Bug: Set netflow event.created to use current timestamp #23094
Conversation
botelastic
bot
added
the
needs_team
|
💚 CLA has been signed |
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. Expand to view the summary
Test stats 🧪
|
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
botelastic
bot
removed
the
needs_team
| @@ -65,7 +65,7 @@ func toBeatEventCommon(flow record.Record) (event beat.Event) { | |||
|
|
|||
| // ECS Fields -- event | |||
| ecsEvent := common.MapStr{ | |||
| "created": flow.Timestamp, | |||
| "created": time.Now(), | |||
There was a problem hiding this comment.
@adriansr @ebeahan What do you think about this change? The current flow.Timestamp is the time when the router emitted the record (distinct from the actual flow start/end times).
event.created contains the date/time when the event was first read by an agent, or by your pipeline.
This change would make the data consistent with other sources. On the other hand the time being used is the time when the event was created, except it's by the observer rather than agent.
There was a problem hiding this comment.
Yes, this makes sense. Its clear that it wasn't following the ECS convention. Also currently we were duplicating this same information in @timestamp.
This field is distinct from
@timestampin that@timestamptypically contain the time extracted from the original event.In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent’s or pipeline’s ability to keep up with your event source.
This change will allow to perform the above calculation, so LGTM.
|
/test |
andrewkroh
force-pushed
the
fix-netflow-event-created
branch
from
6a724ce
to
056da53
Compare
|
I pushed an update to remove |
|
jenkins test this please |
|
cla/check |
* Update event.created to use current timestamp * Update golden files, add changelog Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> (cherry picked from commit 6986c84)
* Update event.created to use current timestamp * Update golden files, add changelog Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> (cherry picked from commit 6986c84) Co-authored-by: Shanavas M <shanavas.m2@gmail.com>
What does this PR do?
Set netflow event.created field to current time instead of using flow.Timestamp
Why is it important?
As per [https://github.com/elastic/ecs/blob/master/code/go/ecs/event.go#L163](the doc), event.created contains the date/time when the event was first read by an agent/pipeline.
But for netflow input type, it is being copied from flow.Timestamp field.
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.