Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Logs UI] HTTP API for log entries #53798

Merged
merged 21 commits into from
Jan 3, 2020

Conversation

afgomez
Copy link
Contributor

@afgomez afgomez commented Dec 26, 2019

Summary

Part of #51047.

This PR adds (will add) two endpoints:

  • /log_entries/entries for the log entries themselves. They will be used in the log stream view.
  • /log_entries/highlights for the log entry highlights. They will be used to highlight messages in the log stream view.

The API is not used yet, since its interface differs from the GraphQL implementation. The API will be used once we change the UI to allow date ranges.

Examples

Get entries from the top (oldest)

The API has only two mandatory parameters: startDate and endDate. Both take an epoch in milliseconds.

// Request
{
  startDate: 100000001000, 
  endDate: 100000002000
}

// Response
{
  data: {
    entries: [
		{
			id: "...",
			cursor: { time: 100000001000, tiebreaker: 12345 }
			columns: [...]
		},
		...
	],
    topCursor: { time: 100000001000, tiebreaker: 12345 }, // Cursor for the top of the page,
    bottomCursor: { time: 100000001200, tiebreaker: 67890 }, // Cursor for the bottom of the page,
  }
}

By default the request gives the first page of entries, in ascending order, starting at startDate.

Log stream notes-7

To get the following page: pass the after parameter with the value of the bottomCursor

// Request
{
  startDate: 100000001000, 
  endDate: 100000002000,
  after: { time: 100000001200, tiebreaker: 67890 } 
}

// Response
{
  data: {
    entries: [
		{
			id: "...",
			cursor: { time: 100000001201, tiebreaker: 67891 }
			columns: [...]
		},
		...
	],
    topCursor: { time: 100000001201, tiebreaker: 67891 },
    bottomCursor: { time: 100000001400, tiebreaker: 78901 },
  }
}

Log stream notes-8

Get entries from the bottom (newest)

To get the last entries in the range, the user needs to specify the parameter before with the special value "last".

// Request
{
  startDate: 100000001000, 
  endDate: 100000002000,
  before: "last"
}

// Response
{
  data: {
    entries: [
		{
			id: "...",
			cursor: { time: 100000001800, tiebreaker: 88888 }
			columns: [...]
		},
		...
	],
    topCursor: { time: 100000001800, tiebreaker: 88888 },
    bottomCursor: { time: 100000002000, tiebreaker: 99999 },
  }
}

Log stream notes-9

To get the entries before, pass the value of the topCursor in the before parameter.

// Request
{
  startDate: 100000001000, 
  endDate: 100000002000,
  before: { time: 100000001800, tiebreaker: 88888 }
}

// Response
{
  data: {
    entries: [
		{
			id: "...",
			cursor: { time: 100000001800, tiebreaker: 88888 }
			columns: [...]
		},
		...
	],
    topCursor: { time: 100000001600, tiebreaker: 66666 },
    bottomCursor: { time: 100000001799, tiebreaker: 88887 },
  }
}

Log stream notes-10

Get entries around a specific cursor

Sometimes is interesting to get entries with a specific log line in the center. To do so the user must pass a cursor as a center parameter. If the user doesn't know the value of the tiebreaker for a specific line, they must use 0. The response will then contain logs around the timestamp.

// Request
{
  startDate: 100000001000, 
  endDate: 100000002000,
  center: { time: 100000001500, tiebreaker: 0 }
}

// Response
{
  data: {
    entries: [
		{
			id: "...",
			cursor: { time: 100000001450, tiebreaker: 44444 }
			columns: [...]
		},
		...
	],
    topCursor: { time: 100000001450, tiebreaker: 44444 },
    bottomCursor: { time: 100000001550, tiebreaker: 55555 },
  }
}

The user then can get the pages before or after using the topCursor and the bottomCursor of the response.

Log stream notes-11

Add a query

All options support a query parameter to filter. The value must be the parsed query from the searchbar

// Request
{
  startDate: 100000001000, 
  endDate: 100000002000,
  query: '{"bool":{"should":[{"match_phrase":{"event.dataset":"nginx.access"}}],"minimum_should_match":1}}'
}

Get highlights

The /log_entries/highlights endpoint takes the same parameters as the /log_entries/entries endpoint, plus an array of highlight terms. The response is an array with the entries for each highlight term.

// Request
{
  startDate: 100000001000, 
  endDate: 100000002000,
  highlightTerms: ['admin'],
}

// Response
{
  // Each element here corresponds to each term in the request
  data: [{
	// The `entries` contain only elements with the highlight term
    entries: [
		{
			id: "...",
			cursor: { time: 100000001000, tiebreaker: 12345 }
			columns: [...]
		},
		...
	],
    topCursor: { time: 100000001000, tiebreaker: 12345 },
    bottomCursor: { time: 100000001600, tiebreaker: 66666 },
  }]
}

Checklist

Use strikethroughs to remove checklist items you don't feel are applicable to this PR.

@afgomez afgomez added Feature:Logs UI Logs UI feature release_note:skip Skip the PR/issue when compiling release notes Team:Infra Monitoring UI - DEPRECATED DEPRECATED - Label for the Infra Monitoring UI team. Use Team:obs-ux-infra_services v7.6.0 v8.0.0 labels Dec 26, 2019
@elasticmachine
Copy link
Contributor

Pinging @elastic/logs-metrics-ui (Team:logs-metrics-ui)

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@kibanamachine
Copy link
Contributor

💔 Build Failed

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

return hits.map(hit => {
const logFields = fields.reduce<{ [fieldName: string]: JsonValue }>(
(flattenedFields, field) => {
if (has(field, hit._source)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hard to understand at a glance that hit._source is an object.path.like.this. Anything you can do with type definitions to make this more obvious? Or maybe just add a comment

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I hear you, but I don't want to dedicate much time to this function. It will go away in a separate PR.

Right now the API is handled in three files

  • lib/adapters/kibana_log_entries_adapter, which connects with Elasticsearch.
  • lib/domains/log_entries_domain, which connects the adapter with the route files
  • The route file.

This function in the adapter takes the ES response and transforms it onto a LogEntryDocument, an intermediate format for the domain that then gets transformed again in the route.

I had a chat with @weltenwort and @Kerry350 a couple of weeks ago about how this code was organised, and the conclusion was to merge the domain and the adapter files into one. Once we do that we don't need an intermediate format anymore and this function will go away.


I will take your comment into account when I join the two files in one. I agree with you that it's not clear straight away what is in _source. I guess there's some documentation somewhere of how filebeat stores the log metadata in ES. We could just add a comment with a link to it.

);

return {
gid: hit._id,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With the above comment in mind, this whole function might be easier to follow if you destructure the hit at the beginning

const { _id: gid, _source: fieldName, sort: [time, tiebreaker] }

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See previous comment :)

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

Alejandro Fernández Gómez and others added 14 commits December 31, 2019 11:49
We will move the responsibility to parse the dates to the client. The
API will only take timestamps
Allows consumers of the API to get log items around a certain cursor
This makes easier to test the pagination. By default it returns a 200
size page.
Co-Authored-By: Zacqary Adam Xeper <[email protected]>
@afgomez afgomez force-pushed the 51047-log-entries-http-api branch from 911dac2 to d04f15e Compare December 31, 2019 10:51
@kibanamachine
Copy link
Contributor

💔 Build Failed

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@kibanamachine
Copy link
Contributor

💔 Build Failed

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@afgomez afgomez marked this pull request as ready for review January 2, 2020 14:46
@afgomez afgomez requested a review from a team as a code owner January 2, 2020 14:46
@kibanamachine
Copy link
Contributor

💔 Build Failed

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

Copy link
Contributor

@Zacqary Zacqary left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me; once CI is fixed should be good to merge

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@afgomez afgomez merged commit 47830c7 into elastic:master Jan 3, 2020
@afgomez afgomez deleted the 51047-log-entries-http-api branch January 3, 2020 17:12
gmmorris added a commit to gmmorris/kibana that referenced this pull request Jan 6, 2020
* master:
  increase delay to make sure license refetched (elastic#53882)
  Allow custom NP plugin paths in production (elastic#53562)
  [Maps] show custom color ramps in legend (elastic#53780)
  [Lens] Expression type on document can be null (elastic#53883)
  [SIEM] [Detection engine] Add user permission to detection engine (elastic#53778)
  Update dependency @elastic/charts to v16.0.2 (elastic#52619)
  Set consistent EOL symbol in core API docs (elastic#53815)
  [Logs UI] Refactor query bar state to hooks (elastic#52656)
  [Maps] pass getFieldFormatter to DynamicTextProperty (elastic#53937)
  Invalidate alert API Key when generating a new one (elastic#53732)
  [Logs UI] HTTP API for log entries (elastic#53798)
gmmorris added a commit to gmmorris/kibana that referenced this pull request Jan 6, 2020
* master:
  increase delay to make sure license refetched (elastic#53882)
  Allow custom NP plugin paths in production (elastic#53562)
  [Maps] show custom color ramps in legend (elastic#53780)
  [Lens] Expression type on document can be null (elastic#53883)
  [SIEM] [Detection engine] Add user permission to detection engine (elastic#53778)
  Update dependency @elastic/charts to v16.0.2 (elastic#52619)
  Set consistent EOL symbol in core API docs (elastic#53815)
  [Logs UI] Refactor query bar state to hooks (elastic#52656)
  [Maps] pass getFieldFormatter to DynamicTextProperty (elastic#53937)
  Invalidate alert API Key when generating a new one (elastic#53732)
  [Logs UI] HTTP API for log entries (elastic#53798)
  [kbn/pm] add caching to bootstrap (elastic#53622)
  adds createdAt and updatedAt fields to alerting (elastic#53793)
gmmorris added a commit to gmmorris/kibana that referenced this pull request Jan 6, 2020
* master:
  increase delay to make sure license refetched (elastic#53882)
  Allow custom NP plugin paths in production (elastic#53562)
  [Maps] show custom color ramps in legend (elastic#53780)
  [Lens] Expression type on document can be null (elastic#53883)
  [SIEM] [Detection engine] Add user permission to detection engine (elastic#53778)
  Update dependency @elastic/charts to v16.0.2 (elastic#52619)
  Set consistent EOL symbol in core API docs (elastic#53815)
  [Logs UI] Refactor query bar state to hooks (elastic#52656)
  [Maps] pass getFieldFormatter to DynamicTextProperty (elastic#53937)
  Invalidate alert API Key when generating a new one (elastic#53732)
  [Logs UI] HTTP API for log entries (elastic#53798)
  [kbn/pm] add caching to bootstrap (elastic#53622)
  adds createdAt and updatedAt fields to alerting (elastic#53793)
  [SR] Enable component integration tests (elastic#53893)
jloleysens added a commit to jloleysens/kibana that referenced this pull request Jan 6, 2020
…nsole-dependencies

* 'master' of github.com:elastic/kibana: (33 commits)
  adds strict types to Alerting Client (elastic#53821)
  [Dashboard] Empty screen redesign (elastic#53681)
  Migrate config deprecations and `ShieldUser` functionality to the New Platform (elastic#53768)
  increase delay to make sure license refetched (elastic#53882)
  Allow custom NP plugin paths in production (elastic#53562)
  [Maps] show custom color ramps in legend (elastic#53780)
  [Lens] Expression type on document can be null (elastic#53883)
  [SIEM] [Detection engine] Add user permission to detection engine (elastic#53778)
  Update dependency @elastic/charts to v16.0.2 (elastic#52619)
  Set consistent EOL symbol in core API docs (elastic#53815)
  [Logs UI] Refactor query bar state to hooks (elastic#52656)
  [Maps] pass getFieldFormatter to DynamicTextProperty (elastic#53937)
  Invalidate alert API Key when generating a new one (elastic#53732)
  [Logs UI] HTTP API for log entries (elastic#53798)
  [kbn/pm] add caching to bootstrap (elastic#53622)
  adds createdAt and updatedAt fields to alerting (elastic#53793)
  [SR] Enable component integration tests (elastic#53893)
  Move index patterns: src/legacy/core_plugins/data 👉 src/plugins/data (elastic#53794)
  moved Task Manager server code under "server" directory (elastic#53777)
  Rename `/api/security/oidc` to `/api/security/oidc/callback`. (elastic#53886)
  ...

# Conflicts:
#	yarn.lock
afgomez pushed a commit to afgomez/kibana that referenced this pull request Jan 6, 2020
* Scaffold `log_entries/entries` route

* Scaffold a log entry response

* Add `after` pagination

* Add `before` pagination

* Process `query` parameter

* Use pre-existing structure for the columns

* Change type of date ranges

We will move the responsibility to parse the dates to the client. The
API will only take timestamps

* Add `center` parameter

Allows consumers of the API to get log items around a certain cursor

* Change default page size

* Test the defaults of the API

* Add optional `size` parameter

This makes easier to test the pagination. By default it returns a 200
size page.

* Test the pagination

* Test centering around a point

* Handle `0` sizes

Co-Authored-By: Zacqary Adam Xeper <[email protected]>

* Add highlights endpoint

* Refactor `processCursor`

* Tweak cursor handling in the routes

* Refine `LogEntry` type

* Add tests for highlights endpoint

* Tweak the types for the LogEntry

Co-authored-by: Zacqary Adam Xeper <[email protected]>
@afgomez afgomez mentioned this pull request Jan 7, 2020
afgomez pushed a commit that referenced this pull request Jan 7, 2020
* [Logs UI] HTTP API for log entries (#53798)

* Scaffold `log_entries/entries` route

* Scaffold a log entry response

* Add `after` pagination

* Add `before` pagination

* Process `query` parameter

* Use pre-existing structure for the columns

* Change type of date ranges

We will move the responsibility to parse the dates to the client. The
API will only take timestamps

* Add `center` parameter

Allows consumers of the API to get log items around a certain cursor

* Change default page size

* Test the defaults of the API

* Add optional `size` parameter

This makes easier to test the pagination. By default it returns a 200
size page.

* Test the pagination

* Test centering around a point

* Handle `0` sizes

Co-Authored-By: Zacqary Adam Xeper <[email protected]>

* Add highlights endpoint

* Refactor `processCursor`

* Tweak cursor handling in the routes

* Refine `LogEntry` type

* Add tests for highlights endpoint

* Tweak the types for the LogEntry

Co-authored-by: Zacqary Adam Xeper <[email protected]>

* Skip failing test (#54100)

ES behaves differently in master and in 7.x, causing the test to fail in
the latter.

Co-authored-by: Zacqary Adam Xeper <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Feature:Logs UI Logs UI feature release_note:skip Skip the PR/issue when compiling release notes Team:Infra Monitoring UI - DEPRECATED DEPRECATED - Label for the Infra Monitoring UI team. Use Team:obs-ux-infra_services v7.6.0 v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants