Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Convert read_timestamp to event.created in Journalbeat #10043

Merged
merged 6 commits into from
Jan 15, 2019
Merged

Convert read_timestamp to event.created in Journalbeat #10043

merged 6 commits into from
Jan 15, 2019

Conversation

ruflin
Copy link
Member

@ruflin ruflin commented Jan 14, 2019

This aligns journalbeat with ECS.

@ruflin ruflin requested a review from kvch January 14, 2019 10:39
@ruflin ruflin requested a review from a team as a code owner January 14, 2019 10:39
@ruflin
Copy link
Member Author

ruflin commented Jan 14, 2019

@kvch Are there other things need in journalbeat that need alignment with ECS?

@ruflin ruflin mentioned this pull request Jan 14, 2019
Closed
@kvch
Copy link
Contributor

kvch commented Jan 14, 2019

I think host.name needs to be renamed to host.hostname. Do you want to include that in this PR?

@ruflin
Copy link
Member Author

ruflin commented Jan 14, 2019

Trying also to convert it directly in this PR. Can you check if I picked the correct field?

kvch
kvch reviewed Jan 14, 2019
View reviewed changes
journalbeat/reader/fields.go
@@ -62,7 +62,7 @@ var (
sdjournal.SD_JOURNAL_FIELD_COMM: fieldConversion{"process.name", false, false},
sdjournal.SD_JOURNAL_FIELD_EXE: fieldConversion{"process.executable", false, false},
sdjournal.SD_JOURNAL_FIELD_GID: fieldConversion{"process.uid", true, false},
sdjournal.SD_JOURNAL_FIELD_HOSTNAME: fieldConversion{"host.name", false, false},
sdjournal.SD_JOURNAL_FIELD_HOSTNAME: fieldConversion{"host.hostname", false, false},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@kvch
Copy link
Contributor

kvch commented Jan 14, 2019

I don't see anything else changed recently.

I am curious if you are planning to add facility and identifier fields in some form to ECS? In journalbeat there are a few syslog fields. I recalled having those in ECS. :)

@ruflin
Copy link
Member Author

ruflin commented Jan 14, 2019

@kvch +1 on making these change too. Could you open a PR for it?

@ruflin
Copy link
Member Author

ruflin commented Jan 14, 2019

Hm, tests seem to fail because of the changes. I hoped my adjustment works, seems like I need to create a setup. @kvch If you have some hints to get this green, let me know.

@kvch
Copy link
Contributor

kvch commented Jan 14, 2019

The problem is that an empty object is still there with the key "event".

Actual: {"event":{},"host":{"boot_id":"123456"}}
Expected: {"host":{"boot_id":"123456"}}

The whole key-value "pair" has to be deleted:

event.Fields.Delete("event")

@ruflin
Copy link
Member Author

ruflin commented Jan 14, 2019

@kvch Thanks for investigating. Let's see if CI is happy with it, if not will spin up a Linux environment for testing.

@ruflin ruflin merged commit 7972a7e into elastic:master Jan 15, 2019
@ruflin ruflin deleted the journalbeat-ecs branch January 15, 2019 09:01
@ruflin ruflin self-assigned this Jan 15, 2019
ruflin added a commit to ruflin/beats that referenced this pull request Jan 15, 2019
@ruflin
Skip x-pack libbeat tests again as flaky
c74e3cf 
It was tried to fix this in elastic#10043 but it seems it was not successful as it is still flaky. Skipping it again.
@ruflin ruflin mentioned this pull request Jan 15, 2019
Merged
ph pushed a commit that referenced this pull request Jan 15, 2019
@ruflin @ph
Skip x-pack libbeat tests again as flaky (#10068)
edeed09 
It was tried to fix this in #10043 but it seems it was not successful as it is still flaky. Skipping it again.

See #9690
ruflin added a commit to ruflin/beats that referenced this pull request Jan 16, 2019
@ruflin
Add missing ecs-migration entries for elastic#10043
1619f94 
The migration entries went missing there. No alias is used for `host.name` to `host.hostname` as both are existing fields.
@ruflin ruflin mentioned this pull request Jan 16, 2019
Merged
ruflin added a commit that referenced this pull request Jan 17, 2019
@ruflin
Add missing ecs-migration entries for #10043 (#10112)
9d33de0 
The migration entries went missing there. No alias is used for `host.name` to `host.hostname` as both are existing fields.
DStape pushed a commit to DStape/beats that referenced this pull request Aug 20, 2019
@ruflin
Convert read_timestamp to event.created in Journalbeat (elastic#10043)
1bd94a3 
This aligns journalbeat with ECS.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kvch kvch kvch approved these changes

Assignees

@ruflin ruflin

Labels
ecs Journalbeat review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ruflin @kvch