Migrate beat.* to agent.* #8873
Conversation
| # | ||
|
|
||
|
|
||
| - from: beat.name |
There was a problem hiding this comment.
@bleskes This is the file I have in mind to track the migration of the fields so it can be used later to do automatic migrations.
There was a problem hiding this comment.
What's the meaning of this structure? I'm wondering about the direction of the alias this is suggesting:
- Does it mean field
offsetis type alias, and points to the data inlog.offset?- This will be appropriate for 7.x, for backwards compatibility
- Does it mean field
log.offsetis type alias, and points to the data inoffset?- This would be appropriate if we want to start preparing for ECS in 6.x
Since we may actually do both, I think we should rename the keys of the structures slightly.
I currently read them as "old field is in from" and "new field is in to". However when you read with the strategy in mind, it reads like "alias from offset to log.offset", which is confusing.
What do you think about the following?
- old: offset
new: log.offset
strategy: alias # or copy_toThere was a problem hiding this comment.
I messed up the meaning of which strategy made sense in which version. Updated my comment above :)
There was a problem hiding this comment.
Not a blocker for this PR, just to be clear. Just maybe a thing to rethink in a separate PR
There was a problem hiding this comment.
The structure can still change, what is important right now is that we have a structure way of documenting it. We can focus on naming later.
| @@ -80,8 +80,8 @@ func Load( | |||
| Annotations: Annotations{ | |||
| Event: config.EventMetadata, | |||
| Builtin: common.MapStr{ | |||
| "beat": common.MapStr{ | |||
| "name": name, | |||
| "agent": common.MapStr{ | |||
There was a problem hiding this comment.
@graphaelli I think we should must make it possible for the apm-server to overwrite these fields with the agent information. Meaning we should only set them if they are not already in the event.
There was a problem hiding this comment.
@graphaelli Will make this happen in a follow up PR. Marked it in the ECS tracking issue: #8655
This file should help to track the migration of all files to ECS and then have potential automation on top to convert dashboards and other files which use the fields. This file is extracted from elastic#8873 to make it available in multiple PRs.
This file should help to track the migration of all files to ECS and then have potential automation on top to convert dashboards and other files which use the fields. This file is extracted from #8873 to make it available in multiple PRs.
ruflin
force-pushed
the
ecs-migration-kickoff
branch
2 times, most recently
from
2326942
to
92ad691
Compare
CHANGELOG.asciidoc
Outdated
| @@ -18,6 +18,7 @@ https://github.com/elastic/beats/compare/v6.4.0...master[Check the HEAD diff] | |||
| *Auditbeat* | |||
|
|
|||
| - Use `initial_scan` action for new paths. {pull}7954[7954] | |||
| - Rename beat.name to beat.type, beat.hostname to agent.hostname, beat.version to agent.version. | |||
There was a problem hiding this comment.
Should "Rename beat.name to beat.type" read "Rename beat.name to agent.type"?
dev-tools/ecs-migration.yml
Outdated
|
|
||
|
|
||
| - from: beat.name | ||
| to: agent.name |
There was a problem hiding this comment.
This is not aligned with the changelog. Shouldn't "beat.name" become "beat.type"?
There was a problem hiding this comment.
Haha, I messed up my correction. Yes, "agent.type" :-)
| @@ -79,6 +79,6 @@ def test_beat_fields(self): | |||
|
|
|||
| output = self.read_output() | |||
| doc = output[0] | |||
| assert doc["beat.name"] == "testShipperName" | |||
| assert doc["beat.hostname"] == socket.gethostname() | |||
| assert doc["host.name"] == "testShipperName" | |||
There was a problem hiding this comment.
This should be updated to "host.hostname", no?
There was a problem hiding this comment.
We already have host.name in Beats today since 6.4 and is what is used at the moment everywhere.
| @@ -190,7 +190,7 @@ def _test_expected_events(self, test_file, objects): | |||
|
|
|||
| def clean_keys(obj): | |||
| # These keys are host dependent | |||
| host_keys = ["host.name", "beat.hostname", "beat.name"] | |||
| host_keys = ["host.name", "agent.hostname", "agent.type"] | |||
There was a problem hiding this comment.
Same: "host.name" => "host.hostname"
There was a problem hiding this comment.
So the intention is to stick to "host.name" in 6.x and move to "host.hostname" in 7.x?
There was a problem hiding this comment.
We still need to figure that one out. This PR keeps the same behaviour as we had.
ruflin
force-pushed
the
ecs-migration-kickoff
branch
from
92ad691
to
2d224c8
Compare
ruflin
force-pushed
the
ecs-migration-kickoff
branch
from
2d224c8
to
5a9651a
Compare
The beat.* fields map to agent.* fields in ECS. This PR converts the following fileds: * beat.hostname -> agent.hostname * beat.version -> agent.version `agent.type` is added to indicate which Beat the data comes from. The field `beat.name` is converted to `agent.name` but is only set when it is not the same as the hostname. We already feed the field at the moment into host.name. The main discussion is which field we use by default in our dashboards moving forward. Changed: * Remove old fields from field.yml * Updated changelog * Updated tests and generated files
ruflin
force-pushed
the
ecs-migration-kickoff
branch
from
865c7c5
to
a4b28d9
Compare
ruflin
added
review
and removed
in progress
|
Yeah it's an oversight. It was mentioned in #8873, but I promptly forgot about that :-) So I created issue elastic/ecs#178 to make sure it gets addressed. This is not a concept that's only useful to Beats, I think it also belongs in ECS. See the ECS issue for details, or to discuss the idea. |
The beat.* fields map to agent.* fields in ECS. This PR converts the following fileds: * beat.hostname -> agent.hostname * beat.version -> agent.version `agent.type` is added to indicate which Beat the data comes from. The field `beat.name` is converted to `agent.name` but is only set when it is not the same as the hostname. We already feed the field at the moment into host.name. The main discussion is which field we use by default in our dashboards moving forward. Changed: * Remove old fields from field.yml * Updated changelog * Updated tests and generated files
The beat.* fields map to agent.* fields in ECS. This PR converts the following fileds:
agent.typeis added to indicate which Beat the data comes from. The fieldbeat.nameis converted toagent.namebut is only set when it is not the same as the hostname. We already feed the field at the moment into host.name. The main discussion is which field we use by default in our dashboards moving forward.Changed: