Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Convert read_timestamp to event.created in Journalbeat #10043

Merged
merged 6 commits into from
Jan 15, 2019

Conversation

ruflin
Copy link
Contributor

@ruflin ruflin commented Jan 14, 2019

This aligns journalbeat with ECS.

@ruflin ruflin requested a review from kvch January 14, 2019 10:39
@ruflin ruflin requested a review from a team as a code owner January 14, 2019 10:39
@ruflin
Copy link
Contributor Author

ruflin commented Jan 14, 2019

@kvch Are there other things need in journalbeat that need alignment with ECS?

@ruflin ruflin mentioned this pull request Jan 14, 2019
@kvch
Copy link
Contributor

kvch commented Jan 14, 2019

I think host.name needs to be renamed to host.hostname. Do you want to include that in this PR?

@ruflin
Copy link
Contributor Author

ruflin commented Jan 14, 2019

Trying also to convert it directly in this PR. Can you check if I picked the correct field?

@@ -62,7 +62,7 @@ var (
sdjournal.SD_JOURNAL_FIELD_COMM: fieldConversion{"process.name", false, false},
sdjournal.SD_JOURNAL_FIELD_EXE: fieldConversion{"process.executable", false, false},
sdjournal.SD_JOURNAL_FIELD_GID: fieldConversion{"process.uid", true, false},
sdjournal.SD_JOURNAL_FIELD_HOSTNAME: fieldConversion{"host.name", false, false},
sdjournal.SD_JOURNAL_FIELD_HOSTNAME: fieldConversion{"host.hostname", false, false},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@kvch
Copy link
Contributor

kvch commented Jan 14, 2019

I don't see anything else changed recently.

I am curious if you are planning to add facility and identifier fields in some form to ECS? In journalbeat there are a few syslog fields. I recalled having those in ECS. :)

@ruflin
Copy link
Contributor Author

ruflin commented Jan 14, 2019

@kvch +1 on making these change too. Could you open a PR for it?

@ruflin
Copy link
Contributor Author

ruflin commented Jan 14, 2019

Hm, tests seem to fail because of the changes. I hoped my adjustment works, seems like I need to create a setup. @kvch If you have some hints to get this green, let me know.

@kvch
Copy link
Contributor

kvch commented Jan 14, 2019

The problem is that an empty object is still there with the key "event".

Actual: {"event":{},"host":{"boot_id":"123456"}}
Expected: {"host":{"boot_id":"123456"}}

The whole key-value "pair" has to be deleted:

event.Fields.Delete("event")

@ruflin
Copy link
Contributor Author

ruflin commented Jan 14, 2019

@kvch Thanks for investigating. Let's see if CI is happy with it, if not will spin up a Linux environment for testing.

@ruflin ruflin merged commit 7972a7e into elastic:master Jan 15, 2019
@ruflin ruflin deleted the journalbeat-ecs branch January 15, 2019 09:01
@ruflin ruflin self-assigned this Jan 15, 2019
ruflin added a commit to ruflin/beats that referenced this pull request Jan 15, 2019
It was tried to fix this in elastic#10043 but it seems it was not successful as it is still flaky. Skipping it again.
ph pushed a commit that referenced this pull request Jan 15, 2019
It was tried to fix this in #10043 but it seems it was not successful as it is still flaky. Skipping it again.

See #9690
ruflin added a commit to ruflin/beats that referenced this pull request Jan 16, 2019
The migration entries went missing there. No alias is used for `host.name` to `host.hostname` as both are existing fields.
ruflin added a commit that referenced this pull request Jan 17, 2019
The migration entries went missing there. No alias is used for `host.name` to `host.hostname` as both are existing fields.
DStape pushed a commit to DStape/beats that referenced this pull request Aug 20, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants