expected behaviour for a first time installer ?
• The assets is not available for the integration.The PR description has a mention of having assets along with this PR. Can we create assets.
• The logo in the Azure function's section of the Azure portal is slightly different than what we have. Can we check and update it.

[devamanv]

@muthu-mps

When starting the integration for the first time there is a few minutes delay observed in the data collection. Is this the expected behaviour for a first time installer ?

Events from Azure are usually slow, and this delay is expected and could take anywhere between a few minutes to an hour, reference. Part of the reason is the fact that Platform logs are only collected when there's a corresponding diagnostic setting enabled, source. This usually takes a few minutes for the logs to be routed to a destination, which happens to be Eventhub in this case.
This may also have to do with how the eventhub input works under the hood, it needs to start a worker, establish a connection with Azure Eventhub and at the same time store metadata in an instance of the Storage Account.

The assets is not available for the integration.The PR description has a mention of having assets along with this PR. Can we create assets

The assets(dashboards) will be created as a separate PR. The assets work is already in progress. I have updated the description accordingly.

The logo in the Azure function's section of the Azure portal is slightly different than what we have. Can we check and update it.

I have updated the logo to match the one in the Azure Portal, please take a look.

[muthu-mps]

Can we make the initial release version as experimental 0.0.1 until the Kibana dashboard PR is getting merged. Otherwise looks good !

[devamanv]

Changed the release as experimental and the initial package version to 0.0.1.

[zmoog]

When starting the integration for the first time there is a few minutes delay observed in the data collection. Is this the expected behaviour for a first time installer ?

To add extra details to what @devamanv said, here's how to check what happens between event creation on Azure and ingestion on Elasticsearch using the document fields.

Here's a KB article I put together a few months ago. AFAIK it's unavailable as a public page, so I'm adding it as a screenshot.

We can turn it into a public resource if you think it can be helpful to a broader audience.

[muthu-mps]

Looks good !

[elasticmachine]

Package azure_functions - 0.0.1 containing this change is available at https://epr.elastic.co/search?package=azure_functions