[Auto Import] CSV format support #194386
Merged
[Auto Import] CSV format support #194386
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ilyannn
added
release_note:feature
|
Pinging @elastic/security-scalability (Team:Security-Scalability) |
|
@elasticmachine merge upstream |
bhapas
reviewed
Oct 1, 2024
x-pack/plugins/integration_assistant/server/graphs/log_type_detection/csv.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/integration_assistant/server/graphs/log_type_detection/csv.ts
Outdated
Show resolved
Hide resolved
|
@elasticmachine merge upstream |
|
merge conflict between base and head |
…ranch 'main' of github.com:elastic/kibana into auto-import/csv-format
|
@elasticmachine merge upstream |
ilyannn
added
backport:prev-minor
|
@elasticmachine merge upstream |
💔 Build Failed
Failed CI StepsHistory
cc @ilyannn |
This was referenced Oct 13, 2024
|
Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/11325642463 |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Oct 14, 2024
## Release Notes Automatic Import can now create integrations for logs in the CSV format. Owing to the maturity of log format support, we thus remove the verbiage about requiring the JSON/NDJSON format. ## Summary **Added: the CSV feature** The issue is elastic#194342 When the user adds a log sample whose format is recognized as CSV by the LLM, we now parse the samples and insert the [csv](https://www.elastic.co/guide/en/elasticsearch/reference/current/csv-processor.html) processor into the generated pipeline. If the header is present, we use it for the field names and add a [drop](https://www.elastic.co/guide/en/elasticsearch/reference/current/drop-processor.html) processor that removes a header from the document stream by comparing the values to the header values. If the header is missing, we ask the LLM to generate a list of column names, providing some context like package and data stream title. Should the header or LLM suggestion provide unsuitable for a specific column, we use `column1`, `column2` and so on as a fallback. To avoid duplicate column names, we can add postfixes like `_2` as necessary. If the format appears to be CSV, but the `csv` processor returns fails, we bubble up an error using the recently introduced `ErrorThatHandlesItsOwnResponse` class. We also provide the first example of passing the additional attributes of an error (in this case, the original CSV error) back to the client. The error message is composed on the client side. **Removed: supported formats message** The message that asks the user to upload the logs in `JSON/NDJSON format` is removed in this PR: <img width="741" alt="image" src="https://github.com/user-attachments/assets/34d571c3-b12c-44a1-98e3-d7549160be12"> **Refactoring** The refactoring makes the "→JSON" conversion process more uniform across different chains and centralizes processor definitions in `.../server/util/processors.ts`. Log format chain now expects the LLM to follow the `SamplesFormat` when providing the information rather than an ad-hoc format. When testing, the `fail` method is [not supported in `jest`](https://stackoverflow.com/a/54244479/23968144), so it is removed. See the PR for examples and follow-up. --------- Co-authored-by: Elastic Machine <[email protected]> (cherry picked from commit 6a72037)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Oct 14, 2024
# Backport This will backport the following commits from `main` to `8.x`: - [[Auto Import] CSV format support (#194386)](#194386) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Ilya Nikokoshev","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-14T10:24:58Z","message":"[Auto Import] CSV format support (#194386)\n\n## Release Notes\r\n\r\nAutomatic Import can now create integrations for logs in the CSV format.\r\nOwing to the maturity of log format support, we thus remove the verbiage\r\nabout requiring the JSON/NDJSON format.\r\n\r\n## Summary\r\n\r\n**Added: the CSV feature**\r\n\r\nThe issue is #194342 \r\n\r\nWhen the user adds a log sample whose format is recognized as CSV by the\r\nLLM, we now parse the samples and insert the\r\n[csv](https://www.elastic.co/guide/en/elasticsearch/reference/current/csv-processor.html)\r\nprocessor into the generated pipeline.\r\n\r\nIf the header is present, we use it for the field names and add a\r\n[drop](https://www.elastic.co/guide/en/elasticsearch/reference/current/drop-processor.html)\r\nprocessor that removes a header from the document stream by comparing\r\nthe values to the header values.\r\n\r\nIf the header is missing, we ask the LLM to generate a list of column\r\nnames, providing some context like package and data stream title.\r\n\r\nShould the header or LLM suggestion provide unsuitable for a specific\r\ncolumn, we use `column1`, `column2` and so on as a fallback. To avoid\r\nduplicate column names, we can add postfixes like `_2` as necessary.\r\n\r\nIf the format appears to be CSV, but the `csv` processor returns fails,\r\nwe bubble up an error using the recently introduced\r\n`ErrorThatHandlesItsOwnResponse` class. We also provide the first\r\nexample of passing the additional attributes of an error (in this case,\r\nthe original CSV error) back to the client. The error message is\r\ncomposed on the client side.\r\n\r\n**Removed: supported formats message**\r\n \r\nThe message that asks the user to upload the logs in `JSON/NDJSON\r\nformat` is removed in this PR:\r\n\r\n<img width=\"741\" alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/34d571c3-b12c-44a1-98e3-d7549160be12\">\r\n\r\n\r\n**Refactoring**\r\n \r\nThe refactoring makes the \"→JSON\" conversion process more uniform across\r\ndifferent chains and centralizes processor definitions in\r\n`.../server/util/processors.ts`.\r\n\r\nLog format chain now expects the LLM to follow the `SamplesFormat` when\r\nproviding the information rather than an ad-hoc format.\r\n \r\nWhen testing, the `fail` method is [not supported in\r\n`jest`](https://stackoverflow.com/a/54244479/23968144), so it is\r\nremoved.\r\n\r\nSee the PR for examples and follow-up.\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"6a72037007d8f71504f444911c9fa25adfb1bb89","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["v9.0.0","release_note:feature","backport:prev-minor","Team:Security-Scalability","Feature:AutomaticImport"],"title":"[Auto Import] CSV format support","number":194386,"url":"https://github.com/elastic/kibana/pull/194386","mergeCommit":{"message":"[Auto Import] CSV format support (#194386)\n\n## Release Notes\r\n\r\nAutomatic Import can now create integrations for logs in the CSV format.\r\nOwing to the maturity of log format support, we thus remove the verbiage\r\nabout requiring the JSON/NDJSON format.\r\n\r\n## Summary\r\n\r\n**Added: the CSV feature**\r\n\r\nThe issue is #194342 \r\n\r\nWhen the user adds a log sample whose format is recognized as CSV by the\r\nLLM, we now parse the samples and insert the\r\n[csv](https://www.elastic.co/guide/en/elasticsearch/reference/current/csv-processor.html)\r\nprocessor into the generated pipeline.\r\n\r\nIf the header is present, we use it for the field names and add a\r\n[drop](https://www.elastic.co/guide/en/elasticsearch/reference/current/drop-processor.html)\r\nprocessor that removes a header from the document stream by comparing\r\nthe values to the header values.\r\n\r\nIf the header is missing, we ask the LLM to generate a list of column\r\nnames, providing some context like package and data stream title.\r\n\r\nShould the header or LLM suggestion provide unsuitable for a specific\r\ncolumn, we use `column1`, `column2` and so on as a fallback. To avoid\r\nduplicate column names, we can add postfixes like `_2` as necessary.\r\n\r\nIf the format appears to be CSV, but the `csv` processor returns fails,\r\nwe bubble up an error using the recently introduced\r\n`ErrorThatHandlesItsOwnResponse` class. We also provide the first\r\nexample of passing the additional attributes of an error (in this case,\r\nthe original CSV error) back to the client. The error message is\r\ncomposed on the client side.\r\n\r\n**Removed: supported formats message**\r\n \r\nThe message that asks the user to upload the logs in `JSON/NDJSON\r\nformat` is removed in this PR:\r\n\r\n<img width=\"741\" alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/34d571c3-b12c-44a1-98e3-d7549160be12\">\r\n\r\n\r\n**Refactoring**\r\n \r\nThe refactoring makes the \"→JSON\" conversion process more uniform across\r\ndifferent chains and centralizes processor definitions in\r\n`.../server/util/processors.ts`.\r\n\r\nLog format chain now expects the LLM to follow the `SamplesFormat` when\r\nproviding the information rather than an ad-hoc format.\r\n \r\nWhen testing, the `fail` method is [not supported in\r\n`jest`](https://stackoverflow.com/a/54244479/23968144), so it is\r\nremoved.\r\n\r\nSee the PR for examples and follow-up.\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"6a72037007d8f71504f444911c9fa25adfb1bb89"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/194386","number":194386,"mergeCommit":{"message":"[Auto Import] CSV format support (#194386)\n\n## Release Notes\r\n\r\nAutomatic Import can now create integrations for logs in the CSV format.\r\nOwing to the maturity of log format support, we thus remove the verbiage\r\nabout requiring the JSON/NDJSON format.\r\n\r\n## Summary\r\n\r\n**Added: the CSV feature**\r\n\r\nThe issue is #194342 \r\n\r\nWhen the user adds a log sample whose format is recognized as CSV by the\r\nLLM, we now parse the samples and insert the\r\n[csv](https://www.elastic.co/guide/en/elasticsearch/reference/current/csv-processor.html)\r\nprocessor into the generated pipeline.\r\n\r\nIf the header is present, we use it for the field names and add a\r\n[drop](https://www.elastic.co/guide/en/elasticsearch/reference/current/drop-processor.html)\r\nprocessor that removes a header from the document stream by comparing\r\nthe values to the header values.\r\n\r\nIf the header is missing, we ask the LLM to generate a list of column\r\nnames, providing some context like package and data stream title.\r\n\r\nShould the header or LLM suggestion provide unsuitable for a specific\r\ncolumn, we use `column1`, `column2` and so on as a fallback. To avoid\r\nduplicate column names, we can add postfixes like `_2` as necessary.\r\n\r\nIf the format appears to be CSV, but the `csv` processor returns fails,\r\nwe bubble up an error using the recently introduced\r\n`ErrorThatHandlesItsOwnResponse` class. We also provide the first\r\nexample of passing the additional attributes of an error (in this case,\r\nthe original CSV error) back to the client. The error message is\r\ncomposed on the client side.\r\n\r\n**Removed: supported formats message**\r\n \r\nThe message that asks the user to upload the logs in `JSON/NDJSON\r\nformat` is removed in this PR:\r\n\r\n<img width=\"741\" alt=\"image\"\r\nsrc=\"https://github.com/user-attachments/assets/34d571c3-b12c-44a1-98e3-d7549160be12\">\r\n\r\n\r\n**Refactoring**\r\n \r\nThe refactoring makes the \"→JSON\" conversion process more uniform across\r\ndifferent chains and centralizes processor definitions in\r\n`.../server/util/processors.ts`.\r\n\r\nLog format chain now expects the LLM to follow the `SamplesFormat` when\r\nproviding the information rather than an ad-hoc format.\r\n \r\nWhen testing, the `fail` method is [not supported in\r\n`jest`](https://stackoverflow.com/a/54244479/23968144), so it is\r\nremoved.\r\n\r\nSee the PR for examples and follow-up.\r\n\r\n---------\r\n\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"6a72037007d8f71504f444911c9fa25adfb1bb89"}}]}] BACKPORT--> Co-authored-by: Ilya Nikokoshev <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Release Notes
Automatic Import can now create integrations for logs in the CSV format. Owing to the maturity of log format support, we thus remove the verbiage about requiring the JSON/NDJSON format.
Summary
Added: the CSV feature
The issue is #194342
When the user adds a log sample whose format is recognized as CSV by the LLM, we now parse the samples and insert the csv processor into the generated pipeline.
If the header is present, we use it for the field names and add a drop processor that removes a header from the document stream by comparing the values to the header values.
If the header is missing, we ask the LLM to generate a list of column names, providing some context like package and data stream title.
Should the header or LLM suggestion provide unsuitable for a specific column, we use
column1,column2and so on as a fallback. To avoid duplicate column names, we can add postfixes like_2as necessary.If the format appears to be CSV, but the
csvprocessor returns fails, we bubble up an error using the recently introducedErrorThatHandlesItsOwnResponseclass. We also provide the first example of passing the additional attributes of an error (in this case, the original CSV error) back to the client. The error message is composed on the client side.Removed: supported formats message
The message that asks the user to upload the logs in
JSON/NDJSON formatis removed in this PR:Refactoring
The refactoring makes the "→JSON" conversion process more uniform across different chains and centralizes processor definitions in
.../server/util/processors.ts.Log format chain now expects the LLM to follow the
SamplesFormatwhen providing the information rather than an ad-hoc format.When testing, the
failmethod is not supported injest, so it is removed.Examples
Postgres logs (original)
When using the original Postgres log file from the integrations repository we get the following error:
The reason is that the file is indeed not a correct CSV file, due to line breaks leading to unmatched quotes:
Potsgres logs (fixed)
If we remove the line breaks and perform some additional fixes to the reserved fields, the integration ai_postgres_202410081032-1.0.0.zip is generated successfully, with LLM filling some of the columns names:
Example event
{ "ai_postgres_202410081032": { "logs": { "backend_type": "postmaster", "column11": "0", "column4": "1", "column7": "7", "error_code": "00000", "session_start_time": "2021-01-04 01:06:13 UTC", "timestamp": "2021-01-04 01:07:20.001 UTC" } }, "ecs": { "version": "8.11.0" }, "event": { "category": [ "database", "configuration" ], "created": "2021-01-04T01:07:20.001Z", "original": "2021-01-04 01:07:20.001 UTC,,,1,,5ff26a05.1,7,,2021-01-04 01:06:13 UTC,,0,LOG,00000,\"parameter \"\"log_min_duration_statement\"\" changed to \"\"0\"\"\",,,,,,,,,\"\",\"postmaster\"", "start": "2021-01-04T01:06:13.000Z", "type": [ "info", "change" ] }, "log": { "level": "LOG" }, "message": "parameter \"log_min_duration_statement\" changed to \"0\"", "tags": [ "preserve_original_event" ] }Recorded Future
This sample log file has a header. We generate the ai_rf_url_202410082213-1.0.0.zip with the following sample:
PanOS System Log
This sample log file does not have a header. We provide a "Format" string from the docs as part of the datastream title.
We produce the integration ai_panos_202410082244-1.0.0.zip:
Note the usage of separate
FUTURE_USE_Ncolumns.Without the hints, the results (ai_panos_202410082250-1.0.0.zip) are less impressive:
PanOS Tunnel Inspection Log
Example event
{ "ai_panos_tunnel_202410132313": { "log": { "A_Slice_Differentiator": "asd", "A_Slice_Service_Type": "ast", "Action_Flags": "user", "Action_Source": "action", "Application_Category": "cat", "Application_Characteristic": "char", "Application_Container": "con", "Application_Risk": "4", "Application_SaaS": "no", "Application_Sanctioned_State": "no", "Application_Subcategory": "app-sc", "Application_Technology": "tech", "Destination_External_Dynamic_List": "100", "Destination_Location": "dst-loc", "Destination_Zone": "d-zone", "Device_Group_Hierarchy_Level_1": "0", "Device_Group_Hierarchy_Level_2": "0", "Device_Group_Hierarchy_Level_3": "0", "Device_Group_Hierarchy_Level_4": "0", "Dynamic_User_Group": "dug", "FUTURE_USE": "1", "FUTURE_USE_2": "2561", "Flags": "0", "Generated_Time": "2021/11/23 00:44:44", "High_Resolution_Timestamp": "2021-11-23T00:44:44.930-08:00", "Inbound_Interface": "inbound", "Log_Action": "log", "Maximum_Encapsulation": "20", "Monitor_Tag_IMEI": "imei", "PCAP_ID": "pcap", "PDU_Session_ID": "100", "Packets_Sent": "10", "Parent_Session_ID": "1000", "Parent_Start_Time": "1000", "Receive_Time": "2021/11/23 00:44:44", "Remote_User_ID": "100", "Remote_User_IP": "81.2.69.192", "Sequence_Number": "1000", "Serial_Number": "1234567890", "Sessions_Closed": "1000", "Sessions_Created": "1000", "Source_External_Dynamic_List": "100", "Source_Location": "src-loc", "Source_Zone": "s-zone", "Start_Time": "2021-11-23T00:44:44.930-08:00", "Strict_Check": "75", "Subtype": "start", "Tunnel": "1000", "Tunnel_Fragment": "50", "Tunnel_ID_IMSI": "imsi", "Tunnel_Inspection_Rule": "rule1", "Type": "START", "Unknown_Protocol": "200", "Virtual_System": "vsys", "Virtual_System_Name": "vsys-name" } }, "destination": { "bytes": "10", "geo": { "city_name": "Changchun", "continent_name": "Asia", "country_iso_code": "CN", "country_name": "China", "location": { "lat": 43.88, "lon": 125.3228 }, "region_iso_code": "CN-22", "region_name": "Jilin Sheng" }, "ip": "175.16.199.1", "nat": { "ip": "10.0.0.30", "port": "9300" }, "packets": "10", "port": "9550", "user": { "name": "d-user" } }, "ecs": { "version": "8.11.0" }, "event": { "action": "action", "category": [ "network", "authentication", "session" ], "duration": "1234567890", "id": "id", "original": "1,2021/11/23 00:44:44,1234567890,START,start,2561,2021/11/23 00:44:44,10.0.0.10,175.16.199.1,10.0.0.20,10.0.0.30,rule,,d-user,app,vsys,s-zone,d-zone,inbound,outbound,log,,id,100,9000,9550,9200,9300,0,tcp,action,4,1000,user,src-loc,dst-loc,0,0,0,0,vsys-name,d-name,imsi,imei,1000,1000,1000,10,10,10,10,10,10,20,200,75,50,1000,1000,end,action,2021-11-23T00:44:44.930-08:00,1234567890,rule1,81.2.69.192,100,100,pcap,dug,100,100,2021-11-23T00:44:44.930-08:00,asd,ast,100,app-sc,cat,tech,4,char,con,no,no", "reason": "end", "sequence": "100", "severity": "4", "start": "2021-11-23T08:44:44.930Z", "type": [ "start", "connection", "info", "end" ] }, "host": { "name": "d-name" }, "network": { "application": "app", "bytes": "10", "name": "outbound", "packets": "10", "transport": "tcp" }, "related": { "hosts": [ "d-name" ], "ip": [ "10.0.0.30", "175.16.199.1", "10.0.0.20", "10.0.0.10", "81.2.69.192" ], "user": [ "d-user" ] }, "rule": { "name": "rule", "uuid": "100" }, "source": { "bytes": "10", "ip": "10.0.0.10", "nat": { "ip": "10.0.0.20", "port": "9200" }, "port": "9000" }, "tags": [ "preserve_original_event" ] }Todo
Completed items
Possible follow-up
CSV feature:
Log formats:
unsupported. Instead we can ask again. → [Automatic Import] Retry if the LLM does not return a valid log format answer #196038Bugs:
@timestamp– a lot of our integrations don't have this field as a result. → [Automatic Import] Ensure the @timestamp field is present #196040long, which makeselastic-package testunhappy. → [Automatic Import] Conversion to target field type #196041