Add multi property to streams #110
Conversation
💚 Build Succeeded
Expand to view the summary
Build stats
Trends 🧪 |
|
Based on #108 would be good to pull in some folks to get feedback on this:
|
|
I'm wondering if what we want to repeat is the stream or the full input? Is there a case that we have an input with multiple data streams and we want only one of the data streams to be repeated? |
There was a problem hiding this comment.
I can see a bunch of use cases around database generic queries. Nice. I'm not convinced about the multi property name, but I can't propose anything better (collection? expandable?).
@leehinman could you please add this property to the test package (the (nevermind, I missed it's there)good package)?
There was a problem hiding this comment.
Nothing blocking from the package-registry perspective. I'll leave the final word to the Kibana's representive, @jen-huang .
| description: Can stream be defined multiple times | ||
| type: boolean | ||
| default: false | ||
| examples: |
There was a problem hiding this comment.
nit: well, this is a boolean field. I don't think we need to give an example here :)
++ to @ruflin's question. We discussed this on the Kibana issue back in November: example of only stream repeating, example of full input repeating. Which do you expect Kibana to generate? |
|
@ruflin @jen-huang, just going through PRs today after being on PTO for a week. Seems like this PR is currently blocked on this question:
Looking at the two examples that @jen-huang linked to in her comment, @ruflin can you explain why repeating the full input in the agent config would be better than repeating the data stream? I think understanding the pros/cons of each approach might help move this discussion forward to a resolution. |
|
For the input vs stream part: I don't think one is better than the other, it is more the question on what is trying to be solved here. Looking at elastic/kibana#83141 There are 2 checkboxes, one for the input and one for the stream. But as there is only 1 stream, the two should probably be merged (other issue). If both are merged, the only thing that is left is the input. Where the two differ is on shared config: Repeating the stream would allow to reuse the input config for multiple streams. Repeating the input allows to have different input config for each entry. In the case of osquery, it seems nothing is shared. So the outcome would be the same. Is osquery really using a single data stream for all the data? Or is it more similar to apm and the input configs could even be global. What would be clarifying I think would be seeing a mockup on how it should look in the UI and decide if input configs should be shared or not. |
@james-elastic could you confirm which approach the new osquery integration has taken? |
|
@jamiehynds as of now it's a single output datastream. |
|
@ruflin @leehinman is this PR still valid? |
|
I think it is still valid but would be good to get clarification on #110 (comment) from @leehinman |
For Windows Event logs I think repeating the input is a better fit, this is to support Custom Windows Event Logs, so each entry might need access to every option. |
It sounds like we agree on repeating the full input for this use case. With that in mind, might it be better to add |
|
@jen-huang Agree |
There was a problem hiding this comment.
After understanding what we want the resulting agent yaml to look like, I'd like to see this property moved to the policy_templates.inputs level on the main package manifest instead of at the stream level. This makes more sense from a Kibana perspective too.
leehinman
force-pushed
the
multi-streams
branch
from
f0b22f6
to
3b68995
Compare
Made the change and rebased to master. Let me know if we need to change anything else. Thanks. |
|
Thanks @leehinman Would be good for @jen-huang to have a quick look at it when she is back. @mtojek @sorantis Will this work as expected with thew new introduce of multiple policy_templates? I assume yes but want to make sure I don't miss something. |
|
Please make sure to correct all conflicted files and merge the PR if only the status is green. |
Useful when input for stream may be defined multiple times with only a few parameters changing. For example queries for osquery, or event providers for winlog.
What does this PR do?
Adds multi property to streams.
Why is it important?
Useful when input for stream may be defined multiple times with only a
few parameters changing. For example queries for osquery, or event
providers for winlog.
Checklist
code/go/internal/validator/test/packagesthat prove my change is effective.versions/N/changelog.yml.Related issues