Add support for parsers in filestream input

[kvch]

This PR adds support for pasers in the filestream input.

Example configuration that aggregates fives lines into a single event and parses the JSON contents:

- type: filestream
  enabled: true
  paths:
  - test.log
  parsers:
  - multiline:
      type: count
      count_lines: 5
      skip_newline: true
  - ndjson:
      fields_under_root: true

[elasticmachine]

Pinging @elastic/agent (Team:Agent)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Build Cause: Pull request #24763 updated

• Start Time: 2021-04-20T16:17:13.878+0000

• Duration: 76 min 39 sec

• Commit: 0664c8b

Test stats 🧪

Test	Results
Failed	0
Passed	47239
Skipped	5134
Total	52373

Trends 🧪

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	47239
Skipped	5134
Total	52373

[urso]

In general the approach looks good to me. I assume syslog and CRI-O will be added next?

Have you tried JSON in JSON or ndjson -> multiline, as is common in the case of containers?

[urso]

it works most of the time

Most of the time? You see any potential limitation that don't exist in comparison to the logs input?

[kvch]

it works most of the time

Most of the time? You see any potential limitation that don't exist in comparison to the logs input?

JSON parsing is tricky in the log input, and I first wanted to see what you think about the basics of the refactoring than talk about the painful details. ATM I believe I can get JSON parsing working similarly to log input.

The main problem is that the JSON reader only parses the json fields and puts them under json key. A few steps of JSON processing is done after the reader pipeline is done and a new beat.Event is created. If keys_under_root is enabled, a separate function merges the fields of a beat.Event and the keys under json. Also, it sets the fields under @meta if document_id is set. Obviously, a Reader/parser in this state cannot do it because they work on Messages not Events.

[urso]

The main problem is that the JSON reader only parses the json fields and puts them under json key. A few steps of JSON processing is done after the reader pipeline is done and a new beat.Event is created. If keys_under_root is enabled, a separate function merges the fields of a beat.Event and the keys under json. Also, it sets the fields under @meta if document_id is set. Obviously, a Reader/parser in this state cannot do it because they work on Messages not Events.

I see. Not sure how much postprocessing will be required, but maybe we can introduce a generic helper function/method that can convert the Message to a beat.Event or extend a beat.Event from a Message object.
Regarding fiels under root, maybe we can pass a path prefix to the JSON parser, such that fields are automatically put under that prefix. If the prefix is empty, fields will be put under root. By default we can pass "json" to the transformer/parser. That way we can keep the current functionality, but have the message already in the right format. Plus, in case we add syslog or xml parsing for example, we will also publish fields. In that case we should not use the "json" namespace.

Maybe we also need to enhance Message to create a set of meta fields, such that post processing of meta does not differ from normal fields?

[urso]

For the complete function body up until here I wonder, if this could be a separate parser we just append to the list of parsers? In that case the beat.Event could be extracted from the message directly.

[urso]

Why do we need to build and apply the post processors separately? Couldn't we just ensure that the parser correctly modifies the message? Are there fields that must be 'set' before the post processing is run?

[kvch]

Yes, the fields log.offset, log.file.path are set before the input merges the JSON fields with the existing fields.

[urso]

I wonder if we can/should inject a processor at the beginning? E.g. if we have filebeat collect the output of another filebeat, shall we really overwrite the existing fields with the new ones we define here, or should we make an attempt to keep the original fields from the original log file intact if they are present?

[urso]

Wow, these are quite a few integration tests. Having a few integration tests is indeed important, as we combine quite a few components.

But as the focus is on the parsers, it would be nice to have more unit tests with parsers only, instead of full fledged integration tests that operate on the disk.

I understand that most of these tests are copied from the existing system tests and it is better to keep them as is. But maybe we can create a follow up issue to clean the tests up a little.

[urso]

Which value has MessageKey and what do we store in here if we didn't run multiline?

[kvch]

MessageKey is only needed if multiline is configured before the JSON parser.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b feature-filebeat-filestream-parsers upstream/feature-filebeat-filestream-parsers
git merge upstream/master
git push upstream feature-filebeat-filestream-parsers

[urso]

what happens to post processing if I have multiple JSON parsers? E.g. json => multiline => json?

[kvch]

In this case, multiple post processors are added. It means that e.g. if keys_under_root or overwrite_keys is enabled for both json parsers, the last parser "wins".

[urso]

I'm more curious what happens to the event if one has keys_under_root disable and one has it enabled.

e.g. let's assume I have the configuration:

parsers:
  - ndjson.fields_under_root: true
  - ndjson.fields_under_root: false

with this event:

{"log.level": "debug", "message": "{\"id\": 5}"}

then given the parsers I would assume my event will look like:

{
  "log.level": "debug",
  "json": { "id": 5 }
}

What what will actually be produced is:

{
  "log.level": "debug",
  "id": 5,
}

Because the post processor removes json from the event, it is not the first one that wins, but the last one... in this case.

[urso]

Looks good for now. But unfortunately we are not off the hook yet. In order to support docker json logs or syslog parsing in the future, we have to try to make the parsers more self-contained without the need for post processing. Maybe we have to 'fork' the current readers and create new implementations for the filestream input. The current readers we have are bound to the logs inputs only, anyways.