Set log.offset to the start of the reported line in filestream
#30445
Conversation
botelastic
bot
added
the
needs_team
|
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane) |
|
This pull request does not have a backport label. Could you fix it @kvch? 🙏
NOTE: |
botelastic
bot
removed
the
needs_team
mergify
bot
added
the
backport-skip
kvch
added
backport-7.17
mergify
bot
removed
the
backport-skip
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. 🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
| // if the message is empty, there is no need to enrich it with file metadata | ||
| if message.IsEmpty() { | ||
| r.offset += int64(message.Bytes) |
There was a problem hiding this comment.
I don't understand the difference in this change. There are only 2 returns in this function and having r.offset += int64(message.Bytes) before this if covered both and now they are just copied before each return. Why?
There was a problem hiding this comment.
ah, I think I get it now, that's because the value is used in DeepUpdate.
) (cherry picked from commit 8aca673)
) (cherry picked from commit 8aca673)
) (cherry picked from commit 8aca673)
| @@ -41,10 +41,9 @@ func NewFilemeta(r reader.Reader, path string, offset int64) reader.Reader { | |||
| func (r *FileMetaReader) Next() (reader.Message, error) { | |||
| message, err := r.reader.Next() | |||
|
|
|||
| r.offset += int64(message.Bytes) | |||
There was a problem hiding this comment.
Can you add a comment in here noting that log.offset should be the start of the reported line, and not the end? Let's document what the behaviour needs to be and why in the code itself.
There was a problem hiding this comment.
Looks like I was too late :) The commit message will explain it at least.
…nd-k8s-env * upstream/main: fix typos and improve sentences (elastic#30432) Add drop and explicit tests to avoid duplicate ingest of elasticsearch logs (elastic#30440) {,x-pack/}auditbeat: replace uses of github.com/pkg/errors with stdlib equivalents (elastic#30321) Spelling fix (elastic#30439) packetbeat/beater: make sure Npcap installation runs before interfaces are needed in all cases (elastic#30438) Add BC about Homebrew no longer being available in 8.0 (elastic#30419) Install gawk as a replacement for mawk in Docker containers. (elastic#30452) Clean up python-related system tests (elastic#30415) Fix TestNewModuleRegistry flakiness (elastic#30453) [Filebeat] [auditd]: Support EXECVE events with truncated argument list (elastic#30382) Set `log.offset` to the start of the reported line in filestream (elastic#30445) clarify SelectedPackageTypes meaning and improve its usage (elastic#30142) [elasticsearch module] serialize shards properties (elastic#30408) Add docs about hints and templates autodiscovery priority (elastic#30343)
…ckaging-docker * upstream/main: (26 commits) Update docker/distribution to 2.8.0 (elastic#30462) Add `parsers` examples to `filestream` reference configuration (elastic#30529) extend documentation about setting orchestrator.cluster fields (elastic#30518) Forward-port 8.0.1 changelog to main (elastic#30522) Switch skip to use `CI` (elastic#30512) packetbeat/beater: don't attempt to install npcap when already installed (elastic#30509) Fix Docker module: rename fields on dashboards (elastic#30500) fix typos and improve sentences (elastic#30432) Add drop and explicit tests to avoid duplicate ingest of elasticsearch logs (elastic#30440) {,x-pack/}auditbeat: replace uses of github.com/pkg/errors with stdlib equivalents (elastic#30321) Spelling fix (elastic#30439) packetbeat/beater: make sure Npcap installation runs before interfaces are needed in all cases (elastic#30438) Add BC about Homebrew no longer being available in 8.0 (elastic#30419) Install gawk as a replacement for mawk in Docker containers. (elastic#30452) Clean up python-related system tests (elastic#30415) Fix TestNewModuleRegistry flakiness (elastic#30453) [Filebeat] [auditd]: Support EXECVE events with truncated argument list (elastic#30382) Set `log.offset` to the start of the reported line in filestream (elastic#30445) clarify SelectedPackageTypes meaning and improve its usage (elastic#30142) [elasticsearch module] serialize shards properties (elastic#30408) ...
What does this PR do?
This PR fixes the offset reported in
log.offsetfield. Previously, it reported the offset of the end of the line. However, the field documentation says that it should be the start offset of the line. Ref: https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-log.htmlWhy is it important?
Filebeat should comply with ECS.
Checklist
- [ ] I have commented my code, particularly in hard-to-understand areas- [ ] I have made corresponding changes to the documentation- [ ] I have made corresponding change to the default configuration filesCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.