Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adopt parsers in all Filebeat inputs #26130

Closed
10 of 21 tasks
kvch opened this issue Jun 3, 2021 · 8 comments
Closed
10 of 21 tasks

Adopt parsers in all Filebeat inputs #26130

kvch opened this issue Jun 3, 2021 · 8 comments
Labels
Filebeat Filebeat meta Stalled Team:Elastic-Agent Label for the Agent team Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team

Comments

@kvch
Copy link
Contributor

kvch commented Jun 3, 2021
edited by thateriksson
Loading

Goal

Parsers are the successors of readers of the log input. They provide a more flexible message parsing. At the moment they are only available in the filestream input. But the functionality could be useful in other inputs.

We have to inspect all available inputs in Filebeat to see if it makes sense to add parsers. If the answer is yes, then the feature should be added.

Parsers

How to add parsers to an input

1. Add parsers code to the input

The parser.Config object has its own Unpack function, so it is enough for you to add it as an attribute to your configuration.

type myInputConfiguration struct {
   // other attributes
    parsers parser.Config `config:",inline"`
}

Then create the parser based on the configuration. The Create function expects a reader.Reader as a parameter it can read from.

var reader reader.Reader
p = inp.config.parsers.Create(reader)

Example configuration accepted by the code above

parsers:
  - multiline:
      type: count
      lines_count: 3

2. Add parsers to the reference configuration

Add the reference configuration to either

  • filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl
  • x-pack/filebeat/_meta/config/filebeat.inputs.reference.yml.tmpl

3. Add parsers to the documentation of the input

There is no common parsers section at the moment because it might not make sense to document all parsers for every input.

Inputs
@kvch kvch added Filebeat Filebeat meta labels Jun 3, 2021
@kvch kvch self-assigned this Jun 3, 2021
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jun 3, 2021
@kvch kvch added the Team:Elastic-Agent Label for the Agent team label Jun 3, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/agent (Team:Agent)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jun 3, 2021
@kvch kvch mentioned this issue Jul 14, 2021
Closed
6 tasks
@ascendant512
Copy link

May I vote for multiline in the unix input? It is the closest thing Filebeat has to a fifo. Immensely useful for injecting arbitrary logs with netcat without messing with log directories or restarting Filebeat.

@mjmbischoff mjmbischoff mentioned this issue Aug 22, 2021
Merged
6 tasks
@jlind23 jlind23 added the Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team label Sep 29, 2021
@kvch kvch mentioned this issue Oct 7, 2021
Closed
@belimawr belimawr mentioned this issue Nov 22, 2021
Merged
7 tasks
belimawr added a commit to belimawr/beats that referenced this issue Nov 30, 2021
@belimawr
Adopt parsers in Filebeat's journald input
3c13a10 
One test is added that runs Filebeat reading from a journald file, it
only tests one parser, however that should be enough to ensure parsers
are supported on journald input.

Splits from elastic#26130
belimawr added a commit that referenced this issue Nov 30, 2021
@belimawr
Adopt parsers in Filebeat's journald input (#29070)
8fcad13 
One test is added that runs Filebeat reading from a journald file, it
only tests one parser, however that should be enough to ensure parsers
are supported on journald input.

Splits from #26130
mergify bot pushed a commit that referenced this issue Nov 30, 2021
@belimawr
Adopt parsers in Filebeat's journald input (#29070)
4d9ec89 
One test is added that runs Filebeat reading from a journald file, it
only tests one parser, however that should be enough to ensure parsers
are supported on journald input.

Splits from #26130

(cherry picked from commit 8fcad13)
@jlind23
Copy link
Collaborator

jlind23 commented Dec 3, 2021

@kvch @nimarezainia what are the missing ones on which we should work?
I'll plan them as soon as possible like in 8.2 to clean it up.

belimawr added a commit that referenced this issue Dec 6, 2021
@mergify @belimawr
Adopt parsers in Filebeat's journald input (#29070) (#29203)
96a2a2a 
One test is added that runs Filebeat reading from a journald file, it
only tests one parser, however that should be enough to ensure parsers
are supported on journald input.

Splits from #26130

(cherry picked from commit 8fcad13)

Co-authored-by: Tiago Queiroz <tiago.queiroz@elastic.co>
@kvch
Copy link
Contributor Author

kvch commented Dec 8, 2021

Ideally, all of them. But TCP, UDP, UNIX should be done by our team. For the other inputs, I have to track down others to see if it makes sense to add parsers, and bug them to add if necessary.

@jlind23 jlind23 removed the v8.2.0 label Mar 21, 2022
@jlind23
Copy link
Collaborator

jlind23 commented Mar 21, 2022

@kvch @cmacknz will it be reworked with the input manager changes ongoing? If yes, I would rather postponing it for now. Thoughts?

@jlind23
Copy link
Collaborator

jlind23 commented Mar 28, 2022
edited
Loading

Those are the missing inputs where there is no parsers so far.

@masci those ones seems to belong to the @elastic/obs-cloud-monitoring team. Could you please create the appropriate issues if it's relevant?

  • HTTP Endpoint
  • HTTP JSON
  • Office 365 Management Activity API

@elastic/security-external-integrations those ones seems to belong to your area, could you please create the appropriate issues and check them if it is not needed.

  • MQTT
  • NetFlow
  • Redis

@rameshelastic those ones belongs to the @elastic/obs-service-integrations team, could you take them on your behalf.

@cmacknz those ones belong to us, let's try to make it happened.

@nimarezainia
Copy link
Contributor

@kvch @jlind23 sorry catching this thread a bit late. Isn't filestream and enhancement and ultimately replacing log input? should we be making these changes if they are already available in filestream?

@kvch kvch removed their assignment Jun 27, 2022
@botelastic
Copy link

botelastic bot commented Jul 7, 2023

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Jul 7, 2023
@botelastic botelastic bot closed this as completed Jan 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Filebeat Filebeat meta Stalled Team:Elastic-Agent Label for the Agent team Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@kvch @nimarezainia @elasticmachine @jlind23 @ascendant512