x-pack/filebeat/input/cel: improve missing events error value
CEL programs used in the CEL input are specified to return an object that
includes an array. This is tested for, but currently the check is
indirect and only shows that the type is not expected, rather than a
more informative message that the events array is missing. This changes
that so that when no events field is present, an error is returned
directly. This will flow on to a status update in the handling of the
returned error by the input Run method, alerting the user more promptly
to the cause. Since a CEL input program is not valid if it returns no
events field, a hard error (fleet status failed rather than degraded)
seems appropriate.
efd6 committed Aug 22, 2024
1 parent e09627f commit 12b3eff
Showing 2 changed files with 2 additions and 3 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -278,6 +278,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
- Update CEL mito extensions to v1.15.0. {pull}40294[40294]
- Allow cross-region bucket configuration in s3 input. {issue}22161[22161] {pull}40309[40309]
- Improve logging in Okta Entity Analytics provider. {issue}40106[40106] {pull}40347[40347]
- Improve error quality when CEL program does not correctly return an events array. {pull}40580[40580]

*Auditbeat*
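
Review bot: the added changelog entry for pull 40580 describes this only as improved error quality, but the input.go change in the same commit turns the missing-events case from a degraded status into a returned error, which the commit message calls fleet status failed rather than degraded. Suggest wording the entry so users see the behaviour change, for example by stating that a CEL program returning no events field now fails the input instead of degrading it.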

4 changes: 1 addition & 3 deletions x-pack/filebeat/input/cel/input.go
Expand Up @@ -366,9 +366,7 @@ func (i input) run(env v2.Context, src *source, cursor map[string]interface{}, p

e, ok := state["events"]
if !ok {
log.Error("unexpected missing events array from evaluation")
env.UpdateStatus(status.Degraded, "unexpected missing events array from evaluation")
isDegraded = true
return errors.New("unexpected missing events array from evaluation")
}
var events []interface{}
switch e := e.(type) {
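
Review bot: in the `if !ok` block, the returned `errors.New("unexpected missing events array from evaluation")` reuses the old log wording and does not name the field being looked up in `state["events"]`; since the aim is a more informative message, consider saying that the program result has no `events` field. With the `log.Error(...)` call dropped from this block, check that the caller logs the returned error so the failure stays visible in the logs as well as in the status. The commit touches only the changelog and input.go, so a test case for a program that returns no events field would be worth adding.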