Skip to content

Commit

Permalink
x-pack/filebeat/input/cel: improve missing events error value (#40580)
Browse files Browse the repository at this point in the history
CEL programs used in the CEL input are specific to return an object that
includes an array. This is tested for, but currently the check is
indirect and only shows that the type is not expected, rather than a
more informative message that the events array is missing. This changes
that so that when no events field is present, an error is returned
directly. This will flow on to a status update in the handling of the
returned error by the input Run method, alerting the user more promptly
to the cause. Since a CEL input program is not valid if it returns no
events field, a hard error (fleet status failed rather than degraded)
seems appropriate.
  • Loading branch information
efd6 authored Sep 4, 2024
1 parent 3309620 commit 72f4afb
Show file tree
Hide file tree
Showing 2 changed files with 2 additions and 3 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -297,6 +297,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
- Add new metricset cluster for the vSphere module. {pull}40536[40536]
- Disable event normalization for netflow input {pull}40635[40635]
- Allow attribute selection in the Active Directory entity analytics provider. {issue}40482[40482] {pull}40662[40662]
- Improve error quality when CEL program does not correctly return an events array. {pull}40580[40580]

*Auditbeat*

Expand Down
4 changes: 1 addition & 3 deletions x-pack/filebeat/input/cel/input.go
Original file line number Diff line number Diff line change
Expand Up @@ -366,9 +366,7 @@ func (i input) run(env v2.Context, src *source, cursor map[string]interface{}, p

e, ok := state["events"]
if !ok {
log.Error("unexpected missing events array from evaluation")
env.UpdateStatus(status.Degraded, "unexpected missing events array from evaluation")
isDegraded = true
return errors.New("unexpected missing events array from evaluation")
}
var events []interface{}
switch e := e.(type) {
Expand Down

0 comments on commit 72f4afb

Please sign in to comment.